
Windows Analysis Report
Q3kUbU2aJq.dll

Overview

General Information

Sample name: Q3kUbU2aJq.dll
renamed because original name is a hash value
Original sample name: 407c05036609108e374e4bd1e09a9d99a9c21c91f60f381ffb7a3d6375e9d1c5.dll
Analysis ID: 1544808
MD5: c6563a67de8b0016d8449ef98ec1055c
SHA1: c2602d3bfb6a5f53509fbd48a62a14e046ff2664
SHA256: 407c05036609108e374e4bd1e09a9d99a9c21c91f60f381ffb7a3d6375e9d1c5
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7476 cmdline: loaddll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7560 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7584 cmdline: rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 7772 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 800 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7568 cmdline: rundll32.exe C:\Users\user\Desktop\Q3kUbU2aJq.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7788 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 832 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7848 cmdline: rundll32.exe C:\Users\user\Desktop\Q3kUbU2aJq.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7916 cmdline: rundll32.exe C:\Users\user\Desktop\Q3kUbU2aJq.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7980 cmdline: rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 8132 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7980 -s 796 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 8008 cmdline: rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8040 cmdline: rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8100 cmdline: rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8156 cmdline: rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SpellSpell MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7220 cmdline: rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SpellInit MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1492 cmdline: rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SpellFree MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6752 cmdline: rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2028 cmdline: rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6704 cmdline: rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Q3kUbU2aJq.dll | ReversingLabs: Detection: 13%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC71830
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCB1830
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCB1830
Source: Q3kUbU2aJq.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: Q3kUbU2aJq.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (3_2_6CC42CA6)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (3_2_6CC42CA0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx (3_2_6CC5CEC0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh (3_2_6CC69030)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh (3_2_6CC6A360)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (13_2_6CC82CA0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (13_2_6CC82CA6)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx (13_2_6CC9CEC0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh (13_2_6CCA9030)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh (13_2_6CCAA360)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (17_2_6CC82CA0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (17_2_6CC82CA6)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx (17_2_6CC9CEC0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh (17_2_6CCA9030)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh (17_2_6CCAA360)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC72A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC71A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC71570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC711F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCB2A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCB1A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCB1570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCB11F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCB2A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCB1A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCB1570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCB11F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC42CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC42CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC9BC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCC6C20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC6AD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCC4D20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC95ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCBCEF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC4BE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCD2E70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC7CF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCD4F30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCAA872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC6D9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCC59D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC559F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC50AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC6CA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC4FBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC6BB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC61440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC86470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC63400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCC95A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCC2560
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC98570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC6C6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC9D6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC66630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCBE740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCC6740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC490F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC6C080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC580A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC6D040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC76010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC6B2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCA7280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC432A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC7E240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCD3230
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC693F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCA332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CC7A320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CC82CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CC82CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCDBC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD06C20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCAAD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD04D20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCD5ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCFCEF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CC8BE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD12E70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCBCF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD14F30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCEA872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD059D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCAD9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CC959F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CC90AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCACA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CC8FBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCABB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCA1440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCC6470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCA3400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD095A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD02560
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCD8570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCAC6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCDD6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCA6630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCFE740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD06740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CC890F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCAC080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CC980A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCAD040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCB6010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCAB2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCE7280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CC832A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCBE240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD13230
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCA93F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCE332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCBA320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CC82CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CC82CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCDBC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD06C20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCAAD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD04D20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCD5ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCFCEF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CC8BE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD12E70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCBCF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD14F30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCEA872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD059D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCAD9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CC959F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CC90AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCACA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CC8FBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCABB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCA1440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCC6470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCA3400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD095A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD02560
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCD8570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCAC6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCDD6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCA6630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCFE740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD06740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CC890F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCAC080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CC980A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCAD040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCB6010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCAB2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCE7280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CC832A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCBE240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD13230
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCA93F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCE332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCBA320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CC82C30 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CC77410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CCB3B30 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CCA6A90 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CCE6A90 appears 962 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CCB5080 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CCB7410 appears 1386 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CCE5740 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 800
Source: Q3kUbU2aJq.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine | Classification label: mal56.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CCD5B30 GetLastError, FormatMessageA, fprintf, LocalFree
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e5b5ebcb-8ed6-4a13-a26c-312bcfb0d6a5
Source: Q3kUbU2aJq.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Q3kUbU2aJq.dll,BarCreate
Source: Q3kUbU2aJq.dll | ReversingLabs: Detection: 13%
Source: rundll32.exe | String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe | String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe | String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe | String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe | String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe | String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe | String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe | String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe | String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe | String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe | String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe | String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe | String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe | String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe | String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe | String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe | String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe | String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe | String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe | String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe | String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe | String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe | String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe | String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe | String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe | String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe | String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe | String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe | String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe | String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe | String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe | String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe | String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe | String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe | String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe | String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe | String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe | String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe | String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe | String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exeString found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exeString found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Q3kUbU2aJq.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 800
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 832
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Q3kUbU2aJq.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Q3kUbU2aJq.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7980 -s 796
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: Q3kUbU2aJq.dll Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: Q3kUbU2aJq.dll Static file information: File size 1368576 > 1048576
Source: Q3kUbU2aJq.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC413E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,3_2_6CC413E0
Source: Q3kUbU2aJq.dll Static PE information: real checksum: 0x151005 should be: 0x152b80
Source: Q3kUbU2aJq.dll Static PE information: section name: .eh_fram
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0183AF38 push eax; retf 0_2_0183AF39
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_018803C9 push edx; retf 0_2_018803CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC51E08 push edx; iretd 3_2_6CC51E09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC52B27 pushfd ; iretd 3_2_6CC52B29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC5246E push FFFFFF9Fh; iretd 3_2_6CC52470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCB509D pushad ; ret 3_2_6CCB509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CCB5094 pushad ; ret 3_2_6CCB5095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0483AF38 push eax; retf 4_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04882378 push 92D155A5h; iretd 4_2_0488237E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0503AF59 push eax; retf 11_2_0503AF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C3D822 pushfd ; ret 12_2_04C3D823
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCF509D pushad ; ret 13_2_6CCF509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CCF5094 pushad ; ret 13_2_6CCF5095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0543AFC5 push eax; retf 14_2_0543AF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0543AF59 push eax; retf 14_2_0543AF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_054803A8 pushad ; iretd 14_2_054803C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_054803E6 pushad ; iretd 14_2_054803C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0510284D push esi; iretd 15_2_0510284F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCF509D pushad ; ret 17_2_6CCF509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CCF5094 pushad ; ret 17_2_6CCF5095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0483AF60 push eax; retf 19_2_0483AF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0483CD50 push FFFFFFC2h; iretd 19_2_0483CD52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0503AF38 push eax; retf 21_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05080DDD push es; ret 21_2_05080DE6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0483AF38 push eax; retf 23_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04C3C41F pushad ; retf 24_2_04C3C426
Source: C:\Windows\System32\loaddll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_6CCAC0C0 rdtscp 3_2_6CCAC0C0
Source: C:\Windows\SysWOW64\rundll32.exe; API coverage: 0.7 %
Source: C:\Windows\SysWOW64\rundll32.exe; API coverage: 1.3 % (2 occurrences)
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe; Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort (2 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_6CC413E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress 3_2_6CC413E0
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_6CCD4E50 free,free,GetProcessHeap,HeapFree 3_2_6CCD4E50
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_6CCD6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort 3_2_6CCD6300
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 13_2_6CD162FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort 13_2_6CD162FC
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 13_2_6CD16300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort 13_2_6CD16300
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 17_2_6CD162FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort 17_2_6CD162FC
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 17_2_6CD16300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort 17_2_6CD16300
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_6CCD6250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter 3_2_6CCD6250
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_6CC71C90 RtlGetVersion,RtlGetCurrentPeb 3_2_6CC71C90
MITRE ATT&CK Matrix, listed per tactic (count of matching signatures in parentheses; entries without a count were not matched):

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
  • Execution: Command and Scripting Interpreter (2); Native API (1); At; Cron; Launchd; Scheduled Task
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
  • Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
  • Defense Evasion: Virtualization/Sandbox Evasion (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Rundll32 (1); DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
  • Discovery: System Time Discovery (1); Security Software Discovery (3); Virtualization/Sandbox Evasion (11); System Information Discovery (3); Internet Connection Discovery; Wi-Fi Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
  • Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
  • Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1544808; Sample: Q3kUbU2aJq.dll; Startdate: 29/10/2024; Architecture: WINDOWS; Score: 56). Signatures on the start node: Multi AV Scanner detection for submitted file; AI detected suspicious sample. Process tree: loaddll32.exe started rundll32.exe, cmd.exe, a second rundll32.exe and 12 other processes. The first rundll32.exe (signature: Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)) started WerFault.exe; cmd.exe started rundll32.exe, which started WerFault.exe; the second rundll32.exe started WerFault.exe.

Source | Detection | Scanner
Q3kUbU2aJq.dll | 13% | ReversingLabs
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false |  | unknown
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1544808
    Start date and time:2024-10-29 19:12:41 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 7m 4s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:29
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:Q3kUbU2aJq.dll
    renamed because original name is a hash value
    Original Sample Name:407c05036609108e374e4bd1e09a9d99a9c21c91f60f381ffb7a3d6375e9d1c5.dll
    Detection:MAL
    Classification:mal56.mine.winDLL@35/0@0/0
    EGA Information:
    • Successful, ratio: 20%
    HCA Information:
    • Successful, ratio: 56%
    • Number of executed functions: 5
    • Number of non-executed functions: 113
    Cookbook Comments:
    • Found application associated with file extension: .dll
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
    • Execution Graph export aborted for target loaddll32.exe, PID 7476 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 1492 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 2028 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 6704 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 6752 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 7220 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 7584 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 7848 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 7916 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 8008 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 8040 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 8156 because there are no executed functions
    • Not all processes were analyzed; the report is missing behavior information
    • Report size exceeded maximum capacity and may have missing behavior information.
    • VT rate limit hit for: Q3kUbU2aJq.dll
    Time | Type | Description
    14:13:50 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    s-part-0017.t-0009.t-msedge.net | y2WSfG9g8W.dll | malicious | Unknown | 13.107.246.45
     | file.exe | malicious | Stealc, Vidar | 13.107.246.45
     | https://get.hidrive.com/api/ZVDVVnH5/file/fgWacQquUMk6LQc3wqBJEz | malicious | Unknown | 13.107.246.45
     | https://forms.office.com/Pages/ShareFormPage.aspx?id=w0PqEzPG80GlVpQ2KYlCgotli86l81ZCgGQV0R07kYhUMDlNVzY4TDhNS0pGV0pGVENBVVNGTURFTi4u&sharetoken=3AKcsZjmxuGhgr7rDwU0 | malicious | Unknown | 13.107.246.45
     | Jmaman_##Salary##_Benefit_for_JmamanID#IyNURVhUTlVNUkFORE9NMTAjIw==.html | malicious | HTMLPhisher | 13.107.246.45
     | https://qH.todentu.ru/FcZpLy/#Obritchie@initusa.com | malicious | Unknown | 13.107.246.45
     | securedoc_20241028T070148.html | malicious | Unknown | 13.107.246.45
     | file.exe | malicious | Stealc, Vidar | 13.107.246.45
     | https://workdrive.zohoexternal.com/file/d3qaw4673940b54374623b165953068c580b5 | malicious | HTMLPhisher | 13.107.246.45
     | dokument wysy#U0142kowy faktury nr 52-FK-24.exe | malicious | FormBook | 13.107.246.45
    No created / dropped files found
    File type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
    Entropy (8bit):6.270748908057763
    TrID:
    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
    • Generic Win/DOS Executable (2004/3) 0.20%
    • DOS Executable Generic (2002/1) 0.20%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:Q3kUbU2aJq.dll
    File size:1'368'576 bytes
    MD5:c6563a67de8b0016d8449ef98ec1055c
    SHA1:c2602d3bfb6a5f53509fbd48a62a14e046ff2664
    SHA256:407c05036609108e374e4bd1e09a9d99a9c21c91f60f381ffb7a3d6375e9d1c5
    SHA512:6a3c0cd8503f4417d71b599065eb5f0e51fee009eaf79580ce6f4f1d3525c0c225faa10587b83e7642d716eb620a90dd5dba0207cf352b3a0aa3549a52a3de6a
    SSDEEP:24576:pmUvADcqbnfLDsDPfjJXAylWGBxDX96wPi2dAN04U02nMWU:p+qjtWiLx7d
    TLSH:5F551800FDC784F1E403263285AB62AB6325AD195F31CBC7FB44BB79FA776954832285
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....d.......H.................m......................................@... .........................-..
    Icon Hash:7ae282899bbab082
    Entrypoint:0x6d8c1380
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x6d8c0000
    Subsystem:windows cui
    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
    TLS Callbacks:0x6d9563e0, 0x6d956390
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:1
    File Version Major:6
    File Version Minor:1
    Subsystem Version Major:6
    Subsystem Version Minor:1
    Import Hash:47d9e8363ec498a9360ee0a7da269805
    Instruction
    sub esp, 1Ch
    mov dword ptr [6DA2C730h], 00000000h
    mov edx, dword ptr [esp+24h]
    cmp edx, 01h
    je 00007FF7352F239Ch
    mov ecx, dword ptr [esp+28h]
    mov eax, dword ptr [esp+20h]
    call 00007FF7352F2202h
    add esp, 1Ch
    retn 000Ch
    lea esi, dword ptr [esi+00000000h]
    mov dword ptr [esp+0Ch], edx
    call 00007FF73538721Ch
    mov edx, dword ptr [esp+0Ch]
    jmp 00007FF7352F2359h
    nop
    sub esp, 1Ch
    mov eax, dword ptr [esp+20h]
    mov dword ptr [esp], 6DA08000h
    mov dword ptr [esp+04h], eax
    call 00007FF73538806Eh
    add esp, 1Ch
    ret
    nop
    nop
    nop
    nop
    nop
    push ebp
    mov ebp, esp
    push edi
    push esi
    push ebx
    sub esp, 1Ch
    mov dword ptr [esp], 6D95F000h
    call dword ptr [6DA2E21Ch]
    sub esp, 04h
    test eax, eax
    je 00007FF7352F23F5h
    mov ebx, eax
    mov dword ptr [esp], 6D95F000h
    call dword ptr [6DA2E264h]
    mov edi, dword ptr [6DA2E224h]
    sub esp, 04h
    mov dword ptr [6DA2C764h], eax
    mov dword ptr [esp+04h], 6D95F013h
    mov dword ptr [esp], ebx
    call edi
    sub esp, 08h
    mov esi, eax
    mov dword ptr [esp+04h], 6D95F029h
    mov dword ptr [esp], ebx
    call edi
    mov dword ptr [6D958000h], eax
    sub esp, 08h
    test esi, esi
    je 00007FF7352F2393h
    mov dword ptr [esp+00h], 00000000h
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x16d000 | 0x12d | .edata
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16e000 | 0xb78 | .idata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x171000 | 0x868c | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x144fd0 | 0x18 | .rdata
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x16e1cc | 0x190 | .idata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x962a8 | 0x96400 | 63dc589a69099ea9dd0b396fff3a5876 | False | 0.4697996828202995 | data | 6.2822455338067895 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .data | 0x98000 | 0x67c8 | 0x6800 | 3c145d4dd653a7651cd93149f1b52ada | False | 0.4201847956730769 | data | 4.4419396248563805 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rdata | 0x9f000 | 0xa63a0 | 0xa6400 | 452d7d61af6b2474bd201eeb0556261e | False | 0.4316890859962406 | data | 5.590270706539622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
    .eh_fram | 0x146000 | 0x1274 | 0x1400 | 85e22b3e84813337ea1a67b904c6bbcd | False | 0.3369140625 | data | 4.565839626312234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
    .bss | 0x148000 | 0x2477c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .edata | 0x16d000 | 0x12d | 0x200 | 67859e1c9d81f1d2bdf6b531a2016f52 | False | 0.44921875 | data | 3.400613123216997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
    .idata | 0x16e000 | 0xb78 | 0xc00 | cb8eb4a241279d6fed66c3ea8ecac795 | False | 0.3961588541666667 | data | 5.12056831676781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .CRT | 0x16f000 | 0x2c | 0x200 | db151290603a2662b590a75b7e0b0988 | False | 0.0546875 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .tls | 0x170000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .reloc | 0x171000 | 0x868c | 0x8800 | b9d707b12c23cf40e1da0f3b0f06e05b | False | 0.6665613511029411 | data | 6.630744317847094 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    DLL | Import
    KERNEL32.dll | AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetModuleHandleA, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadLocale, GetTickCount, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, PostQueuedCompletionStatus, QueryPerformanceCounter, RaiseFailFastException, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TerminateProcess, TlsAlloc, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WriteConsoleW, WriteFile, lstrlenA
    msvcrt.dll | _amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, _wcsnicmp, abort, bsearch, calloc, fprintf, free, fwrite, malloc, mbstowcs, memcpy, memset, qsort, realloc, strcmp, strlen, strncmp, strtol, vfprintf, wcstombs
    Name | Ordinal | Address
    BarCreate | 1 | 0x6d9545d0
    BarDestroy | 2 | 0x6d954850
    BarFreeRec | 3 | 0x6d954800
    BarRecognize | 4 | 0x6d9547b0
    GetInstallDetailsPayload | 5 | 0x6d954710
    SignalInitializeCrashReporting | 6 | 0x6d954760
    SpellFree | 7 | 0x6d954620
    SpellInit | 8 | 0x6d954670
    SpellSpell | 9 | 0x6d9546c0
    _cgo_dummy_export | 10 | 0x6da2c768
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Oct 29, 2024 19:13:38.797667027 CET | 1.1.1.1 | 192.168.2.11 | 0x1ea6 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
    Oct 29, 2024 19:13:38.797667027 CET | 1.1.1.1 | 192.168.2.11 | 0x1ea6 | No error (0) | s-part-0017.t-0009.t-msedge.net |  | 13.107.246.45 | A (IP address) | IN (0x0001) | false

    Target ID:0
    Start time:14:13:40
    Start date:29/10/2024
    Path:C:\Windows\System32\loaddll32.exe
    Wow64 process (32bit):true
    Commandline:loaddll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll"
    Imagebase:0xbc0000
    File size:126'464 bytes
    MD5 hash:51E6071F9CBA48E79F10C84515AAE618
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:1
    Start time:14:13:40
    Start date:29/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff68cce0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:2
    Start time:14:13:40
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\cmd.exe
    Wow64 process (32bit):true
    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",#1
    Imagebase:0xc30000
    File size:236'544 bytes
    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:3
    Start time:14:13:40
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe C:\Users\user\Desktop\Q3kUbU2aJq.dll,BarCreate
    Imagebase:0xb30000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:4
    Start time:14:13:40
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",#1
    Imagebase:0xb30000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:9
    Start time:14:13:40
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 800
    Imagebase:0x710000
    File size:483'680 bytes
    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:10
    Start time:14:13:41
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 832
    Imagebase:0x710000
    File size:483'680 bytes
    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:11
    Start time:14:13:43
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe C:\Users\user\Desktop\Q3kUbU2aJq.dll,BarDestroy
    Imagebase:0xb30000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:12
    Start time:14:13:46
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe C:\Users\user\Desktop\Q3kUbU2aJq.dll,BarFreeRec
    Imagebase:0xb30000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:13
    Start time:14:13:49
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarCreate
    Imagebase:0xb30000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:14
    Start time:14:13:49
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarDestroy
    Imagebase:0xb30000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:15
    Start time:14:13:49
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarFreeRec
    Imagebase:0xb30000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:17
    Start time:14:13:49
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",_cgo_dummy_export
    Imagebase:0xb30000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:18
    Start time:14:13:49
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7980 -s 796
    Imagebase:0x710000
    File size:483'680 bytes
    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:19
    Start time:14:13:50
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SpellSpell
    Imagebase:0xb30000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:20
    Start time:14:13:50
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SpellInit
    Imagebase:0xb30000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:21
    Start time:14:13:50
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SpellFree
    Imagebase:0xb30000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:22
    Start time:14:13:50
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",SignalInitializeCrashReporting
    Imagebase:0xb30000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:23
    Start time:14:13:50
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",GetInstallDetailsPayload
    Imagebase:0xb30000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:24
    Start time:14:13:50
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\Q3kUbU2aJq.dll",BarRecognize
    Imagebase:0xb30000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true


      Execution Graph

      Execution Coverage:0%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:0%
      Total number of Nodes:3
      Total number of Limit Nodes:0
      execution_graph 52490 6ccacea0 52491 6ccacec8 WriteFile 52490->52491 52492 6ccaceb9 52490->52492 52492->52491

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 0 6ccacea0-6ccaceb7 1 6ccacec8-6ccacee0 WriteFile 0->1 2 6ccaceb9-6ccacec6 0->2 2->1
      APIs
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID: FileWrite
      • String ID:
      • API String ID: 3934441357-0
      • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
      • Instruction ID: e6651893a263502fed982eb7b16fd848468c032874bac339fb1fa293ab15c07b
      • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
      • Instruction Fuzzy Hash: 43E0E571505640CFCB15DF18C2C5306BBE1EB48A00F0485A8DE098FB4AE734ED10CBD2

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 297 6ccd4f30-6ccd4f42 298 6ccd4f48-6ccd4f54 297->298 299 6ccd5350-6ccd536e SetLastError 297->299 300 6ccd4f5a-6ccd4f71 298->300 301 6ccd5330-6ccd533f SetLastError 298->301 300->299 303 6ccd4f77-6ccd4f88 300->303 302 6ccd5342-6ccd534e 301->302 303->301 304 6ccd4f8e-6ccd4f98 303->304 304->301 305 6ccd4f9e-6ccd4fa7 304->305 305->301 306 6ccd4fad-6ccd4fbb 305->306 307 6ccd4fc1-6ccd4fc3 306->307 308 6ccd5710-6ccd5712 306->308 309 6ccd4fc5-6ccd4fe3 307->309 309->309 310 6ccd4fe5-6ccd500f GetNativeSystemInfo 309->310 310->301 311 6ccd5015-6ccd5047 310->311 313 6ccd504d-6ccd5073 GetProcessHeap HeapAlloc 311->313 314 6ccd5370-6ccd53a3 311->314 315 6ccd5079-6ccd50e4 313->315 316 6ccd5731-6ccd576a SetLastError 313->316 314->313 320 6ccd53a9-6ccd53bb SetLastError 314->320 318 6ccd50ea-6ccd515c memcpy 315->318 319 6ccd53c0-6ccd53cd SetLastError 315->319 316->302 326 6ccd51ea-6ccd51f5 318->326 327 6ccd5162-6ccd5164 318->327 321 6ccd53d0-6ccd53e6 call 6ccd4e50 319->321 320->302 328 6ccd51fb-6ccd520a 326->328 329 6ccd5660-6ccd566a 326->329 330 6ccd5166-6ccd516b 327->330 335 6ccd5210-6ccd521e 328->335 336 6ccd5472-6ccd549a 328->336 333 6ccd566c-6ccd5680 329->333 334 6ccd56eb-6ccd56ee 329->334 331 6ccd5171-6ccd517a 330->331 332 6ccd53f0-6ccd53fc 330->332 339 6ccd517c-6ccd51a8 331->339 340 6ccd51ce-6ccd51dc 331->340 332->319 341 6ccd53fe-6ccd5426 332->341 342 6ccd56e6 333->342 343 6ccd5682-6ccd568e 333->343 344 6ccd5220-6ccd523a IsBadReadPtr 335->344 337 6ccd549c-6ccd549f 336->337 338 6ccd54b0-6ccd54c8 336->338 345 6ccd56ff-6ccd5704 337->345 346 6ccd54a5-6ccd54a8 337->346 347 6ccd54ce-6ccd54e6 338->347 348 6ccd57a6-6ccd57aa 338->348 339->321 362 6ccd51ae-6ccd51c9 memset 339->362 340->330 349 6ccd51de-6ccd51e6 340->349 341->321 365 6ccd5428-6ccd5455 memcpy 341->365 342->334 350 6ccd5690-6ccd569b 343->350 351 6ccd5470 344->351 352 6ccd5240-6ccd5249 344->352 345->338 346->338 353 6ccd54aa-6ccd54af 346->353 355 6ccd5541-6ccd554d 347->355 361 6ccd57b3-6ccd57c3 
SetLastError 348->361 349->326 357 6ccd569d-6ccd569f 350->357 358 6ccd56d2-6ccd56dc 350->358 351->336 352->351 359 6ccd524f-6ccd5264 352->359 353->338 363 6ccd554f-6ccd5555 355->363 364 6ccd555a-6ccd555e 355->364 366 6ccd56a0-6ccd56ad 357->366 358->350 360 6ccd56de-6ccd56e2 358->360 378 6ccd576f-6ccd577f SetLastError 359->378 379 6ccd526a-6ccd5285 realloc 359->379 360->342 361->321 362->340 367 6ccd5557 363->367 368 6ccd55a0-6ccd55a6 363->368 372 6ccd556a-6ccd557b 364->372 373 6ccd5560-6ccd5568 364->373 369 6ccd56af-6ccd56c0 366->369 370 6ccd56c3-6ccd56d0 366->370 367->364 368->364 377 6ccd55a8-6ccd55ab 368->377 369->370 370->358 370->366 375 6ccd557d-6ccd5583 372->375 376 6ccd5585 372->376 373->372 374 6ccd54f0-6ccd54ff call 6ccd49e0 373->374 391 6ccd5505-6ccd5514 374->391 392 6ccd5720-6ccd5724 374->392 375->376 382 6ccd558a-6ccd5596 375->382 376->382 377->364 378->321 380 6ccd528b-6ccd52b5 379->380 381 6ccd5784-6ccd57a1 SetLastError 379->381 384 6ccd52e8-6ccd52f4 380->384 385 6ccd52b7 380->385 381->321 386 6ccd5518-6ccd5530 382->386 389 6ccd52f6-6ccd5307 384->389 390 6ccd52c0-6ccd52d6 384->390 388 6ccd5460-6ccd5465 385->388 393 6ccd55b0-6ccd55c9 call 6ccd49e0 386->393 394 6ccd5532-6ccd553d 386->394 388->344 400 6ccd5309-6ccd5326 SetLastError 389->400 401 6ccd52d8-6ccd52e2 389->401 390->400 390->401 391->386 392->321 393->321 402 6ccd55cf-6ccd55d9 393->402 394->355 400->321 401->384 401->388 403 6ccd55db-6ccd55e4 402->403 404 6ccd5613-6ccd5618 402->404 403->404 407 6ccd55e6-6ccd55ea 403->407 405 6ccd561e-6ccd5629 404->405 406 6ccd56f3-6ccd56fa 404->406 409 6ccd562f-6ccd5649 405->409 410 6ccd5729-6ccd572c 405->410 406->302 407->404 411 6ccd55ec 407->411 409->361 414 6ccd564f-6ccd5656 409->414 410->302 412 6ccd55f0-6ccd560f 411->412 416 6ccd5611 412->416 414->302 416->404
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID: ErrorHeapLast$AllocInfoNativeProcessReadSystemmemcpymemsetrealloc
      • String ID: ?$@
      • API String ID: 2257136212-1463999369
      • Opcode ID: 16892a65ea8d501f908ded7dbd7969facc346e03b8cbb6825d9171e650769af1
      • Instruction ID: ed8cc3ed0d772522b73ce269841e12fdcf3e5a0b0b6289f1e7f3db2472c9977b
      • Opcode Fuzzy Hash: 16892a65ea8d501f908ded7dbd7969facc346e03b8cbb6825d9171e650769af1
      • Instruction Fuzzy Hash: B14223B46097058FD710DF69C580A5AFBF0FF88309F558A2DEA9987B00E774E855CB82

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 1107 6cc559f0-6cc55a05 1108 6cc56c61-6cc56c66 call 6ccaae50 1107->1108 1109 6cc55a0b-6cc55a31 call 6ccb0980 1107->1109 1108->1107 1114 6cc55a33-6cc55a38 1109->1114 1115 6cc55a3a-6cc55a3d 1109->1115 1116 6cc55a40-6cc55aa7 call 6ccb09b0 call 6ccacff0 1114->1116 1115->1116 1121 6cc55ab3-6cc55b83 call 6cc79e30 call 6ccaad60 * 2 call 6cc79a20 1116->1121 1122 6cc55aa9-6cc55ab1 call 6ccac260 1116->1122 1133 6cc55b85-6cc55b89 1121->1133 1134 6cc55b8b-6cc55b93 call 6cc99ba0 1121->1134 1122->1121 1136 6cc55b97-6cc55b99 1133->1136 1134->1136 1138 6cc55bcf-6cc55be5 1136->1138 1139 6cc55b9b-6cc55bca call 6cc9a140 call 6cc99cd0 1136->1139 1141 6cc55be7-6cc55bef call 6ccac260 1138->1141 1142 6cc55bf1-6cc55c00 1138->1142 1139->1138 1141->1142 1145 6cc55c06-6cc55f1c call 6ccb09b0 call 6ccaad60 call 6ccacff0 call 6ccad050 call 6ccb09d0 * 2 call 6cc6fc30 call 6cc9f810 * 2 call 6ccb07f0 * 3 1142->1145 1146 6cc56c4a-6cc56c60 call 6cca6a90 1142->1146 1175 6cc55f24-6cc55fc2 call 6cc4a4e0 call 6cc7ed60 call 6cc4a700 call 6cc61f00 call 6cc585c0 call 6cc6ce30 call 6cc629f0 1145->1175 1176 6cc55f1e 1145->1176 1146->1108 1191 6cc55fc4-6cc55fc6 1175->1191 1192 6cc55fd0-6cc55fd2 1175->1192 1176->1175 1193 6cc56c34-6cc56c45 call 6cca6a90 1191->1193 1194 6cc55fcc-6cc55fce 1191->1194 1195 6cc56c1e-6cc56c2f call 6cca6a90 1192->1195 1196 6cc55fd8-6cc56095 call 6ccac476 call 6ccac94a call 6ccaad60 call 6cc6d3f0 call 6cc65470 call 6ccaad60 * 2 1192->1196 1193->1146 1194->1192 1194->1196 1195->1193 1213 6cc560b4-6cc560bc 1196->1213 1214 6cc56097-6cc560af call 6cc62a70 1196->1214 1216 6cc560c2-6cc56130 call 6ccac47a call 6cc76bb0 call 6cc9fa50 1213->1216 1217 6cc56abf-6cc56b05 call 6cc4a4e0 1213->1217 1214->1213 1233 6cc56140-6cc5615e 1216->1233 1222 6cc56b14-6cc56b30 call 6cc4a700 1217->1222 1223 6cc56b07-6cc56b12 call 6ccac260 1217->1223 1232 6cc56b55-6cc56b5e 1222->1232 1223->1222 1234 6cc56b60-6cc56b8b call 6cc5ed90 1232->1234 1235 6cc56b32-6cc56b54 call 6cc443c0 1232->1235 
1237 6cc56160-6cc56163 1233->1237 1238 6cc56169-6cc561ec 1233->1238 1248 6cc56b8d-6cc56b96 call 6ccaad60 1234->1248 1249 6cc56b9b-6cc56bf2 call 6cc88b70 * 2 1234->1249 1235->1232 1237->1238 1241 6cc56216-6cc5621c 1237->1241 1242 6cc56c14-6cc56c19 call 6ccac2e0 1238->1242 1243 6cc561f2-6cc561fc 1238->1243 1250 6cc56222-6cc563bc call 6cca7ed0 call 6cc76bb0 call 6cc77410 call 6cc77100 call 6cc77410 * 3 call 6cc77230 call 6cc77410 call 6cc76c10 call 6ccac47a 1241->1250 1251 6cc56c0a-6cc56c0f call 6ccac2e0 1241->1251 1242->1195 1246 6cc5620f-6cc56211 1243->1246 1247 6cc561fe-6cc5620a 1243->1247 1253 6cc56132-6cc5613e 1246->1253 1247->1253 1248->1249 1264 6cc56bf4-6cc56bfa 1249->1264 1265 6cc56c03-6cc56c09 1249->1265 1284 6cc5645e-6cc56461 1250->1284 1251->1242 1253->1233 1264->1265 1266 6cc56bfc 1264->1266 1266->1265 1285 6cc564e7-6cc56690 call 6cc76bb0 call 6cc77410 call 6cc76c10 call 6ccb0830 * 4 call 6ccac476 1284->1285 1286 6cc56467-6cc56484 1284->1286 1321 6cc56717-6cc5671a 1285->1321 1288 6cc563c1-6cc56457 call 6cc580a0 call 6cca7ed0 call 6cc76bb0 call 6cc77410 call 6cc76c10 1286->1288 1289 6cc5648a-6cc564e2 call 6cc76bb0 call 6cc77410 call 6cc76c10 1286->1289 1288->1284 1289->1288 1322 6cc567c0-6cc56a5a call 6ccb09b0 * 2 call 6cc76bb0 call 6cc77410 call 6cc77100 call 6cc77410 call 6cc77100 call 6cc77410 call 6cc77100 call 6cc77410 call 6cc77100 call 6cc77410 call 6cc77100 call 6cc77410 call 6cc77100 call 6cc77410 call 6cc77230 call 6cc77410 call 6cc76c10 1321->1322 1323 6cc56720-6cc56744 1321->1323 1389 6cc56a7c-6cc56aad call 6cc76bb0 call 6cc76db0 call 6cc76c10 1322->1389 1390 6cc56a5c-6cc56a77 call 6cc76bb0 call 6cc77410 call 6cc76c10 1322->1390 1324 6cc56746-6cc56749 1323->1324 1325 6cc5674b-6cc56779 call 6cc76bb0 call 6cc77410 call 6cc76c10 1323->1325 1324->1325 1327 6cc5677e-6cc56780 1324->1327 1332 6cc56695-6cc56716 call 6cc580a0 call 6cca7ed0 call 6cc76bb0 call 6cc77410 call 6cc76c10 1325->1332 1327->1332 1333 6cc56786-6cc567bb call 6cc76bb0 call 6cc77410 
call 6cc76c10 1327->1333 1332->1321 1333->1332 1389->1217 1402 6cc56aaf-6cc56aba call 6cc4a700 1389->1402 1390->1389 1402->1217
      Strings
      • failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 6CC56C34
      • ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid, xrefs: 6CC568DC
      • MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 6CC56A06
      • 5, xrefs: 6CC56C27
      • gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= , xrefs: 6CC55ABA
      • +:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08, xrefs: 6CC564A4, 6CC5678B
      • gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma, xrefs: 6CC5629A
      • @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12, xrefs: 6CC562C7
      • ., xrefs: 6CC561FE
      • non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo, xrefs: 6CC56C1E
      • ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE, xrefs: 6CC564EC
      • , xrefs: 6CC5606A
      • MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=, xrefs: 6CC5699C
      • gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6CC56C4A
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: $ @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12$ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=$ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) 
marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid$+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08$.$5$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= $non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo
      • API String ID: 0-2575422049
      • Opcode ID: ac72a5f9bc028c6241f788ac4c9b11478d695c9d97dd5059227e6c55d0f822bb
      • Instruction ID: c870c54cf98c28cff85af305a28a58ef6d9a370713ef03b1754a041c2c67bbc2
      • Opcode Fuzzy Hash: ac72a5f9bc028c6241f788ac4c9b11478d695c9d97dd5059227e6c55d0f822bb
      • Instruction Fuzzy Hash: 3CB212B46097448FD764DF68C580B9EBBF5FB8A304F41892ED98987750EB30A848DF52

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 1404 6cc693f0-6cc69402 1405 6cc69f94-6cc69f99 call 6ccaae50 1404->1405 1406 6cc69408-6cc69450 1404->1406 1405->1404 1408 6cc69476-6cc6947d 1406->1408 1410 6cc69483-6cc694ed 1408->1410 1411 6cc6957b-6cc69581 1408->1411 1414 6cc694f3-6cc694f5 1410->1414 1415 6cc69f8c-6cc69f93 call 6ccac320 1410->1415 1412 6cc69587-6cc695b3 call 6cc6c5d0 1411->1412 1413 6cc697f9-6cc69800 call 6ccac2f0 1411->1413 1427 6cc695b5-6cc69620 call 6cc69360 1412->1427 1428 6cc69621-6cc69631 1412->1428 1423 6cc69805-6cc6980c 1413->1423 1419 6cc69f85-6cc69f87 call 6ccac340 1414->1419 1420 6cc694fb-6cc69545 1414->1420 1415->1405 1419->1415 1424 6cc69547-6cc69550 1420->1424 1425 6cc69552-6cc69556 1420->1425 1429 6cc69810-6cc69812 1423->1429 1430 6cc69558-6cc69576 1424->1430 1425->1430 1431 6cc69637-6cc69648 1428->1431 1432 6cc697f4 call 6ccac2e0 1428->1432 1433 6cc699fd 1429->1433 1434 6cc69818 1429->1434 1430->1429 1438 6cc697e1-6cc697e9 1431->1438 1439 6cc6964e-6cc69653 1431->1439 1432->1413 1437 6cc69a01-6cc69a0a 1433->1437 1440 6cc69f7e-6cc69f80 call 6ccac2e0 1434->1440 1441 6cc6981e-6cc6984c 1434->1441 1443 6cc69d72-6cc69de0 call 6cc69360 1437->1443 1444 6cc69a10-6cc69a16 1437->1444 1438->1432 1445 6cc697c6-6cc697d6 1439->1445 1446 6cc69659-6cc69666 1439->1446 1440->1419 1448 6cc69856-6cc698af 1441->1448 1449 6cc6984e-6cc69854 1441->1449 1461 6cc69ee5-6cc69eeb 1443->1461 1451 6cc69d53-6cc69d71 1444->1451 1452 6cc69a1c-6cc69a26 1444->1452 1445->1438 1453 6cc6966c-6cc697b3 call 6cc76bb0 call 6cc77410 call 6cc77230 call 6cc77410 call 6cc77230 call 6cc77410 call 6cc77100 call 6cc77410 call 6cc77100 call 6cc77410 call 6cc77100 call 6cc77410 call 6cc76c10 call 6cc76bb0 call 6cc77410 call 6cc77100 call 6cc76db0 call 6cc76c10 call 6cca6a90 1446->1453 1454 6cc697b8-6cc697c1 1446->1454 1462 6cc698b1-6cc698bd 1448->1462 1463 6cc698bf-6cc698c8 1448->1463 1449->1423 1457 6cc69a41-6cc69a55 1452->1457 1458 6cc69a28-6cc69a3f 1452->1458 1453->1454 1464 6cc69a5c 1457->1464 1458->1464 
1469 6cc69eed-6cc69f02 1461->1469 1470 6cc69f68-6cc69f79 call 6cca6a90 1461->1470 1466 6cc698ce-6cc698e0 1462->1466 1463->1466 1467 6cc69a71-6cc69a91 1464->1467 1468 6cc69a5e-6cc69a6f 1464->1468 1476 6cc698e6-6cc698eb 1466->1476 1477 6cc699c8-6cc699ca 1466->1477 1472 6cc69a98 1467->1472 1468->1472 1473 6cc69f04-6cc69f09 1469->1473 1474 6cc69f0b-6cc69f1d 1469->1474 1470->1440 1479 6cc69aa1-6cc69aa4 1472->1479 1480 6cc69a9a-6cc69a9f 1472->1480 1481 6cc69f1f 1473->1481 1474->1481 1485 6cc698f4-6cc69908 1476->1485 1486 6cc698ed-6cc698f2 1476->1486 1483 6cc699e2 1477->1483 1484 6cc699cc-6cc699e0 1477->1484 1487 6cc69aaa-6cc69d4e call 6cc76bb0 call 6cc77410 call 6cc77230 call 6cc77410 call 6cc77230 call 6cc77410 call 6cc77100 call 6cc77410 call 6cc77100 call 6cc77410 call 6cc77100 call 6cc76db0 call 6cc76c10 call 6cc76bb0 call 6cc77410 call 6cc77230 call 6cc77410 call 6cc77100 call 6cc77410 call 6cc77230 call 6cc76db0 call 6cc76c10 call 6cc76bb0 call 6cc77410 call 6cc772a0 call 6cc77410 call 6cc77230 call 6cc76db0 call 6cc76c10 call 6cc76bb0 call 6cc77410 call 6cc77100 call 6cc77410 call 6cc77100 call 6cc76db0 call 6cc76c10 1479->1487 1480->1487 1488 6cc69f21-6cc69f26 1481->1488 1489 6cc69f28-6cc69f40 1481->1489 1491 6cc699e6-6cc699fb 1483->1491 1484->1491 1492 6cc6990f-6cc69911 1485->1492 1486->1492 1487->1461 1493 6cc69f42-6cc69f4e 1488->1493 1489->1493 1491->1437 1496 6cc69917-6cc69919 1492->1496 1497 6cc69452-6cc6946f 1492->1497 1498 6cc69f50-6cc69f55 1493->1498 1499 6cc69f5a-6cc69f5d 1493->1499 1502 6cc69922-6cc6993d 1496->1502 1503 6cc6991b-6cc69920 1496->1503 1497->1408 1499->1470 1507 6cc699a7-6cc699c3 1502->1507 1508 6cc6993f-6cc69944 1502->1508 1506 6cc6994b 1503->1506 1511 6cc6995e-6cc6996d 1506->1511 1512 6cc6994d-6cc6995c 1506->1512 1507->1423 1508->1506 1513 6cc69970-6cc699a2 1511->1513 1512->1513 1513->1423
      Strings
      • runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard , xrefs: 6CC69C5B
      • runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6CC69CE8
      • runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6CC6967A, 6CC69AB3
      • , j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desNoisyFoxexibindono anodeCancelIoReadFileAcc, xrefs: 6CC69C04
      • runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer, xrefs: 6CC6976B
      • ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc, xrefs: 6CC696CD
      • , levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:, xrefs: 6CC69D15
      • ] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt, xrefs: 6CC69B1A
      • , npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar, xrefs: 6CC69BD7
      • ][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C, xrefs: 6CC696A4, 6CC69AED
      • , i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc, xrefs: 6CC69C88
      • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CC697A2, 6CC69F68
      • , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST, xrefs: 6CC696F7, 6CC69721, 6CC69B44, 6CC69B6E
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST$, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desNoisyFoxexibindono anodeCancelIoReadFileAcc$, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:$, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar$] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt$] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc$][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard $runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
      • API String ID: 0-2701529305
      • Opcode ID: 66f1c3dc43cff45ad9c41d4c40eac6a06e7fce270f3d8472ea3d3bc48ec1c109
      • Instruction ID: 1975ff843bc2eb5b0d52e107eabe95e40f4b77d90757a43a22f399f3f0f4e20e
      • Opcode Fuzzy Hash: 66f1c3dc43cff45ad9c41d4c40eac6a06e7fce270f3d8472ea3d3bc48ec1c109
      • Instruction Fuzzy Hash: 525258756097088FD320DF69C58079EBBF1FF89308F11892DE99887B40E774A849DB92

      Control-flow Graph

      control_flow_graph (block id, address range, callee if any, successors)
      • 1764 6cc71570-6cc7157e -> 1765, 1766
      • 1765 6cc71584-6cc715b6 call 6cc732a0 -> 1771, 1772
      • 1766 6cc7181e-6cc71823 call 6ccaae50 -> 1764
      • 1771 6cc71807-6cc7181d call 6cca6a90 -> 1766
      • 1772 6cc715bc-6cc715ea call 6cc71470 -> 1777, 1778
      • 1777 6cc715fc-6cc71631 call 6cc732a0 -> 1783, 1784
      • 1778 6cc715ec-6cc715f9 call 6ccac270 -> 1777
      • 1783 6cc71637-6cc71669 call 6cc71470 -> 1788, 1789
      • 1784 6cc717f1-6cc71802 call 6cca6a90 -> 1771
      • 1788 6cc7167b-6cc71683 -> 1791, 1792
      • 1789 6cc7166b-6cc71678 call 6ccac270 -> 1788
      • 1791 6cc7172d-6cc7175f call 6cc71470 -> 1798, 1799
      • 1792 6cc71689-6cc716bb call 6cc71470 -> 1800, 1801
      • 1798 6cc71771-6cc717a9 call 6cc71470 -> 1812, 1813
      • 1799 6cc71761-6cc7176e call 6ccac270 -> 1798
      • 1800 6cc716cd-6cc716d5 -> 1805, 1806
      • 1801 6cc716bd-6cc716ca call 6ccac270 -> 1800
      • 1805 6cc717db-6cc717ec call 6cca6a90 -> 1784
      • 1806 6cc716db-6cc7170d call 6cc71470 -> 1816, 1817
      • 1812 6cc717bb-6cc717c4
      • 1813 6cc717ab-6cc717b8 call 6ccac270 -> 1812
      • 1816 6cc7171f-6cc71727 -> 1791, 1820
      • 1817 6cc7170f-6cc7171c call 6ccac270 -> 1816
      • 1820 6cc717c5-6cc717d6 call 6cca6a90 -> 1805
      Strings
      • NtCreateWaitCompletionPacket, xrefs: 6CC7163E
      • RtlGetVersion, xrefs: 6CC7177E
      • bcryptprimitives.dll, xrefs: 6CC7158D
      • NtAssociateWaitCompletionPacket, xrefs: 6CC71690
      • RtlGetCurrentPeb, xrefs: 6CC71734
      • NtCancelWaitCompletionPacket, xrefs: 6CC716E2
      • ntdll.dll, xrefs: 6CC71608
      • , xrefs: 6CC7169A
      • ProcessPrng, xrefs: 6CC715BF
      • , xrefs: 6CC716A2
      • bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible , xrefs: 6CC71807
      • NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no , xrefs: 6CC717C5
      • P, xrefs: 6CC717E4
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: $ $NtAssociateWaitCompletionPacket$NtCancelWaitCompletionPacket$NtCreateWaitCompletionPacket$NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no $P$ProcessPrng$RtlGetCurrentPeb$RtlGetVersion$bcryptprimitives.dll$bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible $ntdll.dll
      • API String ID: 0-2332038095
      • Opcode ID: 5e2fa6b079a60ed01ac0fa266240d731ad767656d844b4a76d889eb3d17e26ba
      • Instruction ID: 2f3fe032f913bbe8a524097049491e13ddcb0b42e177614cefde81c8f837246e
      • Opcode Fuzzy Hash: 5e2fa6b079a60ed01ac0fa266240d731ad767656d844b4a76d889eb3d17e26ba
      • Instruction Fuzzy Hash: 1F71C6B420A702DFEB44DF68D49465ABBF4FB86748F11882EE49983750E774D848CF62
      Strings
      • nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo, xrefs: 6CC63D81
      • previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 6CC63DAB
      • sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket, xrefs: 6CC63E09
      • mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 6CC63D16
      • sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket, xrefs: 6CC63CB8, 6CC6412C
      • swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6CC63C65
      • , xrefs: 6CC63E12
      • mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CC63CE2, 6CC64156
      • mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 6CC641A9
      • mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea, xrefs: 6CC6418A
      • sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto, xrefs: 6CC63C4F
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: $ mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo$ previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$ sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea$mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1$sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
      • API String ID: 0-893999930
      • Opcode ID: c40b180e5a2f31278667ca1171a9915aafafbe0a414e210db16175f693bc9c9a
      • Instruction ID: 692d91c43332010f971ae29c96d8e327dc87d47b333765038cbde88931ae0386
      • Opcode Fuzzy Hash: c40b180e5a2f31278667ca1171a9915aafafbe0a414e210db16175f693bc9c9a
      • Instruction Fuzzy Hash: 178247B46097548FC350DF66C190B9ABBF1BF89708F04896DE8D887B92E730D849DB52
      Strings
      • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi, xrefs: 6CC72EFD
      • VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec, xrefs: 6CC72DC9
      • runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr, xrefs: 6CC72DEC
      • runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 6CC72D95
      • %, xrefs: 6CC72F3A
      • runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b, xrefs: 6CC72F31
      • NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor, xrefs: 6CC72E20
      • ,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12, xrefs: 6CC72D29
      • CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet, xrefs: 6CC72E7B, 6CC72ED6
      • bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi, xrefs: 6CC72D6E
      • runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte, xrefs: 6CC72E47, 6CC72EA2
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: %$,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet$NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte$runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
      • API String ID: 0-2809656213
      • Opcode ID: d949780d16b290c42b4832b1c64c3ab652d246878bac5f64bb09e1e0ea7ff152
      • Instruction ID: d189e6ade76579d319385c08a62d0e1ed3de7c4c7d1b47240814116e43ea9d54
      • Opcode Fuzzy Hash: d949780d16b290c42b4832b1c64c3ab652d246878bac5f64bb09e1e0ea7ff152
      • Instruction Fuzzy Hash: 2DC1E4B42087018FD710EFA8C19879ABBF4FF89748F10896DE49887B40E7759949DF62
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID: AddressProc$HandleLibraryLoadModule
      • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
      • API String ID: 384173800-1835852900
      • Opcode ID: 6706ab700a3a3c1188ddda8e6482f92976a783d88cbb7d9f849150430992e535
      • Instruction ID: b122ebea36bbaf6f3ea5fc4c99f4ee8376e8cad1b7c46ec2c8be35405f9a0bc6
      • Opcode Fuzzy Hash: 6706ab700a3a3c1188ddda8e6482f92976a783d88cbb7d9f849150430992e535
      • Instruction Fuzzy Hash: 030100B29053148FD7007FB9E50631E7AB8BB42655F02952DD58587A11E730A455CB93
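The three function entries above are Go and MinGW start-up boilerplate rather than logic specific to this sample, and the dump carries enough to show it without a disassembler. The strings of the function at 6CC71570 are exactly the set the Go runtime's loadOptionalSyscalls (runtime/os_windows.go) resolves at start-up: bcryptprimitives.dll and ProcessPrng, then ntdll.dll's NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb and RtlGetVersion, together with the "bcryptprimitives.dll not found" and "... exists but ... does not" throw messages; the ProcessPrng lookup dates the build to Go 1.22 or later. Its control-flow graph has the matching shape: every block that references a DLL name calls 6cc732a0, every block that references an export name calls 6cc71470, every block that references a throw message calls 6cca6a90, and the entry block 1764 branches to 1766 (call 6ccaae50), which jumps back to 1764, the Go stack-growth prologue. The long blobs listed for the next function (xrefs 6CC63C4F through 6CC641A9) need a different reading: Go's linker stores string literals back to back grouped by length, so the string IDA prints at an xref runs on into unrelated neighbours of the same length (the 32-byte group "sweep increased allocation count", "removespecial on invalid pointer", "runtime: root level max pages = " ends at NtAssociateWaitCompletionPacket only because that 31-byte, NUL-terminated lookup name happens to come next). PowerRegisterSuspendResumeNotification appearing at the tail of a sweep panic message is therefore no evidence that this function registers a suspend/resume callback. The Go runtime does register one at start-up (runtime.monitorSuspendResume in os_windows.go, so that timers recover after a sleep/resume), and that, present in any Go program built for Windows, is what the "often done by Miners" signature keys on. Finally, the function that resolves __register_frame_info and __deregister_frame_info from libgcc_s_dw2-1.dll through GetModuleHandle/LoadLibrary/GetProcAddress is mingw-w64's crtbegin frame registration; it only says the DLL's C side was linked with the 32-bit MinGW toolchain, which a Go -buildmode=c-shared build needs because it requires cgo.

The script below is an added example and not part of the Joe Sandbox report. It parses the Strings bullets and the control_flow_graph line in the form the report prints them, maps every xref to its basic block and that block's callee, and fingerprints a function by the leading literal of each string rather than by substring, for the reason given above. The Go and MinGW function names in FINGERPRINTS, and the loader/resolver/throw roles it assigns to 6cc732a0, 6cc71470 and 6cca6a90, are inferences from the report data and the public runtime sources, not symbols recovered from the sample. The embedded excerpts are copied from this page, with the two long message blobs shortened.

```python
"""Triage of Joe Sandbox IDA-plugin function dumps (added example, not report code).
Parses a function's Strings bullets and flattened control_flow_graph line as the
report prints them, ties each string xref to the block that uses it and to that
block's callee, and fingerprints the function's leading literals against known
Go-runtime / MinGW start-up code. Function names are assumed labels taken from
Go's os_windows.go and mingw-w64's crtbegin; the DLL itself carries no symbols."""
import re
from collections import defaultdict

# Constructed excerpt of the report's Strings bullets for the function at
# 6CC71570; the two long message blobs are cut after their second literal.
STRINGS_6CC71570 = """\
• NtCreateWaitCompletionPacket, xrefs: 6CC7163E
• RtlGetVersion, xrefs: 6CC7177E
• bcryptprimitives.dll, xrefs: 6CC7158D
• NtAssociateWaitCompletionPacket, xrefs: 6CC71690
• RtlGetCurrentPeb, xrefs: 6CC71734
• NtCancelWaitCompletionPacket, xrefs: 6CC716E2
• ntdll.dll, xrefs: 6CC71608
• , xrefs: 6CC7169A
• ProcessPrng, xrefs: 6CC715BF
• bcryptprimitives.dll not foundpanic called with nil argument, xrefs: 6CC71807
• NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does not, xrefs: 6CC717C5
"""
# The report's control_flow_graph line for the same function, verbatim (re-wrapped).
CFG_6CC71570 = """\
1764 6cc71570-6cc7157e 1765 6cc71584-6cc715b6 call 6cc732a0 1764->1765 1766 6cc7181e-6cc71823 call 6ccaae50
1764->1766 1771 6cc71807-6cc7181d call 6cca6a90 1765->1771 1772 6cc715bc-6cc715ea call 6cc71470 1765->1772
1766->1764 1771->1766 1777 6cc715fc-6cc71631 call 6cc732a0 1772->1777 1778 6cc715ec-6cc715f9 call 6ccac270
1772->1778 1783 6cc71637-6cc71669 call 6cc71470 1777->1783 1784 6cc717f1-6cc71802 call 6cca6a90 1777->1784
1778->1777 1788 6cc7167b-6cc71683 1783->1788 1789 6cc7166b-6cc71678 call 6ccac270 1783->1789 1784->1771
1791 6cc7172d-6cc7175f call 6cc71470 1788->1791 1792 6cc71689-6cc716bb call 6cc71470 1788->1792 1789->1788
1798 6cc71771-6cc717a9 call 6cc71470 1791->1798 1799 6cc71761-6cc7176e call 6ccac270 1791->1799
1800 6cc716cd-6cc716d5 1792->1800 1801 6cc716bd-6cc716ca call 6ccac270 1792->1801 1812 6cc717bb-6cc717c4
1798->1812 1813 6cc717ab-6cc717b8 call 6ccac270 1798->1813 1799->1798 1805 6cc717db-6cc717ec call 6cca6a90
1800->1805 1806 6cc716db-6cc7170d call 6cc71470 1800->1806 1801->1800 1805->1784 1816 6cc7171f-6cc71727
1806->1816 1817 6cc7170f-6cc7171c call 6ccac270 1806->1817 1813->1812 1816->1791
1820 6cc717c5-6cc717d6 call 6cca6a90 1816->1820 1817->1816 1820->1805
"""

BULLET_RE = re.compile(r"^•\s*(.*?), xrefs: ([0-9A-Fa-f, ]+)$", re.M)
BLOCK_RE = re.compile(r"\b(\d+)\s+([0-9a-f]+)-([0-9a-f]+)(?:\s+call\s+([0-9a-f]+))?")
EDGE_RE = re.compile(r"(\d+)->(\d+)")
# Leading literals of known start-up code (the function names are the assumed labels).
FINGERPRINTS = {
    "runtime.loadOptionalSyscalls": {"bcryptprimitives.dll", "ProcessPrng", "ntdll.dll",
        "NtCreateWaitCompletionPacket", "NtAssociateWaitCompletionPacket",
        "NtCancelWaitCompletionPacket", "RtlGetCurrentPeb", "RtlGetVersion"},
    "runtime.monitorSuspendResume": {"powrprof.dll", "PowerRegisterSuspendResumeNotification"},
    "mingw.__gcc_register_frame": {"libgcc_s_dw2-1.dll", "__register_frame_info",
        "__deregister_frame_info"},
}

def parse_strings(text):
    """Strings bullets -> [(literal, [xref addresses])]; lines may list several xrefs."""
    return [(m.group(1), [int(a, 16) for a in m.group(2).split(",")])
            for m in BULLET_RE.finditer(text)]

def parse_string_id(line):
    """A '$'-joined String ID line -> the same shape, without xrefs."""
    return [(s, []) for s in line.split("$")]

def parse_cfg(text):
    """control_flow_graph line -> ({id: (start, end, callee|None)}, {id: [successors]})."""
    blocks = {int(i): (int(s, 16), int(e, 16), int(c, 16) if c else None)
              for i, s, e, c in BLOCK_RE.findall(text)}
    succ = defaultdict(list)
    for a, b in EDGE_RE.findall(text):
        succ[int(a)].append(int(b))
    return blocks, dict(succ)

def block_containing(blocks, addr):
    return next((b for b, (lo, hi, _) in blocks.items() if lo <= addr <= hi), None)

def label_callees(strings, blocks):
    """{callee: kinds of string its callers reference}. A DLL name reaches the module
    loader, an export name the symbol resolver, a sentence the throw helper (Go's
    windowsLoadSystemLib / windowsFindfunc / throw); inferred from the report alone."""
    roles = defaultdict(set)
    for s, addrs in strings:
        if not s:  # IDA printed an empty/unprintable string; nothing to classify
            continue
        kind = "dll-name" if s.lower().endswith(".dll") else "message" if " " in s else "export-name"
        for b in (block_containing(blocks, a) for a in addrs):
            if b is not None and blocks[b][2] is not None:
                roles[blocks[b][2]].add(kind)
    return dict(roles)

def stack_check_callee(blocks, succ):
    """Go prologue: the entry block branches to a block that calls morestack and
    jumps back to the entry; return that callee (None if the shape is absent)."""
    entry = min(blocks, key=lambda b: blocks[b][0])
    return next((blocks[s][2] for s in succ.get(entry, ())
                 if entry in succ.get(s, ()) and blocks[s][2] is not None), None)

def fingerprint(strings):
    """FINGERPRINTS whose literals all occur as a *prefix* of some string. Go's linker
    stores literals back to back grouped by length, so the string IDA shows at an xref
    runs into unrelated neighbours of equal length; only the prefix is evidence."""
    present = [s for s, _ in strings if s]
    return [name for name, lits in FINGERPRINTS.items()
            if all(any(p.startswith(lit) for p in present) for lit in lits)]
```

Run it against any function entry of this report pasted into the two inputs: when fingerprint() returns a Go-runtime or MinGW name, the function is toolchain code and the signatures that keyed on its imports can be discounted; a function whose leading literals match nothing is where the sample's own logic lives, and label_callees() gives the loader/resolver/throw addresses to follow from there.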
      Strings
      • malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo, xrefs: 6CCA3D31
      • mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential, xrefs: 6CCA3D47
      • 2, xrefs: 6CCA3D50
      • malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty, xrefs: 6CCA3D1B
      • p, xrefs: 6CCA3D5E
      • !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 6CCA36FF
      • mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 6CCA3D05
      • 3-, xrefs: 6CCA3D58
      • 4, xrefs: 6CCA3D0E
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$2$4$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo$malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $3-$p
      • API String ID: 0-234616912
      • Opcode ID: 3e6637b330cc6b11115b3ce8b087e4ca3e65bc19bbc6469e79a13a0c34f52539
      • Instruction ID: cb281f60b8cb39a6ab1db239161a7de41d2509d71a203a378a872a48d2be5b95
      • Opcode Fuzzy Hash: 3e6637b330cc6b11115b3ce8b087e4ca3e65bc19bbc6469e79a13a0c34f52539
      • Instruction Fuzzy Hash: DD62D070609356CFC304CFA9C0A466ABBF1BF89718F18896DE9948B791E735D846CF42
      Strings
      • pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps, xrefs: 6CCBD785
      • !, xrefs: 6CCBD0EC
      • v, xrefs: 6CCBD025
      • n, xrefs: 6CCBD1B1
      • y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KS, xrefs: 6CCBD1C5
      • invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa, xrefs: 6CCBD663
      • invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p, xrefs: 6CCBCF75, 6CCBD068, 6CCBD138, 6CCBD6F4, 6CCBD816, 6CCBD8A7, 6CCBD938, 6CCBD9CD
      • $, xrefs: 6CCBD66D
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: !$$$invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa$invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p$n$pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps$v$y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KS
      • API String ID: 0-3686076665
      • Opcode ID: fd60f4ecea6a5eb4808e12f5dd00e55d3fecb9cbbdba7d300e099c12b455e22c
      • Instruction ID: 9ae71ce7ca86deec13376b940e90cf97dc31e6bf1a0b975c5cfea35c4b0e50ef
      • Opcode Fuzzy Hash: fd60f4ecea6a5eb4808e12f5dd00e55d3fecb9cbbdba7d300e099c12b455e22c
      • Instruction Fuzzy Hash: BE7259B4A08345CFC714DFA9C18069AFBF1BB89704F548A2DE99897740EB74D948CF82
      Strings
      • %!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamec, xrefs: 6CCC3BCA, 6CCC3E95
      • 0, xrefs: 6CCC3150
      • %!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutinecopystac, xrefs: 6CCC3FD9, 6CCC42BB
      • 0, xrefs: 6CCC30B1
      • 0, xrefs: 6CCC3344
      • )]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+, xrefs: 6CCC3BE4, 6CCC3EAF, 6CCC3FF3, 6CCC42D5
      • 0, xrefs: 6CCC3267
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: %!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutinecopystac$%!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamec$)]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+$0$0$0$0
      • API String ID: 0-3084215349
      • Opcode ID: f397a5ac3c429bbca82f2e040d65efe57e12dd79eb299a912dc906f4d954d4e2
      • Instruction ID: 0e0d4638006c186f635a86070d8a99f59733aa83b8f116c012c139d18851988f
      • Opcode Fuzzy Hash: f397a5ac3c429bbca82f2e040d65efe57e12dd79eb299a912dc906f4d954d4e2
      • Instruction Fuzzy Hash: DA03E3B4A093818FC324DF19C0946DEFBE1BBC9304F14892EE99997751E770A949CB93
      Strings
      • fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit, xrefs: 6CC96539
      • non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard , xrefs: 6CC966C5
      • :(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I, xrefs: 6CC963FD
      • (1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID, xrefs: 6CC96320
      • pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace, xrefs: 6CC96593
      • sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us, xrefs: 6CC96566
      • , xrefs: 6CC96031
      • , xrefs: 6CC96039
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: $ $ fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit$ pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace$ sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us$(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID$:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I$non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard
      • API String ID: 0-3830612415
      • Opcode ID: 4c6a04ab9d9215b92ebe477eae45099eae7916594d467df97f87e720fa7807c5
      • Instruction ID: 46dd6875c3811f72593dfcefce3c206dca300c89664b941575944bee0d5f0573
      • Opcode Fuzzy Hash: 4c6a04ab9d9215b92ebe477eae45099eae7916594d467df97f87e720fa7807c5
      • Instruction Fuzzy Hash: AE32E3746097818FC364DF65C180B9FBBE1BF89308F15896EE8C887751EB309849DB92
      Strings
      • timeBeginPeriod, xrefs: 6CC71B29
      • timeEndPeriod, xrefs: 6CC71B73
      • runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta, xrefs: 6CC71BD9
      • winmm.dll, xrefs: 6CC71AF3
      • timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 6CC71C0D
      • &, xrefs: 6CC71C3D
      • runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co, xrefs: 6CC71C34
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: &$runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta$runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co$timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon$timeBeginPeriod$timeEndPeriod$winmm.dll
      • API String ID: 0-424793872
      • Opcode ID: 9e59cd97fa91a151f8954822ee17c1ceafbe4c2459a860de05a940af250a7211
      • Instruction ID: 94cada88bd20ceb9703ad21635dd26023ddc1637856745a1ff21d9b90a9abc1c
      • Opcode Fuzzy Hash: 9e59cd97fa91a151f8954822ee17c1ceafbe4c2459a860de05a940af250a7211
      • Instruction Fuzzy Hash: E251D5B06097019FEB14EFA8D19475ABBF4FB46348F10881DE49887B50E774D448DF62
      APIs
      Strings
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID: ErrorFormatFreeLastLocalMessagefprintf
      • String ID: Erro: %s
      • API String ID: 659079672-2412703935
      • Opcode ID: f879f94332cc7186ce19094af99bfd71d26640fe8bb282919f1bc8ec9a8bb00e
      • Instruction ID: 4236042f18b4e104cce91c46b088caabae9bb4e6d890e697690244dec83ce758
      • Opcode Fuzzy Hash: f879f94332cc7186ce19094af99bfd71d26640fe8bb282919f1bc8ec9a8bb00e
      • Instruction Fuzzy Hash: 5901DDB05093019FE700AFA8C09831FFBF4AB88308F01891DE99886690E7789258CF93
      Strings
      • findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi, xrefs: 6CC7E0EB
      • global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz, xrefs: 6CC7E093
      • findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r, xrefs: 6CC7E0D5
      • !, xrefs: 6CC7E0DE
      • findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina, xrefs: 6CC7E0BF
      • findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a, xrefs: 6CC7E0A9
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: !$findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz
      • API String ID: 0-3518981815
      • Opcode ID: d9664dfe4cf2e2c8d53db3da0cb021d98e66b0f70b2c2bcbb57fcd256d4f8f51
      • Instruction ID: feb913c8b39a29a06824651b40651f0d9ebc6478b1ff1f7bee902d6531956354
      • Opcode Fuzzy Hash: d9664dfe4cf2e2c8d53db3da0cb021d98e66b0f70b2c2bcbb57fcd256d4f8f51
      • Instruction Fuzzy Hash: DCA2C2B46093419FE724DF69C090B9ABBF4BF8A748F04892DE9D887750E735D848CB52
      Strings
      • 5, xrefs: 6CC71420
      • runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy, xrefs: 6CC7139D, 6CC713F8, 6CC7144B
      • runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar, xrefs: 6CC71369
      • runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe, xrefs: 6CC713C4
      • d, xrefs: 6CC71276
      • runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not , xrefs: 6CC71417
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: 5$d$runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar$runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not $runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe$runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy
      • API String ID: 0-2414937731
      • Opcode ID: a6e2adc301ebd9e66ffb27646d2475941e09559723c45ae9a6485777781136e4
      • Instruction ID: 7e3ef5896622afc11beb0bb313d1e6486071ec0c911a0fa8c58477a15a7a70b7
      • Opcode Fuzzy Hash: a6e2adc301ebd9e66ffb27646d2475941e09559723c45ae9a6485777781136e4
      • Instruction Fuzzy Hash: 9351DBB46097019FD750DF68C194B9EBBF4EF89348F00882DE89887B50E774A948DB63
      APIs
      • GetSystemTimeAsFileTime.KERNEL32 ref: 6CCD6289
      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CC413B9), ref: 6CCD629A
      • GetCurrentThreadId.KERNEL32 ref: 6CCD62A2
      • GetTickCount.KERNEL32 ref: 6CCD62AA
      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CC413B9), ref: 6CCD62B9
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
      • String ID:
      • API String ID: 1445889803-0
      • Opcode ID: 20ca8ab6023f31241f6812031d0ca93d4c62d082baff321dcceb445ff4c4de7a
      • Instruction ID: 28d24af7b167b36768a407e3dcf291532f9c9118da0a53caa23b0ee178bb4819
      • Opcode Fuzzy Hash: 20ca8ab6023f31241f6812031d0ca93d4c62d082baff321dcceb445ff4c4de7a
      • Instruction Fuzzy Hash: 0B114CB56053008BDB00DFB9E48864BBBF8FB89354F060D39E545C6A00EA31E458CBD2
      APIs
      • SetUnhandledExceptionFilter.KERNEL32 ref: 6CCD634F
      • UnhandledExceptionFilter.KERNEL32 ref: 6CCD635F
      • GetCurrentProcess.KERNEL32 ref: 6CCD6368
      • TerminateProcess.KERNEL32 ref: 6CCD6379
      • abort.MSVCRT ref: 6CCD6382
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
      • String ID:
      • API String ID: 520269711-0
      • Opcode ID: 68559fdf59d6df59fa884e5499a79533767f63869847c0ce6fa45fa26408e3da
      • Instruction ID: b50590f618a3d1905ad3af510d28b1a1142a19a2f02bf2f9fe3ee1f070f088c8
      • Opcode Fuzzy Hash: 68559fdf59d6df59fa884e5499a79533767f63869847c0ce6fa45fa26408e3da
      • Instruction Fuzzy Hash: F611E6B5A05201CFEB00FFA9D14565EBBF4BB85314F01892DEA88C7360E775A954CF92
      Strings
      • runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti, xrefs: 6CC6198C, 6CC619DB
      • min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW, xrefs: 6CC619C0
      • min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 6CC61A0F
      • !, xrefs: 6CC61A18
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW$runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti
      • API String ID: 0-967014423
      • Opcode ID: 736234160b8994db1e54edd4a1d890c52fbbcc89de19a69a4d2a57ada07c3375
      • Instruction ID: f19a7aa976bf6102cb094bfae41540ad0194ddbdb04b1bfdaa6035d2e61957fd
      • Opcode Fuzzy Hash: 736234160b8994db1e54edd4a1d890c52fbbcc89de19a69a4d2a57ada07c3375
      • Instruction Fuzzy Hash: A8F1D0326097268FD711DEAE85C064EB7E2EBC4349F148A3CD89597B81FB71D809C682
      Strings
      • stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a , xrefs: 6CC7A843
      • stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met, xrefs: 6CC7A7EB
      • stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many, xrefs: 6CC7A7B0
      • stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl, xrefs: 6CC7A690
      Similarity
      • API ID:
      • String ID: stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met$stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a $stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many$stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl
      • API String ID: 0-2039697367
      • Opcode ID: 3d42a33c45e6f85e972e66936c839b9aaccff2572a9f77fd5024921287e122e6
      • Instruction ID: 77a19db01291d259be9e035ca25208bb0466454d791b0fe4be0edc492e57c517
      • Opcode Fuzzy Hash: 3d42a33c45e6f85e972e66936c839b9aaccff2572a9f77fd5024921287e122e6
      • Instruction Fuzzy Hash: 83F1EF746093408FD318CF69C190A9ABBF1FBCA708F14992EE99887751E770E945CF92
      APIs
      Similarity
      • API ID: Heapfree$FreeProcess
      • String ID:
      • API String ID: 3425746932-0
      • Opcode ID: db817ae01fea5cef3c6e1b852a561db69dd4c8a9846e3f6faaf2e2b83164d05c
      • Instruction ID: 3728641d9a30f57841866a6aa5caa8c390a07a34f57d68c29a950314eac0d221
      • Opcode Fuzzy Hash: db817ae01fea5cef3c6e1b852a561db69dd4c8a9846e3f6faaf2e2b83164d05c
      • Instruction Fuzzy Hash: F121E5B56057019BDB00DF25D1C471ABBE5BF84308F16C96CEA888BB49E734E845CB92
      Strings
      Similarity
      • API ID:
      • String ID: '$'$PowerRegisterSuspendResumeNotification$powrprof.dll
      • API String ID: 0-4026319467
      • Opcode ID: 6aaed791d3d91e978d008bf482863acfc0876b3c3c721f969d3c2bd56f34b18a
      • Instruction ID: 4e1824220a149b5bed06bd9f91cf1a2fb541205e14e28f842daf0caafd173530
      • Opcode Fuzzy Hash: 6aaed791d3d91e978d008bf482863acfc0876b3c3c721f969d3c2bd56f34b18a
      • Instruction Fuzzy Hash: 9C21B3B4A083429FD714CF29C09465ABBF0FB89758F40881EE49987750E775DA89CF93
      Strings
      • runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern, xrefs: 6CC86A04
      • <, xrefs: 6CC86A0D
      • runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add, xrefs: 6CC869D7
      Similarity
      • API ID:
      • String ID: <$runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add$runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern
      • API String ID: 0-450027851
      • Opcode ID: bce85b59186d505a8ed19ba6a9a1a4253927047362a8998be0bf261740354822
      • Instruction ID: 47b2a974cf1707391003c134fd282cccf552efccf3b1128992734810c69e2508
      • Opcode Fuzzy Hash: bce85b59186d505a8ed19ba6a9a1a4253927047362a8998be0bf261740354822
      • Instruction Fuzzy Hash: 50028B70A1AB058FC714DF69C19065FBBE1BFC8708F14892DE99887740EB75E845CB82
      Strings
      • invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro, xrefs: 6CC7648D
      • suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support, xrefs: 6CC764A3
      • ', xrefs: 6CC764AC
      Similarity
      • API ID:
      • String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support
      • API String ID: 0-3278438963
      • Opcode ID: c9d421e3aa12871a2ee52c2f317410ef602f3ad4a5b0f74a5fad2a9f7b5ffc7e
      • Instruction ID: 7fa83d55c7952a93fe504af0dca098cf895010ebc27804f50bb2161c58b2059f
      • Opcode Fuzzy Hash: c9d421e3aa12871a2ee52c2f317410ef602f3ad4a5b0f74a5fad2a9f7b5ffc7e
      • Instruction Fuzzy Hash: EBD1317420D7418FC714CF2AC090A5ABBF1EF8A708F48885DE8C597B51E735E945CB62
      Strings
      • +, xrefs: 6CC66D57
      • grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 6CC66D4E
      Similarity
      • API ID:
      • String ID: +$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
      • API String ID: 0-3347251187
      • Opcode ID: 52bfc7b5682942d94224fa7684c6b525154bcd147cfe9bf92df82f4de49da57b
      • Instruction ID: a207744b14fe34edc2bd96373ecc5b9429588e1cf75c8fd66d898d926e966248
      • Opcode Fuzzy Hash: 52bfc7b5682942d94224fa7684c6b525154bcd147cfe9bf92df82f4de49da57b
      • Instruction Fuzzy Hash: DF22FF746097819FD314CF6AC290A5EBBF1BF89708F14892DE9D987B50EB35D848CB42
      Strings
      • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CC6B60F
      • @, xrefs: 6CC6B4FB
      Similarity
      • API ID:
      • String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
      • API String ID: 0-1191861649
      • Opcode ID: 2f0699e1a8c971364cf81f7584ea33280cba7be6a2979e56aba4f565eccaf58f
      • Instruction ID: 34c0d4257fdd8380b7eb39be197cbaab01a4bd194dcb6dd8ae0ad0cf92f02be1
      • Opcode Fuzzy Hash: 2f0699e1a8c971364cf81f7584ea33280cba7be6a2979e56aba4f565eccaf58f
      • Instruction Fuzzy Hash: B0A1D17560870A8FC304DF59C8D065AB7E1FFC8318F448A2DE9959B741EB34E95ACB82
      Strings
      Similarity
      • API ID:
      • String ID: $@
      • API String ID: 0-1077428164
      • Opcode ID: 82a583140d6cd3a5e277b8faf606864a97f0cc312713ff3a7eb80f451b3ace9a
      • Instruction ID: 6344a500c3ab071c2a00aa52b1f2062a1323b7932e45efbb97fd44f5b54ec1c4
      • Opcode Fuzzy Hash: 82a583140d6cd3a5e277b8faf606864a97f0cc312713ff3a7eb80f451b3ace9a
      • Instruction Fuzzy Hash: C051A610C1DF5B65E6330AFEC4026267B206EB7244B01D76FFDD6B58B2E7136941BA22
      Strings
      • ,, xrefs: 6CC5CFAA
      • gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu, xrefs: 6CC5CFA1
      Similarity
      • API ID:
      • String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu
      • API String ID: 0-27675022
      • Opcode ID: 4f73bc22e0c0f4fb51882a1890edfe88ac936be5d0bee7d9e8bf4186c2c525d8
      • Instruction ID: e0a8565566427aeb05ef38a7dc651236822a59ace5b563f8802a31cf705a0072
      • Opcode Fuzzy Hash: 4f73bc22e0c0f4fb51882a1890edfe88ac936be5d0bee7d9e8bf4186c2c525d8
      • Instruction Fuzzy Hash: 48318F756493968FD305DF58C490A59B7F1FB8A608F4886BDCC885F383DB31A84ACB85
      Strings
      • ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint, xrefs: 6CCC5B6E
      Similarity
      • API ID:
      • String ID: ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint
      • API String ID: 0-1364986362
      • Opcode ID: ebd66ce79be4ea53955a50259abbec9a4e505454f95ed8fa33d867449ac5528a
      • Instruction ID: b190c83763deff5a975a6af7dd65af1e598591e0ffed19f249f525dada8aa8b0
      • Opcode Fuzzy Hash: ebd66ce79be4ea53955a50259abbec9a4e505454f95ed8fa33d867449ac5528a
      • Instruction Fuzzy Hash: F35205B5A083858FD334CF19C5503DEBBE1ABD5308F44892DD9D89B381E7B5A9498B83
      Strings
      Similarity
      • API ID:
      • String ID: 4
      • API String ID: 0-4088798008
      • Opcode ID: b3d4fa667a56278856cec29f02030aec2b473febb0d311d6e5211527dbf3bbb6
      • Instruction ID: e39d448a4df716f1f635bbe174a50f12beebc0ca89be11d921bd8caf3403457a
      • Opcode Fuzzy Hash: b3d4fa667a56278856cec29f02030aec2b473febb0d311d6e5211527dbf3bbb6
      • Instruction Fuzzy Hash: 7922B07560D3468FC734DE58C4C4A9EB7E1BFC5304F148A2ED9998BB91EB31A805CB82
      Strings
      • span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 6CC50D52
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
      • API String ID: 0-1712010102
      • Opcode ID: 74210d09285d0c0d1ae274bbd3fab7eb7c39738714c5350252421cc05ddbb626
      • Instruction ID: 3f7f61cebe940de66f8fdb2306b0a623a1865c84269ccec624bf1fbac1c2de4e
      • Opcode Fuzzy Hash: 74210d09285d0c0d1ae274bbd3fab7eb7c39738714c5350252421cc05ddbb626
      • Instruction Fuzzy Hash: 89D147746093859FC744DF29C09066EBBE0BF8A708F40892EE8D9C7B41E735D969CB46
      Strings
      • runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 6CC6D3CB
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
      • API String ID: 0-429552053
      • Opcode ID: 8b6214888bdda5d2be191d5b510d82adbed7917723b7277ecb77d76c5fe0c570
      • Instruction ID: 88851980b55dd87b230a11aa8f64eb31dbe9cb8e5c9ddde3a471a16ab7e164c5
      • Opcode Fuzzy Hash: 8b6214888bdda5d2be191d5b510d82adbed7917723b7277ecb77d76c5fe0c570
      • Instruction Fuzzy Hash: 97B1E3786093459FC704DF6AC28082EBBF1BB89358F61892DE99497B10E730E945CF82
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: ;
      • API String ID: 0-1661535913
      • Opcode ID: 91e63bebd3c03032be3089ba058ab9ac86a5a10190d26e73233acf9cdda30252
      • Instruction ID: 0ba13f72110c7294cd08149efa6dadebf6de2b77f407b82148691905924155fc
      • Opcode Fuzzy Hash: 91e63bebd3c03032be3089ba058ab9ac86a5a10190d26e73233acf9cdda30252
      • Instruction Fuzzy Hash: 9CA17171B083054FD70CDE5DD99131AFAE2ABC8304F09CA3DE589DB7A4E634D9098B86
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: @
      • API String ID: 0-2766056989
      • Opcode ID: d17a19ff89c02534acd6f0a8ead620bb06e6c5b084c88789462174edbb3a8208
      • Instruction ID: af89888da8346837bb43c3f047a3d61110c3691094efa304485635ac052588fe
      • Opcode Fuzzy Hash: d17a19ff89c02534acd6f0a8ead620bb06e6c5b084c88789462174edbb3a8208
      • Instruction Fuzzy Hash: FA91F0B5A093059FC344DF29C1C065ABBE1FFC8744F40992EE89997B41E735E949CB82
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0bd35d764435ba440c8ade09d18a58935ddb89d1d5a96a6668163cf3e6bab018
      • Instruction ID: 04428544ae8339ddbc955ac9ec3f137354d77be4b2290c513dadfddabaf3695a
      • Opcode Fuzzy Hash: 0bd35d764435ba440c8ade09d18a58935ddb89d1d5a96a6668163cf3e6bab018
      • Instruction Fuzzy Hash: CA826B75A083548BC768CE4EC49069AF3F2BBCD700F55896ED69DA3750EB70AD05CB82
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 491adf2faa0e8a3fb2ef1dcf537e387b239fe1537c4f022028539c175e7ada28
      • Instruction ID: 3b6182d5407998396e3f837acc06752bd119296f0203ab69a2a4eee7958bbf3c
      • Opcode Fuzzy Hash: 491adf2faa0e8a3fb2ef1dcf537e387b239fe1537c4f022028539c175e7ada28
      • Instruction Fuzzy Hash: 6E225C71B0C7458FD724CE69C59036BB7E2BB85304F55882DE9898BB40FB71984A9B83
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c42bf6e88a9827d7d80249f3a08103c0b672bf10ea7e9f64b0fc63e75ab360f7
      • Instruction ID: b2540207435482050ec3cec03203e23e164567156c1c7e429cde92213a9c5a2a
      • Opcode Fuzzy Hash: c42bf6e88a9827d7d80249f3a08103c0b672bf10ea7e9f64b0fc63e75ab360f7
      • Instruction Fuzzy Hash: 76129872B087098FC324DE5DC98024AF7E6BBC4304F59CA3DD9588B755EB70E9098B82
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: d1a9ae08260df1ce7c13fe12f0e335411b4460604157aebd0e0ff4301afa9015
      • Instruction ID: afb2d24e4a3ffbb70504f917039e4f1c08af377f8dc643d7da1b4102ca612909
      • Opcode Fuzzy Hash: d1a9ae08260df1ce7c13fe12f0e335411b4460604157aebd0e0ff4301afa9015
      • Instruction Fuzzy Hash: 66E11633B497194BD714EDAEC9C025EB2D2ABC8344F19873CDD649BB80FA75D80A86C1
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b95ac3eb0218a8d35395329727b4e1d7f06b2867ca7f4bb53230f175424d3c8f
      • Instruction ID: 3bc64e06e730aec2c4a4de10215b732e54e80a30d4c6565572f8e2b955086e66
      • Opcode Fuzzy Hash: b95ac3eb0218a8d35395329727b4e1d7f06b2867ca7f4bb53230f175424d3c8f
      • Instruction Fuzzy Hash: FF0280356097468FD324DF68C48065EF7E1BF89308F148A6DE9998BB51E731E846CB82
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 39320d3a0d07c7548c9f7eef2ca2e37278f467871f0239259d4ab98470ad7b84
      • Instruction ID: ab4ce8026842787421b05be58f7154cbe6447273bacf7d66b77986b25aab10b4
      • Opcode Fuzzy Hash: 39320d3a0d07c7548c9f7eef2ca2e37278f467871f0239259d4ab98470ad7b84
      • Instruction Fuzzy Hash: 85E1C433E2472507D3149E59CC80249B2D3ABC8670F4EC72DED95AB781EAB4ED5987C2
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0fc8c447167872922458748b16cf49e10ea7ca0c18c11b9fc95b28d858fb3495
      • Instruction ID: 7045fb5bb96c2ab908cee7b2a156178d7a0bc1a692878769fa87cbf1ffc76ef4
      • Opcode Fuzzy Hash: 0fc8c447167872922458748b16cf49e10ea7ca0c18c11b9fc95b28d858fb3495
      • Instruction Fuzzy Hash: 8BE19D72B4CB658BC305CE2A859022EFBE2BBC5704F45892DE895CB741E7719849CB83
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 64540959b0599aae1586d18fcff43f0ec14578a612a0a6be9a4209ff843ad994
      • Instruction ID: 2ac6bb2462aa0cd3693e92c2f203e22131eed5863ec6408ae37f7287d6341a57
      • Opcode Fuzzy Hash: 64540959b0599aae1586d18fcff43f0ec14578a612a0a6be9a4209ff843ad994
      • Instruction Fuzzy Hash: B3C1E232B483254FC708DE6DC89064EBBE2ABC4304F89863DE855DB7A1F774E8168785
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 3855397d292470c8f902b8d8ec6232358f13ebd2c320b6b8fd97d485db7fb972
      • Instruction ID: d6c64cad9591fa8d112132dc3ddc20c96ec5c24658dd46cfdbf6832f1b1d0ec4
      • Opcode Fuzzy Hash: 3855397d292470c8f902b8d8ec6232358f13ebd2c320b6b8fd97d485db7fb972
      • Instruction Fuzzy Hash: DEE1D23160D3568FC314DF69C4C096EFBE1AF8A304F044A6DE8959B792E730E949CB92
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 65faa5cf811e2ccdb88ef99156e65edc4faafe32772ddae3edc3caf989906191
      • Instruction ID: bf52a71141b6ef4816c549fda98631716fb67355e70a32d1cdf95efcc0166224
      • Opcode Fuzzy Hash: 65faa5cf811e2ccdb88ef99156e65edc4faafe32772ddae3edc3caf989906191
      • Instruction Fuzzy Hash: E8F1E57560D3908FD364CF29C090B9BBBE1BBCA304F54892EE9D887751EB31A845CB52
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 7edfcb56d4dd458ce5161377095538c78eb45fcbe2acf44007646aa9ef258c88
      • Instruction ID: 75ff22748cf53fe7a1042b9af29bd46545b9f02011c3556c249d8e29b1b72003
      • Opcode Fuzzy Hash: 7edfcb56d4dd458ce5161377095538c78eb45fcbe2acf44007646aa9ef258c88
      • Instruction Fuzzy Hash: F6C1627060432A4FC251CE5EDCC096A73D1AB4821DF91866D9644CF7C3DA3AF46B97A4
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: cd7a7fe86b8bc88d778a80c28423ace3bdf2107ee49e9059009431d6b2ef1ece
      • Instruction ID: 662214b20119f0b843747c7ed17a7493af7a1231321ca5521af806ccae466c15
      • Opcode Fuzzy Hash: cd7a7fe86b8bc88d778a80c28423ace3bdf2107ee49e9059009431d6b2ef1ece
      • Instruction Fuzzy Hash: B5C1527060432A4FC251CE5EDCC0A6A73E1AB4821DF91866D9644CF7C3DA3AF46B97A4
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2b5e0c87d7e2f9abdf8faeab4cb441f63306768803d926ae3c6d5aeb1dc2b25f
      • Instruction ID: a3126a1b92e30b45f1b327fcb28e435e90143ede4ba49fafbdefd33ca7e8946d
      • Opcode Fuzzy Hash: 2b5e0c87d7e2f9abdf8faeab4cb441f63306768803d926ae3c6d5aeb1dc2b25f
      • Instruction Fuzzy Hash: F19146326097154FCB19EE9EC4D050EB3E2FBC8348F58873CD96A4BB81EB759909C681
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 92b3299e68fdacd889cc76ee031c649a0c754ff6d4665cfa35afad7678b20302
      • Instruction ID: 488c15448ce3367d024271bdb5961aebeacf10e774809de2983c0409445eb970
      • Opcode Fuzzy Hash: 92b3299e68fdacd889cc76ee031c649a0c754ff6d4665cfa35afad7678b20302
      • Instruction Fuzzy Hash: 82814537B4973A4FDB11EDAA89D024D3292ABC8358F19473CD9748BBC1FB75980682C1
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 34f51e8a1b34f11b1f565f070722c079264281ac83bd42ffc8115468a0142253
      • Instruction ID: 0e2bc4a4db3de9bfe9da8c396a893c2c5d117e778de44738454e8be1757c48fd
      • Opcode Fuzzy Hash: 34f51e8a1b34f11b1f565f070722c079264281ac83bd42ffc8115468a0142253
      • Instruction Fuzzy Hash: 6F91B776A187184BD304DE59CCC0259B3D2BBC8724F49C63CECA89B745E674EE59CB81
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 41ada581611e63b5808f14d10c08f02f82e27722ee5b4f368e8c30ef40c42610
      • Instruction ID: 8bcd22e2c2fe32257e5bbbbb0abbdc5a8bcf49cdcf8eb52de511fa9bbab13259
      • Opcode Fuzzy Hash: 41ada581611e63b5808f14d10c08f02f82e27722ee5b4f368e8c30ef40c42610
      • Instruction Fuzzy Hash: E28109B2A183108FC314DF19D88095AFBE2BFC8748F46892DF988D7711E771D9158B82
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 61061917868daa726f7df6c3dcb5f3add355fa800b7da8a9865bcf94aea8642a
      • Instruction ID: 5a305f27be20f7e89cd6cf98f2ed983a0d6a76773f434cd05dc673e64be19616
      • Opcode Fuzzy Hash: 61061917868daa726f7df6c3dcb5f3add355fa800b7da8a9865bcf94aea8642a
      • Instruction Fuzzy Hash: 9691CDB49093419FC308CF29C19091ABBF0FF89748F008A6EE89997B50E730E949CF46
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: aaac1fa95927537056fa748d1ed80cb4c36531cfe69fe86e380ee050db7f54d2
      • Instruction ID: fe9265e966f238be14381b7682c431bdd387b376e558a601d6fffc5177f9d7b2
      • Opcode Fuzzy Hash: aaac1fa95927537056fa748d1ed80cb4c36531cfe69fe86e380ee050db7f54d2
      • Instruction Fuzzy Hash: 8851647090C3A44AE3158FAF48D412AFFF16FC6301F884A6EF5E443392D5B89515DBAA
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5f2099bee0860f46ca284356d62ef3010283a0982996d5de84ffb9257a3ea447
      • Instruction ID: 209c9cdf2819e4f6b98f327cbc764b16d5e4fb7e3f16b20fb886018d826b5ec9
      • Opcode Fuzzy Hash: 5f2099bee0860f46ca284356d62ef3010283a0982996d5de84ffb9257a3ea447
      • Instruction Fuzzy Hash: 0851557090C3A44AE3158F6F48D402AFFF16FC6301F884A6EF5E443392D5B89515DB6A
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: cf9c76d27d5dc59b544c5d80dd6d2adef459ad74bee414c0931f3956d7a2b484
      • Instruction ID: 2adce73d512fd8e96c2111f9f7f0827fcea9b0481208d284c70c1c6faadbd462
      • Opcode Fuzzy Hash: cf9c76d27d5dc59b544c5d80dd6d2adef459ad74bee414c0931f3956d7a2b484
      • Instruction Fuzzy Hash: 18516A756093228FC318DF69C5D0A1AB7E0BF88604F19857CED599B792E731E846CBC2
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5fd40fddcc9234b28d6ac9b2f126ec15b5a8808f996aa90ca90f8fce91e34c2a
      • Instruction ID: f7e9ceeb82bd9e97c1f10652b73f87a36c9a8ebc707641057c23758a2ea95698
      • Opcode Fuzzy Hash: 5fd40fddcc9234b28d6ac9b2f126ec15b5a8808f996aa90ca90f8fce91e34c2a
      • Instruction Fuzzy Hash: A0418171908F058FC346DE79C49021AB3A5BFC6384F54C72DE94A6B752EB319847CB41
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 009984602d2f734f8d16a2e5d6803421c25f3b2d3ad13aae2bac973d4cb183f2
      • Instruction ID: 1d172029d69f4c2a369cd362b1e8573e4fb6d3fb68facd9bd7256a2a0fd0a0ce
      • Opcode Fuzzy Hash: 009984602d2f734f8d16a2e5d6803421c25f3b2d3ad13aae2bac973d4cb183f2
      • Instruction Fuzzy Hash: AC3141B391971D8BD300AF498C40149F7E2ABD0B20F5ECA5ED9A457701EBB0AA15CBC7
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5ca079cf2e2a6f1d31c5f92b890377aa5e6f00d775241e798b627952595af7b8
      • Instruction ID: 996aa384f6780f051aee5f12b2103b31ad391f2fa71e41eb43a240e6905190e0
      • Opcode Fuzzy Hash: 5ca079cf2e2a6f1d31c5f92b890377aa5e6f00d775241e798b627952595af7b8
      • Instruction Fuzzy Hash: 5B21F531704221CBDB08CF3ED9D012AB7F7ABCA710B45C46CD545C7BA4E634A80AC746
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 89016d398c22f2bae14625aac949c51a8b57cb633c09e291db8d10ecaa718ef4
      • Instruction ID: 40db49abd22e0920df66126afd67ca497945620f936520bc88fb1cf94373148a
      • Opcode Fuzzy Hash: 89016d398c22f2bae14625aac949c51a8b57cb633c09e291db8d10ecaa718ef4
      • Instruction Fuzzy Hash: 0411BF70608341CFD725CF68C0A06A9BBF5FF86308F44485CE59A5BB91E7799809CF52
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      • Associated: 00000003.00000002.1324587819.000000006CC40000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324722230.000000006CCD8000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324759089.000000006CCD9000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324793784.000000006CCDA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324866371.000000006CCDF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1324997782.000000006CD88000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD8E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325023818.000000006CD93000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325067578.000000006CDA6000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325092484.000000006CDAD000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325115152.000000006CDAE000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000003.00000002.1325132352.000000006CDB1000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: fc7d9fec521580eb4febf21cc6dd2623cac27ae91f1ffa3a151bf185828a13ed
      • Instruction ID: c00cfe725911c722ee7e6365ec2d662c24c24155d08b82b1a8674b7bbd9cb500
      • Opcode Fuzzy Hash: fc7d9fec521580eb4febf21cc6dd2623cac27ae91f1ffa3a151bf185828a13ed
      • Instruction Fuzzy Hash: E711DBB4700B118FD398DF99C0D4A69B3E1FB8C200B4A81BDDB0A9B766D670A855DB85
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c84666ef49d364ee30ead3b7227dc5a8c18a5a284f4551500877bb849b3686a5
      • Instruction ID: c7b7272fa4bf86ad28e956fbb013a3986898037c4db3749b3f69e21ebc341ec1
      • Opcode Fuzzy Hash: c84666ef49d364ee30ead3b7227dc5a8c18a5a284f4551500877bb849b3686a5
      • Instruction Fuzzy Hash: 4BC02BF0C0E353AEF700CB9EC10430ABEE09B81300F81C48DE24883604D335C1824704
      APIs
      Strings
      • VirtualQuery failed for %d bytes at address %p, xrefs: 6CCD65C7
      • @, xrefs: 6CCD6578
      • VirtualProtect failed with code 0x%x, xrefs: 6CCD659A
      • Address %p has no image-section, xrefs: 6CCD65DB
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID: QueryVirtual
      • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
      • API String ID: 1804819252-1098444051
      • Opcode ID: ddde7f400842f9cf6f467dee660be5ea038ccd21a359cadf835f8566083e84be
      • Instruction ID: a6baa180ef7d4e9f2179bcc12834c7291897debc7fe413c3744f39791660c1cf
      • Opcode Fuzzy Hash: ddde7f400842f9cf6f467dee660be5ea038ccd21a359cadf835f8566083e84be
      • Instruction Fuzzy Hash: 26418DB6A057018FD700EFA9E48464AFBF4FB85324F168A29DA598B714F734E444CB92
      APIs
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
      • String ID:
      • API String ID: 533997002-0
      • Opcode ID: 58568de747f74c1e05850fe23331a39c6a310e731d58f4d4603b3ab281db16d3
      • Instruction ID: 77a4755f2e06d0986b22534a68434f99275d24c6cc5c4b559ed9cef039ee9f62
      • Opcode Fuzzy Hash: 58568de747f74c1e05850fe23331a39c6a310e731d58f4d4603b3ab281db16d3
      • Instruction Fuzzy Hash: 0951B176A087158FD700DF29D48025AB7E5FBC8304F06892EEB98D7640F775E949CB92
      APIs
      • CreateEventA.KERNEL32 ref: 6CCD5CD2
      • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CCD5D89), ref: 6CCD5CEB
      • fwrite.MSVCRT ref: 6CCD5D20
      • abort.MSVCRT ref: 6CCD5D25
      Strings
      • runtime: failed to create runtime initialization wait event., xrefs: 6CCD5D19
      • =, xrefs: 6CCD5D05
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID: CreateCriticalEventInitializeSectionabortfwrite
      • String ID: =$runtime: failed to create runtime initialization wait event.
      • API String ID: 2455830200-3519180978
      • Opcode ID: 168fee2ee0ade3dec1f92486eeb91b76ef600f3055053d4227575d333d59a205
      • Instruction ID: 3cff3328aa8d3553cd86f4a06999fe2842d72f2b3cdd141767a538aa1fcfd3ea
      • Opcode Fuzzy Hash: 168fee2ee0ade3dec1f92486eeb91b76ef600f3055053d4227575d333d59a205
      • Instruction Fuzzy Hash: 2FF0FFB15053019FE700BFA8D51931EBFF4FB81318F82885DD99886690EB7AA058CF93
      APIs
      • Sleep.KERNEL32(?,?,?,6CC412E0,?,?,?,?,?,?,6CC413A3), ref: 6CC41057
      • _amsg_exit.MSVCRT ref: 6CC41085
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID: Sleep_amsg_exit
      • String ID:
      • API String ID: 1015461914-0
      • Opcode ID: c2feb0526786d6c625add3fa2e2635500355b9d26e79a2405e024fda03d4c721
      • Instruction ID: 900ab209a1b2361fd9ca43d0e04485e5330b3cf228f1cf48e4d1d96b51f243e4
      • Opcode Fuzzy Hash: c2feb0526786d6c625add3fa2e2635500355b9d26e79a2405e024fda03d4c721
      • Instruction Fuzzy Hash: 66417D71709240CBF700BFAED98174A77F4EB82358F11C52AD6848BB44E776D491CB82
      APIs
      • bsearch.MSVCRT ref: 6CCD4D5F
      • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CCD5BEF), ref: 6CCD4D9A
      • malloc.MSVCRT ref: 6CCD4DC8
      • qsort.MSVCRT ref: 6CCD4E16
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID: ErrorLastbsearchmallocqsort
      • String ID:
      • API String ID: 1451747280-0
      • Opcode ID: 928a9d52f0f9150865a5bcbfe6be8d3dc726ad6f7609b3f0e095e2eb590e34c6
      • Instruction ID: 894b7b513e0ba08528d697f90e1be13fc0377a004ef6d329cd4422da4ee4ff7f
      • Opcode Fuzzy Hash: 928a9d52f0f9150865a5bcbfe6be8d3dc726ad6f7609b3f0e095e2eb590e34c6
      • Instruction Fuzzy Hash: 2D417B756083018FD710DF29D480A1AB7F5FF88314F1689ADEA8987B14E774F858CB82
      APIs
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID: ErrorLast$LocaleThread
      • String ID:
      • API String ID: 2451566642-0
      • Opcode ID: 5d8cd3785de2e6a6be6d63701afae17516d95f0bab4ad36de5a1da2bc7b57ed4
      • Instruction ID: ed1518be41ee358885287e9301affe4977c06f1352c641fb34065ede4368f2a7
      • Opcode Fuzzy Hash: 5d8cd3785de2e6a6be6d63701afae17516d95f0bab4ad36de5a1da2bc7b57ed4
      • Instruction Fuzzy Hash: 222181706042048BD700EB79D844A5777F5FF85318F168928E6A9CB680FA35F859CB52
      APIs
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID: _lock_unlockcalloc
      • String ID:
      • API String ID: 3876498383-0
      • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
      • Instruction ID: a8d454be014872f4928d60c7d023cadaeb6537479ee5809aba3b428570b0c8be
      • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
      • Instruction Fuzzy Hash: 77115E70105201CFE7009F68C88075A7BE4FF45354F568A6AEA98CBB89FB78F845DB52
      APIs
      • WaitForSingleObject.KERNEL32 ref: 6CCD5E10
      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CCD45D9), ref: 6CCD5E1C
      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CCD45D9), ref: 6CCD5E2E
      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CCD45D9), ref: 6CCD5E3E
      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CCD45D9), ref: 6CCD5E50
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeave$ObjectSingleWait
      • String ID:
      • API String ID: 1755037574-0
      • Opcode ID: 3acad371e03bd753cc9e4d06027e9dfb0a66ce42c9a49c370ed7660236f62db9
      • Instruction ID: b8ec94ae0e36acfa0886a4539c0834b9abd1d476966ea31433bf75f280fc7d74
      • Opcode Fuzzy Hash: 3acad371e03bd753cc9e4d06027e9dfb0a66ce42c9a49c370ed7660236f62db9
      • Instruction Fuzzy Hash: 6E01D2B1504305CFEA00BFF9E58551EBBB8FF86224F510929DA9447750D733A469CBA3
      APIs
      Strings
      • Mingw-w64 runtime failure:, xrefs: 6CCD7248
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID: abortfwritevfprintf
      • String ID: Mingw-w64 runtime failure:
      • API String ID: 3176311984-2889761391
      • Opcode ID: e90202181e88e4bbb6d53a9c39148d5c833f5c348cf045db84e2e8830cb682e9
      • Instruction ID: e704c8a652b0d931495cb5aff2efb6c013f3d0718d99d1d39bf61ef3a98ff1d2
      • Opcode Fuzzy Hash: e90202181e88e4bbb6d53a9c39148d5c833f5c348cf045db84e2e8830cb682e9
      • Instruction Fuzzy Hash: 1EE0C2B0009304DED300AF69C08529EBAE4BF84348F42C91CE2C847B95E778A489EB53
      APIs
      • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CC412A5), ref: 6CCD6709
      Strings
      • Unknown pseudo relocation bit size %d., xrefs: 6CCD6799
      • Unknown pseudo relocation protocol version %d., xrefs: 6CCD6864
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID: ProtectVirtual
      • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
      • API String ID: 544645111-395989641
      • Opcode ID: c10c6b3c12d7cc805be04e5761ab0184d36bb81255706981293b6ab8502aa347
      • Instruction ID: e578bf0fee120931681021e48f6b6b98f19bc88c166756b50a7f2df308c0ebe0
      • Opcode Fuzzy Hash: c10c6b3c12d7cc805be04e5761ab0184d36bb81255706981293b6ab8502aa347
      • Instruction Fuzzy Hash: BC61D171A05A098FDB00EF68D4C0649B7B5FF85318F668A29EA45DBB10F371F846CB81
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID: bsearchfprintffwrite
      • String ID: $
      • API String ID: 1110293247-3993045852
      • Opcode ID: c47f3968ce23c21dccacf98c72eaad457a11cb281f275a49095932c02d795e24
      • Instruction ID: d11512a0c94dba74cd79b42fb0f4b2209e92dd2247e8b471c083033444a22b0b
      • Opcode Fuzzy Hash: c47f3968ce23c21dccacf98c72eaad457a11cb281f275a49095932c02d795e24
      • Instruction Fuzzy Hash: D501D7B58093109BD700AF68D44925AFBE4FF48318F52892EE9C897741E775E444CB93
      APIs
      Memory Dump Source
      • Source File: 00000003.00000002.1324614259.000000006CC41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC40000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_6cc40000_rundll32.jbxd
      Similarity
      • API ID: CriticalSection$EnterErrorLastLeaveValue
      • String ID:
      • API String ID: 682475483-0
      • Opcode ID: 4adfa50933a08b4d13bebda7e4281c26aeb164cad8e6e2f81564b2cee6f09063
      • Instruction ID: 14fd6fcf35ad7f426fe6cc1d9662d0fffb9439d6ce6702cd38affaab33aed824
      • Opcode Fuzzy Hash: 4adfa50933a08b4d13bebda7e4281c26aeb164cad8e6e2f81564b2cee6f09063
      • Instruction Fuzzy Hash: 4CF08172A007148FEB007FBDD98991B7BB8EA85354B060928DE4487714E730A469CBE3

      Execution Graph

      Execution Coverage: 0%
      Dynamic/Decrypted Code Coverage: 0%
      Signature Coverage: 0%
      Total number of Nodes: 11
      Total number of Limit Nodes: 1
      execution_graph (rendered graph; nodes 6cd15fb0 → _beginthread, _errno, Sleep, fprintf, abort; 6ccecea0 → WriteFile)

      Control-flow Graph

      APIs
      Strings
      • runtime: failed to create new OS thread (%d), xrefs: 6CD15FF9
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: _errno$Sleep_beginthreadabortfprintf
      • String ID: runtime: failed to create new OS thread (%d)
      • API String ID: 1261927973-3231778263
      • Opcode ID: ab107c82566ee56ca4b63f3c72babdb45091643b0129ba936ecfc7ca6e6d6893
      • Instruction ID: 476a5dcf44ac306d04151f505536cea3ffff2821be5f5502668782f9e75f808b
      • Opcode Fuzzy Hash: ab107c82566ee56ca4b63f3c72babdb45091643b0129ba936ecfc7ca6e6d6893
      • Instruction Fuzzy Hash: 8A0128B5509314DFD700BF69E88851EBBB8EB8A224F06461DE68983E60D7309444DAA3

      Control-flow Graph

      • Executed
      • Not Executed
      Control-flow graph basic blocks (address ranges; called APIs in parentheses):
      • 6ccecea0-6cceceb7 -> 6ccecec8-6ccecee0 (WriteFile); -> 6cceceb9-6ccecec6
      • 6cceceb9-6ccecec6 -> 6ccecec8-6ccecee0 (WriteFile)
      APIs
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: FileWrite
      • String ID:
      • API String ID: 3934441357-0
      • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
      • Instruction ID: 6083f5c3ca3784cb42446b3cadced54dcd62b1418f04aca6e529cd5a6b409ffd
      • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
      • Instruction Fuzzy Hash: 70E0C2715056408FCB15DF18C2C1706BBE1EB48A00F0485A8DE098BB4AE734ED10CA92
      APIs
      • SetUnhandledExceptionFilter.KERNEL32 ref: 6CD1634F
      • UnhandledExceptionFilter.KERNEL32 ref: 6CD1635F
      • GetCurrentProcess.KERNEL32 ref: 6CD16368
      • TerminateProcess.KERNEL32 ref: 6CD16379
      • abort.MSVCRT ref: 6CD16382
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
      • String ID:
      • API String ID: 520269711-0
      • Opcode ID: 4897821df74cf619dcdcd8a4e8def8aac86d21fe103cd9caf79b4fc11b8968f0
      • Instruction ID: 2bd5e396d90cb79062974bb68d5cbc735c06584d5fdb90771edd978c4d4c9906
      • Opcode Fuzzy Hash: 4897821df74cf619dcdcd8a4e8def8aac86d21fe103cd9caf79b4fc11b8968f0
      • Instruction Fuzzy Hash: BE11DAB5A04205DFEB40FF69D14565E7BF4FB49304F00851DEA4887760E7349944CF92
      APIs
      • SetUnhandledExceptionFilter.KERNEL32 ref: 6CD1634F
      • UnhandledExceptionFilter.KERNEL32 ref: 6CD1635F
      • GetCurrentProcess.KERNEL32 ref: 6CD16368
      • TerminateProcess.KERNEL32 ref: 6CD16379
      • abort.MSVCRT ref: 6CD16382
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
      • String ID:
      • API String ID: 520269711-0
      • Opcode ID: 5cd49edce9e96cbc1f9d2b3105011ba1996b88aed84558e24ae11e7b5575918b
      • Instruction ID: d98aff3ec21feafaf06448f1de9488d8b45c80b2bee6479728ba773286b38732
      • Opcode Fuzzy Hash: 5cd49edce9e96cbc1f9d2b3105011ba1996b88aed84558e24ae11e7b5575918b
      • Instruction Fuzzy Hash: 411105B5A04205DFEB40FF69D14961A7FF8FB4A304F00852CEA4887B60E734A904CF92

      Control-flow Graph

      APIs
      Strings
      • unexpected cgo_bindm on Windows, xrefs: 6CD15EA4
      • runtime: failed to signal runtime initialization complete., xrefs: 6CD15F2C
      • ;, xrefs: 6CD15F18
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeaveabortfwrite$Event
      • String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
      • API String ID: 3057923235-924395932
      • Opcode ID: 9533effaa59e57006318ff5399a8a90d63373dbd3f6e52a6d9a153c1f7258370
      • Instruction ID: 31597f175c9baea379297bad1e042387c40451e0c92cef4399aac0e7e1306502
      • Opcode Fuzzy Hash: 9533effaa59e57006318ff5399a8a90d63373dbd3f6e52a6d9a153c1f7258370
      • Instruction Fuzzy Hash: EC11D6B1908700DFEB40BF78D10A26EBFF4BB49304F42891CE98547A21D779A158CBA3
      APIs
      Strings
      • @, xrefs: 6CD16578
      • VirtualProtect failed with code 0x%x, xrefs: 6CD1659A
      • VirtualQuery failed for %d bytes at address %p, xrefs: 6CD165C7
      • Address %p has no image-section, xrefs: 6CD165DB
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: QueryVirtual
      • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
      • API String ID: 1804819252-1098444051
      • Opcode ID: cc15ac44ae187d1d00efef9e6036de95b6bb8357b1c63f980a7242aff15d8050
      • Instruction ID: 6df4061c7389f79164f5e34225133bb8263e4d80f356d838bd2e7b5f564057a4
      • Opcode Fuzzy Hash: cc15ac44ae187d1d00efef9e6036de95b6bb8357b1c63f980a7242aff15d8050
      • Instruction Fuzzy Hash: E6414FB2A093019BE700EF69E48464EFBF4FB89314F558669D958CBB24E730E445CB92
      APIs
      Strings
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: AddressProc$HandleLibraryLoadModule
      • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
      • API String ID: 384173800-1835852900
      • Opcode ID: 239c3896d8077e9649473e108e7355970673679694ba628e01db9901f69307be
      • Instruction ID: 514f3843fd0826da2078aebf4d0b67b18fd2adb2bef1e9d063ed10d524ba3f6b
      • Opcode Fuzzy Hash: 239c3896d8077e9649473e108e7355970673679694ba628e01db9901f69307be
      • Instruction Fuzzy Hash: 7C0152B290A3048FD700BFB9A90631F7FF8EB46255F01452DD99987F21E73094048B93
      APIs
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
      • String ID:
      • API String ID: 533997002-0
      • Opcode ID: 58314adb6ba89a2a19c1e0875c3b1f3481cfc73d89b39112f4239555d48545b7
      • Instruction ID: f3a1dc546c11dc665dd97cfeb399ffbc7d85b27ad273bd4b0bb61e495a680987
      • Opcode Fuzzy Hash: 58314adb6ba89a2a19c1e0875c3b1f3481cfc73d89b39112f4239555d48545b7
      • Instruction Fuzzy Hash: B951847660C3158FD700DF29E48025AB7E6FFC8308F15892AE998D7A20E775D5498B92
      APIs
      • malloc.MSVCRT ref: 6CD1606F
      • fwrite.MSVCRT ref: 6CD160BD
      • abort.MSVCRT ref: 6CD160C2
      • free.MSVCRT ref: 6CD160E5
        • Part of subcall function 6CD15FB0: _beginthread.MSVCRT ref: 6CD15FD6
        • Part of subcall function 6CD15FB0: _errno.MSVCRT ref: 6CD15FE1
        • Part of subcall function 6CD15FB0: _errno.MSVCRT ref: 6CD15FE8
        • Part of subcall function 6CD15FB0: fprintf.MSVCRT ref: 6CD16008
        • Part of subcall function 6CD15FB0: abort.MSVCRT ref: 6CD1600D
      Strings
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
      • String ID: +$runtime/cgo: out of memory in thread_start
      • API String ID: 2633710936-1802439445
      • Opcode ID: f37a4c5442dd97de9b53096f31db3f18507033124d61fcc48f3c0929fa80253c
      • Instruction ID: 9c3075354aca66b71cbaa924c603503198ebadb5d8e9d748667a60556914be89
      • Opcode Fuzzy Hash: f37a4c5442dd97de9b53096f31db3f18507033124d61fcc48f3c0929fa80253c
      • Instruction Fuzzy Hash: 4721F7B4608700DFD700EF28D58594ABBF4FF89314F45899DE9888BB36D3399845CBA2
      APIs
      • CreateEventA.KERNEL32 ref: 6CD15CD2
      • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CD15D89), ref: 6CD15CEB
      • fwrite.MSVCRT ref: 6CD15D20
      • abort.MSVCRT ref: 6CD15D25
      Strings
      • =, xrefs: 6CD15D05
      • runtime: failed to create runtime initialization wait event., xrefs: 6CD15D19
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: CreateCriticalEventInitializeSectionabortfwrite
      • String ID: =$runtime: failed to create runtime initialization wait event.
      • API String ID: 2455830200-3519180978
      • Opcode ID: 90ac8accdfa7d066e20527a33016efd00701548856f7d99f7cc4069472a83c64
      • Instruction ID: f6d107048129da67f809770c9480ef8193b2463c9c316f73a2fa75950733a1e2
      • Opcode Fuzzy Hash: 90ac8accdfa7d066e20527a33016efd00701548856f7d99f7cc4069472a83c64
      • Instruction Fuzzy Hash: 0DF0C9B15087019FE740BF68D50931ABFF4BB45308F81885DD99986A61E77980488B93
      APIs
      • Sleep.KERNEL32(?,?,?,6CC812E0,?,?,?,?,?,?,6CC813A3), ref: 6CC81057
      • _amsg_exit.MSVCRT ref: 6CC81085
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: Sleep_amsg_exit
      • String ID:
      • API String ID: 1015461914-0
      • Opcode ID: a603a9c7f71a0d8f5cd89ae877b4067d2306fdd2af221306abe9739182cbf44e
      • Instruction ID: 466e6c1f673685527e861e086d2455efd346ed05c3bd8afd96b564f4972844af
      • Opcode Fuzzy Hash: a603a9c7f71a0d8f5cd89ae877b4067d2306fdd2af221306abe9739182cbf44e
      • Instruction Fuzzy Hash: 5D41AE7170A2408BFB40BF2ED98075B7FF8FB86349F11452AD6648BB10E775C4818BA2
      APIs
      • VirtualQuery.KERNEL32 ref: 6CD1652D
      • VirtualProtect.KERNEL32 ref: 6CD16587
      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CDC53A8), ref: 6CD16594
        • Part of subcall function 6CD17220: fwrite.MSVCRT ref: 6CD1724F
        • Part of subcall function 6CD17220: vfprintf.MSVCRT ref: 6CD1726F
        • Part of subcall function 6CD17220: abort.MSVCRT ref: 6CD17274
      Strings
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
      • String ID: VirtualProtect failed with code 0x%x$@
      • API String ID: 1616349570-2953866262
      • Opcode ID: c121a77127881fd32d828396a4697ba48d9f95138848d9e75b9589b862a806ce
      • Instruction ID: 12294b0e55d4193b4fbb02b783b2af14aa402bf6a74cd37aec153239d69e0fb4
      • Opcode Fuzzy Hash: c121a77127881fd32d828396a4697ba48d9f95138848d9e75b9589b862a806ce
      • Instruction Fuzzy Hash: E62128B29083018FE740EF29D48464EBBF0FF88318F158A69E998C7A64E334D505CB92
      APIs
      Strings
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: ErrorFormatFreeLastLocalMessagefprintf
      • String ID: Erro: %s
      • API String ID: 659079672-2412703935
      • Opcode ID: 0e378154d61fc9f0462019f65e59462904739f39bf4bc8e4d6adce3b333bec2a
      • Instruction ID: 803fc079d481bda86e1bedd79c96ae51ee07059b406cb6ff939cb24fbd3a71c9
      • Opcode Fuzzy Hash: 0e378154d61fc9f0462019f65e59462904739f39bf4bc8e4d6adce3b333bec2a
      • Instruction Fuzzy Hash: A10192B05083019FE700AF68C58931BBBF4AB88349F01891DE99896A50D7798249CF93
      APIs
      • bsearch.MSVCRT ref: 6CD14D5F
      • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CD15BEF), ref: 6CD14D9A
      • malloc.MSVCRT ref: 6CD14DC8
      • qsort.MSVCRT ref: 6CD14E16
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: ErrorLastbsearchmallocqsort
      • String ID:
      • API String ID: 1451747280-0
      • Opcode ID: 7adf61f2eee38f5b0fbd853ff81d5cab1506bacd976ff157fb4511ceb890fdd0
      • Instruction ID: 2db907580f83b47a777f785fe44e4324b2b2bc6e9eb30f6cbb730e5fc0f8e77b
      • Opcode Fuzzy Hash: 7adf61f2eee38f5b0fbd853ff81d5cab1506bacd976ff157fb4511ceb890fdd0
      • Instruction Fuzzy Hash: C4413D75618301CFDB10DF29E48061AB7F5FF88318F15896DE88987B25D774E858CB92
      APIs
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: ErrorLast$LocaleThread
      • String ID:
      • API String ID: 2451566642-0
      • Opcode ID: b0171c12a0e51089d0c3009a26f98434c31eae9380e52efe3c5082ecb7c6f136
      • Instruction ID: d246b1e250f21f5f1a44679da8b3cd9f5e6286eb712ffb998e983b23513e4f09
      • Opcode Fuzzy Hash: b0171c12a0e51089d0c3009a26f98434c31eae9380e52efe3c5082ecb7c6f136
      • Instruction Fuzzy Hash: 7E21A770608204CBD700AF38D884657B7F5BF49318F158928E5A9CBBA0FB39E819CB52
      APIs
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: _lock_unlockcalloc
      • String ID:
      • API String ID: 3876498383-0
      • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
      • Instruction ID: 9830270284ee1804a30f689971db51f093a0229989cdc6615220afb2635c4468
      • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
      • Instruction Fuzzy Hash: E01172B0248200DFD7009F68E8807567BE0BF45364F16896AE498CBF75DB74D485CB61
      APIs
      • GetSystemTimeAsFileTime.KERNEL32 ref: 6CD16289
      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CC813B9), ref: 6CD1629A
      • GetCurrentThreadId.KERNEL32 ref: 6CD162A2
      • GetTickCount.KERNEL32 ref: 6CD162AA
      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CC813B9), ref: 6CD162B9
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
      • String ID:
      • API String ID: 1445889803-0
      • Opcode ID: b5066e610bef4e100ae3c5f3d11faaded1dc92d677935877df8cc330557c1462
      • Instruction ID: 9cc7f4bd4d159a062bae19d2deb889941cc1da39037140e20d13eac30c3f650c
      • Opcode Fuzzy Hash: b5066e610bef4e100ae3c5f3d11faaded1dc92d677935877df8cc330557c1462
      • Instruction Fuzzy Hash: 9C115EB56093018BEB00EF79E48964BBBF8FB89254F054D39E544C7E10EA35D449CBD2
      APIs
      • WaitForSingleObject.KERNEL32 ref: 6CD15E10
      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CD145D9), ref: 6CD15E1C
      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CD145D9), ref: 6CD15E2E
      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CD145D9), ref: 6CD15E3E
      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CD145D9), ref: 6CD15E50
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeave$ObjectSingleWait
      • String ID:
      • API String ID: 1755037574-0
      • Opcode ID: 6f2c487af5706a9201dc20e77dcf752647e70662a62dec9e4b37721e4c038b16
      • Instruction ID: 99ff6a816da0ec97ae03e02feacd327810f74bb5a06ccfc073ad5b8ebb45499e
      • Opcode Fuzzy Hash: 6f2c487af5706a9201dc20e77dcf752647e70662a62dec9e4b37721e4c038b16
      • Instruction Fuzzy Hash: 960112B1A08705CFEB00BF79A58551ABFB8BF8A214F510529D99447B60D731A468CBA3
      APIs
      Strings
      • Mingw-w64 runtime failure:, xrefs: 6CD17248
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: abortfwritevfprintf
      • String ID: Mingw-w64 runtime failure:
      • API String ID: 3176311984-2889761391
      • Opcode ID: 84de4c8f40c43bc6f4bc84b304afda66f6e76f8510e6d6c16138c3f02d5c6efd
      • Instruction ID: f21929fc8345664d8c03e9bbb1bacabb93dd9b31f67abe0dc75f8e813d5b6b46
      • Opcode Fuzzy Hash: 84de4c8f40c43bc6f4bc84b304afda66f6e76f8510e6d6c16138c3f02d5c6efd
      • Instruction Fuzzy Hash: DBE0C2B000D304AED300AFA9D0853AFBAF4BF84348F02891CE0C847B71D77884898B63
      APIs
      • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CC812A5), ref: 6CD16709
      Strings
      • Unknown pseudo relocation protocol version %d., xrefs: 6CD16864
      • Unknown pseudo relocation bit size %d., xrefs: 6CD16799
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: ProtectVirtual
      • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
      • API String ID: 544645111-395989641
      • Opcode ID: 60132a35128272504bdf88cc6d0cff58efcecdbdd2170863b99786195ed562f3
      • Instruction ID: a9b17eabcde7d1f043c86cfa6843007e67019e29d4070befe1284c5d476fe12e
      • Opcode Fuzzy Hash: 60132a35128272504bdf88cc6d0cff58efcecdbdd2170863b99786195ed562f3
      • Instruction Fuzzy Hash: D5618071B092058BCB00EFA9E4C064DBBB9FB85318F648669D954DBF60D3719847CB91
      APIs
      Strings
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: bsearchfprintffwrite
      • String ID: $
      • API String ID: 1110293247-3993045852
      • Opcode ID: f93a90aa829beb83a12c489f21e7002fe61b5eb3ee68f2468318dfbe156cf63f
      • Instruction ID: e83bd7c0c0d46580a0c589ec4c9eadd6842c6b624de0d9975ef7a210fe85c2df
      • Opcode Fuzzy Hash: f93a90aa829beb83a12c489f21e7002fe61b5eb3ee68f2468318dfbe156cf63f
      • Instruction Fuzzy Hash: 40011BB550D300DFD700AF68E54929AFBE4AF48318F41891EE8C897B61E378C444CB63
      APIs
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: Heapfree$FreeProcess
      • String ID:
      • API String ID: 3425746932-0
      • Opcode ID: 7fb37a1526a8f0b741e9c3a441f7216339ac894847945d83f100e0118fa327b9
      • Instruction ID: bc3db961a0be798d8dc8854d02d654f786fb3e485f3896b2163d93a1fcd1d1b3
      • Opcode Fuzzy Hash: 7fb37a1526a8f0b741e9c3a441f7216339ac894847945d83f100e0118fa327b9
      • Instruction Fuzzy Hash: 6C21E5B5A09300CBDB00DF25E1C471ABBF5BF88208F15C96CE8898BB19D734D844CB92
      APIs
      Memory Dump Source
      • Source File: 0000000D.00000002.1420748715.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 0000000D.00000002.1420624836.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425264400.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425395354.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425825887.000000006CD1A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1425974039.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426346234.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426444323.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426633660.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426778331.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1426923729.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1427000091.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: CriticalSection$EnterErrorLastLeaveValue
      • String ID:
      • API String ID: 682475483-0
      • Opcode ID: c3639df2d304d4506b730857d2a7585453b083e7cf9745a6d93082c7bfbf8f1a
      • Instruction ID: 294c2fed305e994866f60614181825bfa8b2a4ca6dba850e7c45d21a061457c1
      • Opcode Fuzzy Hash: c3639df2d304d4506b730857d2a7585453b083e7cf9745a6d93082c7bfbf8f1a
      • Instruction Fuzzy Hash: 05F0A472A08304CFEB007F6DD48991FBBB8FA89254B050528DE4487B64E730A859CBE3

      Execution Graph

      Execution Coverage: 0%
      Dynamic/Decrypted Code Coverage: 0%
      Signature Coverage: 0%
      Total number of Nodes: 11
      Total number of Limit Nodes: 1
      Execution graph nodes (node id: address, API calls):
      • 52844: 6cd15fb0
      • 52845: 6cd15fc7 _beginthread
      • 52846: 6cd15fe1 _errno
      • 52847: 6cd16012
      • 52848: 6cd16020 Sleep
      • 52849: 6cd15fe8 _errno
      • 52850: 6cd16034
      • 52851: 6cd15ff9 fprintf abort
      • 52852: 6ccecea0
      • 52853: 6ccecec8 VirtualAlloc
      • 52854: 6cceceb9
      Execution graph edges:
      • 52844 -> 52845
      • 52845 -> 52846
      • 52845 -> 52847
      • 52846 -> 52848
      • 52846 -> 52849
      • 52848 -> 52845
      • 52848 -> 52850
      • 52849 -> 52851
      • 52850 -> 52849
      • 52851 -> 52847
      • 52852 -> 52853
      • 52852 -> 52854
      • 52854 -> 52853

      Control-flow Graph

      APIs
      Strings
      • runtime: failed to create new OS thread (%d), xrefs: 6CD15FF9
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 00000011.00000002.1417384075.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1417925160.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418086648.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418310727.000000006CD1D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418521727.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1419461352.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420340320.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420631386.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420752055.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1421347558.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: _errno$Sleep_beginthreadabortfprintf
      • String ID: runtime: failed to create new OS thread (%d)
      • API String ID: 1261927973-3231778263
      • Opcode ID: ab107c82566ee56ca4b63f3c72babdb45091643b0129ba936ecfc7ca6e6d6893
      • Instruction ID: 476a5dcf44ac306d04151f505536cea3ffff2821be5f5502668782f9e75f808b
      • Opcode Fuzzy Hash: ab107c82566ee56ca4b63f3c72babdb45091643b0129ba936ecfc7ca6e6d6893
      • Instruction Fuzzy Hash: 8A0128B5509314DFD700BF69E88851EBBB8EB8A224F06461DE68983E60D7309444DAA3

      Control-flow Graph

      Legend: Executed / Not Executed
      Control-flow graph blocks (block id: address range, API calls):
      • 8: 6ccecea0-6cceceb7
      • 9: 6ccecec8-6ccecee0 VirtualAlloc
      • 10: 6cceceb9-6ccecec6
      Control-flow graph edges:
      • 8 -> 9
      • 8 -> 10
      • 10 -> 9
      APIs
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 00000011.00000002.1417384075.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1417925160.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418086648.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418310727.000000006CD1D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418521727.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1419461352.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420340320.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420631386.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420752055.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1421347558.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
      • Instruction ID: 6083f5c3ca3784cb42446b3cadced54dcd62b1418f04aca6e529cd5a6b409ffd
      • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
      • Instruction Fuzzy Hash: 70E0C2715056408FCB15DF18C2C1706BBE1EB48A00F0485A8DE098BB4AE734ED10CA92
      APIs
      • SetUnhandledExceptionFilter.KERNEL32 ref: 6CD1634F
      • UnhandledExceptionFilter.KERNEL32 ref: 6CD1635F
      • GetCurrentProcess.KERNEL32 ref: 6CD16368
      • TerminateProcess.KERNEL32 ref: 6CD16379
      • abort.MSVCRT ref: 6CD16382
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 00000011.00000002.1417384075.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1417925160.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418086648.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418310727.000000006CD1D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418521727.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1419461352.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420340320.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420631386.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420752055.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1421347558.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
      • String ID:
      • API String ID: 520269711-0
      • Opcode ID: 4897821df74cf619dcdcd8a4e8def8aac86d21fe103cd9caf79b4fc11b8968f0
      • Instruction ID: 2bd5e396d90cb79062974bb68d5cbc735c06584d5fdb90771edd978c4d4c9906
      • Opcode Fuzzy Hash: 4897821df74cf619dcdcd8a4e8def8aac86d21fe103cd9caf79b4fc11b8968f0
      • Instruction Fuzzy Hash: BE11DAB5A04205DFEB40FF69D14565E7BF4FB49304F00851DEA4887760E7349944CF92
      APIs
      • SetUnhandledExceptionFilter.KERNEL32 ref: 6CD1634F
      • UnhandledExceptionFilter.KERNEL32 ref: 6CD1635F
      • GetCurrentProcess.KERNEL32 ref: 6CD16368
      • TerminateProcess.KERNEL32 ref: 6CD16379
      • abort.MSVCRT ref: 6CD16382
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 00000011.00000002.1417384075.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1417925160.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418086648.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418310727.000000006CD1D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418521727.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1419461352.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420340320.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420631386.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420752055.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1421347558.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
      • String ID:
      • API String ID: 520269711-0
      • Opcode ID: 5cd49edce9e96cbc1f9d2b3105011ba1996b88aed84558e24ae11e7b5575918b
      • Instruction ID: d98aff3ec21feafaf06448f1de9488d8b45c80b2bee6479728ba773286b38732
      • Opcode Fuzzy Hash: 5cd49edce9e96cbc1f9d2b3105011ba1996b88aed84558e24ae11e7b5575918b
      • Instruction Fuzzy Hash: 411105B5A04205DFEB40FF69D14961A7FF8FB4A304F00852CEA4887B60E734A904CF92

      Control-flow Graph

      APIs
      Strings
      • unexpected cgo_bindm on Windows, xrefs: 6CD15EA4
      • ;, xrefs: 6CD15F18
      • runtime: failed to signal runtime initialization complete., xrefs: 6CD15F2C
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeaveabortfwrite$Event
      • String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
      • API String ID: 3057923235-924395932
      • Opcode ID: 9533effaa59e57006318ff5399a8a90d63373dbd3f6e52a6d9a153c1f7258370
      • Instruction ID: 31597f175c9baea379297bad1e042387c40451e0c92cef4399aac0e7e1306502
      • Opcode Fuzzy Hash: 9533effaa59e57006318ff5399a8a90d63373dbd3f6e52a6d9a153c1f7258370
      • Instruction Fuzzy Hash: EC11D6B1908700DFEB40BF78D10A26EBFF4BB49304F42891CE98547A21D779A158CBA3
      APIs
      Strings
      • VirtualQuery failed for %d bytes at address %p, xrefs: 6CD165C7
      • @, xrefs: 6CD16578
      • VirtualProtect failed with code 0x%x, xrefs: 6CD1659A
      • Address %p has no image-section, xrefs: 6CD165DB
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: QueryVirtual
      • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
      • API String ID: 1804819252-1098444051
      • Opcode ID: cc15ac44ae187d1d00efef9e6036de95b6bb8357b1c63f980a7242aff15d8050
      • Instruction ID: 6df4061c7389f79164f5e34225133bb8263e4d80f356d838bd2e7b5f564057a4
      • Opcode Fuzzy Hash: cc15ac44ae187d1d00efef9e6036de95b6bb8357b1c63f980a7242aff15d8050
      • Instruction Fuzzy Hash: E6414FB2A093019BE700EF69E48464EFBF4FB89314F558669D958CBB24E730E445CB92
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: AddressProc$HandleLibraryLoadModule
      • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
      • API String ID: 384173800-1835852900
      • Opcode ID: 239c3896d8077e9649473e108e7355970673679694ba628e01db9901f69307be
      • Instruction ID: 514f3843fd0826da2078aebf4d0b67b18fd2adb2bef1e9d063ed10d524ba3f6b
      • Opcode Fuzzy Hash: 239c3896d8077e9649473e108e7355970673679694ba628e01db9901f69307be
      • Instruction Fuzzy Hash: 7C0152B290A3048FD700BFB9A90631F7FF8EB46255F01452DD99987F21E73094048B93
      APIs
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
      • String ID:
      • API String ID: 533997002-0
      • Opcode ID: 58314adb6ba89a2a19c1e0875c3b1f3481cfc73d89b39112f4239555d48545b7
      • Instruction ID: f3a1dc546c11dc665dd97cfeb399ffbc7d85b27ad273bd4b0bb61e495a680987
      • Opcode Fuzzy Hash: 58314adb6ba89a2a19c1e0875c3b1f3481cfc73d89b39112f4239555d48545b7
      • Instruction Fuzzy Hash: B951847660C3158FD700DF29E48025AB7E6FFC8308F15892AE998D7A20E775D5498B92
      APIs
      • malloc.MSVCRT ref: 6CD1606F
      • fwrite.MSVCRT ref: 6CD160BD
      • abort.MSVCRT ref: 6CD160C2
      • free.MSVCRT ref: 6CD160E5
        • Part of subcall function 6CD15FB0: _beginthread.MSVCRT ref: 6CD15FD6
        • Part of subcall function 6CD15FB0: _errno.MSVCRT ref: 6CD15FE1
        • Part of subcall function 6CD15FB0: _errno.MSVCRT ref: 6CD15FE8
        • Part of subcall function 6CD15FB0: fprintf.MSVCRT ref: 6CD16008
        • Part of subcall function 6CD15FB0: abort.MSVCRT ref: 6CD1600D
      Strings
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
      • String ID: +$runtime/cgo: out of memory in thread_start
      • API String ID: 2633710936-1802439445
      • Opcode ID: f37a4c5442dd97de9b53096f31db3f18507033124d61fcc48f3c0929fa80253c
      • Instruction ID: 9c3075354aca66b71cbaa924c603503198ebadb5d8e9d748667a60556914be89
      • Opcode Fuzzy Hash: f37a4c5442dd97de9b53096f31db3f18507033124d61fcc48f3c0929fa80253c
      • Instruction Fuzzy Hash: 4721F7B4608700DFD700EF28D58594ABBF4FF89314F45899DE9888BB36D3399845CBA2
      APIs
      • CreateEventA.KERNEL32 ref: 6CD15CD2
      • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CD15D89), ref: 6CD15CEB
      • fwrite.MSVCRT ref: 6CD15D20
      • abort.MSVCRT ref: 6CD15D25
      Strings
      • =, xrefs: 6CD15D05
      • runtime: failed to create runtime initialization wait event., xrefs: 6CD15D19
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: CreateCriticalEventInitializeSectionabortfwrite
      • String ID: =$runtime: failed to create runtime initialization wait event.
      • API String ID: 2455830200-3519180978
      • Opcode ID: 90ac8accdfa7d066e20527a33016efd00701548856f7d99f7cc4069472a83c64
      • Instruction ID: f6d107048129da67f809770c9480ef8193b2463c9c316f73a2fa75950733a1e2
      • Opcode Fuzzy Hash: 90ac8accdfa7d066e20527a33016efd00701548856f7d99f7cc4069472a83c64
      • Instruction Fuzzy Hash: 0DF0C9B15087019FE740BF68D50931ABFF4BB45308F81885DD99986A61E77980488B93
      APIs
      • Sleep.KERNEL32(?,?,?,6CC812E0,?,?,?,?,?,?,6CC813A3), ref: 6CC81057
      • _amsg_exit.MSVCRT ref: 6CC81085
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: Sleep_amsg_exit
      • String ID:
      • API String ID: 1015461914-0
      • Opcode ID: a603a9c7f71a0d8f5cd89ae877b4067d2306fdd2af221306abe9739182cbf44e
      • Instruction ID: 466e6c1f673685527e861e086d2455efd346ed05c3bd8afd96b564f4972844af
      • Opcode Fuzzy Hash: a603a9c7f71a0d8f5cd89ae877b4067d2306fdd2af221306abe9739182cbf44e
      • Instruction Fuzzy Hash: 5D41AE7170A2408BFB40BF2ED98075B7FF8FB86349F11452AD6648BB10E775C4818BA2
      APIs
      • VirtualQuery.KERNEL32 ref: 6CD1652D
      • VirtualProtect.KERNEL32 ref: 6CD16587
      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CDC53A8), ref: 6CD16594
        • Part of subcall function 6CD17220: fwrite.MSVCRT ref: 6CD1724F
        • Part of subcall function 6CD17220: vfprintf.MSVCRT ref: 6CD1726F
        • Part of subcall function 6CD17220: abort.MSVCRT ref: 6CD17274
      Strings
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
      • String ID: VirtualProtect failed with code 0x%x$@
      • API String ID: 1616349570-2953866262
      • Opcode ID: c121a77127881fd32d828396a4697ba48d9f95138848d9e75b9589b862a806ce
      • Instruction ID: 12294b0e55d4193b4fbb02b783b2af14aa402bf6a74cd37aec153239d69e0fb4
      • Opcode Fuzzy Hash: c121a77127881fd32d828396a4697ba48d9f95138848d9e75b9589b862a806ce
      • Instruction Fuzzy Hash: E62128B29083018FE740EF29D48464EBBF0FF88318F158A69E998C7A64E334D505CB92
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: ErrorFormatFreeLastLocalMessagefprintf
      • String ID: Erro: %s
      • API String ID: 659079672-2412703935
      • Opcode ID: 0e378154d61fc9f0462019f65e59462904739f39bf4bc8e4d6adce3b333bec2a
      • Instruction ID: 803fc079d481bda86e1bedd79c96ae51ee07059b406cb6ff939cb24fbd3a71c9
      • Opcode Fuzzy Hash: 0e378154d61fc9f0462019f65e59462904739f39bf4bc8e4d6adce3b333bec2a
      • Instruction Fuzzy Hash: A10192B05083019FE700AF68C58931BBBF4AB88349F01891DE99896A50D7798249CF93
      APIs
      • bsearch.MSVCRT ref: 6CD14D5F
      • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CD15BEF), ref: 6CD14D9A
      • malloc.MSVCRT ref: 6CD14DC8
      • qsort.MSVCRT ref: 6CD14E16
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: ErrorLastbsearchmallocqsort
      • String ID:
      • API String ID: 1451747280-0
      • Opcode ID: 7adf61f2eee38f5b0fbd853ff81d5cab1506bacd976ff157fb4511ceb890fdd0
      • Instruction ID: 2db907580f83b47a777f785fe44e4324b2b2bc6e9eb30f6cbb730e5fc0f8e77b
      • Opcode Fuzzy Hash: 7adf61f2eee38f5b0fbd853ff81d5cab1506bacd976ff157fb4511ceb890fdd0
      • Instruction Fuzzy Hash: C4413D75618301CFDB10DF29E48061AB7F5FF88318F15896DE88987B25D774E858CB92
      APIs
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: ErrorLast$LocaleThread
      • String ID:
      • API String ID: 2451566642-0
      • Opcode ID: b0171c12a0e51089d0c3009a26f98434c31eae9380e52efe3c5082ecb7c6f136
      • Instruction ID: d246b1e250f21f5f1a44679da8b3cd9f5e6286eb712ffb998e983b23513e4f09
      • Opcode Fuzzy Hash: b0171c12a0e51089d0c3009a26f98434c31eae9380e52efe3c5082ecb7c6f136
      • Instruction Fuzzy Hash: 7E21A770608204CBD700AF38D884657B7F5BF49318F158928E5A9CBBA0FB39E819CB52
      APIs
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: _lock_unlockcalloc
      • String ID:
      • API String ID: 3876498383-0
      • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
      • Instruction ID: 9830270284ee1804a30f689971db51f093a0229989cdc6615220afb2635c4468
      • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
      • Instruction Fuzzy Hash: E01172B0248200DFD7009F68E8807567BE0BF45364F16896AE498CBF75DB74D485CB61
      APIs
      • GetSystemTimeAsFileTime.KERNEL32 ref: 6CD16289
      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CC813B9), ref: 6CD1629A
      • GetCurrentThreadId.KERNEL32 ref: 6CD162A2
      • GetTickCount.KERNEL32 ref: 6CD162AA
      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CC813B9), ref: 6CD162B9
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
      • String ID:
      • API String ID: 1445889803-0
      • Opcode ID: b5066e610bef4e100ae3c5f3d11faaded1dc92d677935877df8cc330557c1462
      • Instruction ID: 9cc7f4bd4d159a062bae19d2deb889941cc1da39037140e20d13eac30c3f650c
      • Opcode Fuzzy Hash: b5066e610bef4e100ae3c5f3d11faaded1dc92d677935877df8cc330557c1462
      • Instruction Fuzzy Hash: 9C115EB56093018BEB00EF79E48964BBBF8FB89254F054D39E544C7E10EA35D449CBD2
      APIs
      • WaitForSingleObject.KERNEL32 ref: 6CD15E10
      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CD145D9), ref: 6CD15E1C
      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CD145D9), ref: 6CD15E2E
      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CD145D9), ref: 6CD15E3E
      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CD145D9), ref: 6CD15E50
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 00000011.00000002.1417384075.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1417925160.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418086648.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418310727.000000006CD1D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418521727.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1419461352.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420340320.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420631386.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420752055.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1421347558.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeave$ObjectSingleWait
      • String ID:
      • API String ID: 1755037574-0
      • Opcode ID: 6f2c487af5706a9201dc20e77dcf752647e70662a62dec9e4b37721e4c038b16
      • Instruction ID: 99ff6a816da0ec97ae03e02feacd327810f74bb5a06ccfc073ad5b8ebb45499e
      • Opcode Fuzzy Hash: 6f2c487af5706a9201dc20e77dcf752647e70662a62dec9e4b37721e4c038b16
      • Instruction Fuzzy Hash: 960112B1A08705CFEB00BF79A58551ABFB8BF8A214F510529D99447B60D731A468CBA3
      APIs
      Strings
      • Mingw-w64 runtime failure:, xrefs: 6CD17248
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 00000011.00000002.1417384075.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1417925160.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418086648.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418310727.000000006CD1D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418521727.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1419461352.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420340320.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420631386.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420752055.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1421347558.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: abortfwritevfprintf
      • String ID: Mingw-w64 runtime failure:
      • API String ID: 3176311984-2889761391
      • Opcode ID: 84de4c8f40c43bc6f4bc84b304afda66f6e76f8510e6d6c16138c3f02d5c6efd
      • Instruction ID: f21929fc8345664d8c03e9bbb1bacabb93dd9b31f67abe0dc75f8e813d5b6b46
      • Opcode Fuzzy Hash: 84de4c8f40c43bc6f4bc84b304afda66f6e76f8510e6d6c16138c3f02d5c6efd
      • Instruction Fuzzy Hash: DBE0C2B000D304AED300AFA9D0853AFBAF4BF84348F02891CE0C847B71D77884898B63
      APIs
      • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CC812A5), ref: 6CD16709
      Strings
      • Unknown pseudo relocation protocol version %d., xrefs: 6CD16864
      • Unknown pseudo relocation bit size %d., xrefs: 6CD16799
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 00000011.00000002.1417384075.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1417925160.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418086648.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418310727.000000006CD1D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418521727.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1419461352.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420340320.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420631386.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420752055.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1421347558.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: ProtectVirtual
      • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
      • API String ID: 544645111-395989641
      • Opcode ID: 60132a35128272504bdf88cc6d0cff58efcecdbdd2170863b99786195ed562f3
      • Instruction ID: a9b17eabcde7d1f043c86cfa6843007e67019e29d4070befe1284c5d476fe12e
      • Opcode Fuzzy Hash: 60132a35128272504bdf88cc6d0cff58efcecdbdd2170863b99786195ed562f3
      • Instruction Fuzzy Hash: D5618071B092058BCB00EFA9E4C064DBBB9FB85318F648669D954DBF60D3719847CB91
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 00000011.00000002.1417384075.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1417925160.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418086648.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418310727.000000006CD1D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418521727.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1419461352.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420340320.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420631386.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420752055.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1421347558.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: bsearchfprintffwrite
      • String ID: $
      • API String ID: 1110293247-3993045852
      • Opcode ID: f93a90aa829beb83a12c489f21e7002fe61b5eb3ee68f2468318dfbe156cf63f
      • Instruction ID: e83bd7c0c0d46580a0c589ec4c9eadd6842c6b624de0d9975ef7a210fe85c2df
      • Opcode Fuzzy Hash: f93a90aa829beb83a12c489f21e7002fe61b5eb3ee68f2468318dfbe156cf63f
      • Instruction Fuzzy Hash: 40011BB550D300DFD700AF68E54929AFBE4AF48318F41891EE8C897B61E378C444CB63
      APIs
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 00000011.00000002.1417384075.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1417925160.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418086648.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418310727.000000006CD1D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418521727.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1419461352.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420340320.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420631386.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420752055.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1421347558.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: Heapfree$FreeProcess
      • String ID:
      • API String ID: 3425746932-0
      • Opcode ID: 7fb37a1526a8f0b741e9c3a441f7216339ac894847945d83f100e0118fa327b9
      • Instruction ID: bc3db961a0be798d8dc8854d02d654f786fb3e485f3896b2163d93a1fcd1d1b3
      • Opcode Fuzzy Hash: 7fb37a1526a8f0b741e9c3a441f7216339ac894847945d83f100e0118fa327b9
      • Instruction Fuzzy Hash: 6C21E5B5A09300CBDB00DF25E1C471ABBF5BF88208F15C96CE8898BB19D734D844CB92
      APIs
      Memory Dump Source
      • Source File: 00000011.00000002.1417494003.000000006CC81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CC80000, based on PE: true
      • Associated: 00000011.00000002.1417384075.000000006CC80000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1417925160.000000006CD18000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418086648.000000006CD19000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418310727.000000006CD1D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1418521727.000000006CD1F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1419461352.000000006CDC8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDCE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420034938.000000006CDD3000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420340320.000000006CDE6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420631386.000000006CDED000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1420752055.000000006CDEE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1421347558.000000006CDF1000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cc80000_rundll32.jbxd
      Similarity
      • API ID: CriticalSection$EnterErrorLastLeaveValue
      • String ID:
      • API String ID: 682475483-0
      • Opcode ID: c3639df2d304d4506b730857d2a7585453b083e7cf9745a6d93082c7bfbf8f1a
      • Instruction ID: 294c2fed305e994866f60614181825bfa8b2a4ca6dba850e7c45d21a061457c1
      • Opcode Fuzzy Hash: c3639df2d304d4506b730857d2a7585453b083e7cf9745a6d93082c7bfbf8f1a
      • Instruction Fuzzy Hash: 05F0A472A08304CFEB007F6DD48991FBBB8FA89254B050528DE4487B64E730A859CBE3