
Windows Analysis Report
ndVERlNRYc.dll

Overview

General Information

Sample name: ndVERlNRYc.dll (renamed because the original name is a hash value)
Original sample name: 59d90ac1f1a6d0d0de4eb9e7624f72be537be300e5e2646cd3c6cb726368191a.dll
Analysis ID: 1544811
MD5: 035e7197381e431607e7018b272e4c6a
SHA1: 6a67771fdb0f51b0e1a5f90a1d2fe1e2aacbe228
SHA256: 59d90ac1f1a6d0d0de4eb9e7624f72be537be300e5e2646cd3c6cb726368191a
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
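Several of the signatures above are pure static properties of the file: "PE file contains an invalid checksum", "PE file contains sections with non-standard names", "Uses 32bit PE files", and the DEBUG_STRIPPED flag in the PE characteristics listed in the evidence further down. The Go runtime strings recovered from rundll32.exe memory (also below) and the `_cgo_dummy_export` export in the process tree identify the DLL as a Go/cgo build. The script that follows is an added example and is not part of the Joe Sandbox report or of the sample: it parses a PE32 image with the standard library only, recomputes the image checksum, and reports the same properties. The DLL it triages is constructed in code; the section name `.symtab` and the payload strings are assumptions standing in for the sample, whose section names the report does not list, and `Go build ID:` is a general Go marker that the report itself does not show.

```python
"""Static triage of a PE32 DLL with the standard library only. Added example, not
part of the Joe Sandbox report; the PE bytes in demo() are constructed here and
are NOT the analysed sample."""
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DEBUG_STRIPPED = 0x0200
IMAGE_FILE_DLL = 0x2000
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".reloc",
                     ".rsrc", ".tls", ".pdata", ".xdata", ".debug", ".CRT"}
# Go runtime panic strings (first two appear verbatim in the report) and the cgo export.
GO_MARKERS = (b"runtime: marked free object in span", b"uncaching span but s.allocCount == 0",
              b"_cgo_dummy_export", b"Go build ID:")


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE image checksum: 16-bit words summed with end-around carry, the CheckSum
    dword itself skipped, then the file length added (what imagehlp computes)."""
    padded = data + b"\0" * (len(data) % 2)
    total = 0
    for off in range(0, len(padded), 2):
        if checksum_offset <= off < checksum_offset + 4:
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total >> 16) + (total & 0xFFFF)
    return (((total >> 16) + total) & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, optional-header magic, CheckSum field and section names."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    checksum_offset = opt + 64                       # same offset for PE32 and PE32+
    sect = opt + opt_size
    names = [data[sect + 40 * i:sect + 40 * i + 8].rstrip(b"\0").decode("latin-1")
             for i in range(nsect)]
    return {"magic": struct.unpack_from("<H", data, opt)[0],   # 0x10B PE32, 0x20B PE32+
            "characteristics": chars, "checksum_offset": checksum_offset,
            "stored_checksum": struct.unpack_from("<I", data, checksum_offset)[0],
            "sections": names}


def triage(data: bytes) -> list:
    """Static findings for one image, in a fixed order so callers can compare them."""
    info = parse_pe(data)
    findings = []
    stored = info["stored_checksum"]
    if stored == 0:
        findings.append("checksum not set")      # weak signal: many linkers leave it zero
    elif stored != pe_checksum(data, info["checksum_offset"]):
        findings.append("invalid checksum")      # bytes changed after the header was written
    odd = sorted(set(info["sections"]) - STANDARD_SECTIONS)
    if odd:
        findings.append("non-standard section names: " + ", ".join(odd))
    if info["characteristics"] & IMAGE_FILE_DLL and info["magic"] == 0x10B:
        findings.append("32-bit DLL")
    if info["characteristics"] & IMAGE_FILE_DEBUG_STRIPPED:
        findings.append("DEBUG_STRIPPED")
    hits = [m.decode() for m in GO_MARKERS if m in data]
    if hits:
        findings.append("Go/cgo markers: " + ", ".join(hits))
    return findings


def build_sample_dll(section_names, payload=b"", corrupt_checksum=False) -> bytes:
    """Constructed minimal PE32 DLL for the demo: one 0x200-byte raw block per
    section, payload in the first. corrupt_checksum stores correct+1, a sure mismatch."""
    nsect, e_lfanew, align = len(section_names), 0x40, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, 224, IMAGE_FILE_EXECUTABLE_IMAGE
                       | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DEBUG_STRIPPED | IMAGE_FILE_DLL)
    size_of_headers = -(-(e_lfanew + 24 + 224 + 40 * nsect) // align) * align
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 14, 0, align, align * nsect, 0,
                      0x1000, 0x1000, 0x2000, 0x10000000, 0x1000, align, 6, 0, 0, 0, 6, 0, 0,
                      0x1000 * (nsect + 1), size_of_headers, 0,    # CheckSum patched below
                      2, 0x0140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    sections, raw = b"", b""
    for i, name in enumerate(section_names):
        sections += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), align,
                                0x1000 * (i + 1), align, size_of_headers + align * i,
                                0, 0, 0, 0, 0x60000020)     # CODE | EXECUTE | READ
        raw += (payload if i == 0 else b"").ljust(align, b"\0")[:align]
    image = bytearray((dos + b"PE\0\0" + coff + opt + sections).ljust(size_of_headers, b"\0") + raw)
    good = pe_checksum(bytes(image), e_lfanew + 24 + 64)
    struct.pack_into("<I", image, e_lfanew + 24 + 64, good + 1 if corrupt_checksum else good)
    return bytes(image)


def demo() -> dict:
    """Triage a clean-looking constructed DLL and one shaped like the report's findings."""
    clean = build_sample_dll([".text", ".rdata", ".data"], b"nothing to see here")
    shaped = build_sample_dll([".text", ".rdata", ".symtab"],      # .symtab: Go linker name
                              b"_cgo_dummy_export\0runtime: marked free object in span\0",
                              corrupt_checksum=True)
    return {"clean": triage(clean), "shaped_like_report": triage(shaped)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {findings}")
```

Run it on a real file by reading the bytes and passing them to `triage()`. A zero checksum is not evidence on its own: Windows only verifies the field for drivers and certain boot-critical system DLLs, and non-MSVC toolchains routinely leave it zero, so the script reports that case separately. A mismatch on a file that does carry a value is the stronger signal, because the bytes changed after the linker wrote the header. The marker scan is a plain substring search, so it also fires on a legitimate Go DLL; it tells you which toolchain to expect in the disassembler, not whether the file is malicious.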

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5832 cmdline: loaddll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 4088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5012 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 5480 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 4016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 836 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 4196 cmdline: rundll32.exe C:\Users\user\Desktop\ndVERlNRYc.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 1832 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 832 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 2680 cmdline: rundll32.exe C:\Users\user\Desktop\ndVERlNRYc.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6496 cmdline: rundll32.exe C:\Users\user\Desktop\ndVERlNRYc.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5076 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 2992 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 856 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 4836 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3748 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6072 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2976 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SpellSpell MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4180 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SpellInit MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2720 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SpellFree MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6036 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4900 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3040 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
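The tree above shows how the sandbox exercises the DLL: loaddll32.exe calls the ordinal #1 entry through cmd.exe, then starts one rundll32.exe per named export. Working out which invocations spawned a WerFault.exe child (the crashes behind "One or more processes crash") and which exports ran quietly is easier with a small parser. The script below is an added example, not Joe Sandbox tooling: it parses the tree text copied from this report and correlates each rundll32.exe invocation with its export, with any crash reporter child, and with whether the DLL was loaded from a user-writable path. The 2-space indentation, the regular expressions and the list of user-writable prefixes are this example's own assumptions about the layout.

```python
"""Correlate the rundll32.exe invocations in a sandbox process tree with the DLL
export each one called and with any WerFault.exe crash reporter it spawned.
Added example, not Joe Sandbox tooling; PROCESS_TREE is copied from this report,
the 2-space indentation and the regular expressions are this example's assumptions."""
import re

PROCESS_TREE = r"""
loaddll32.exe (PID: 5832 cmdline: loaddll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
  conhost.exe (PID: 4088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  cmd.exe (PID: 5012 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    rundll32.exe (PID: 5480 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
      WerFault.exe (PID: 4016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 836 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  rundll32.exe (PID: 4196 cmdline: rundll32.exe C:\Users\user\Desktop\ndVERlNRYc.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
    WerFault.exe (PID: 1832 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 832 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  rundll32.exe (PID: 2680 cmdline: rundll32.exe C:\Users\user\Desktop\ndVERlNRYc.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
  rundll32.exe (PID: 6496 cmdline: rundll32.exe C:\Users\user\Desktop\ndVERlNRYc.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
  rundll32.exe (PID: 5076 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
    WerFault.exe (PID: 2992 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 856 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  rundll32.exe (PID: 4836 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
  rundll32.exe (PID: 3748 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
  rundll32.exe (PID: 6072 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)
  rundll32.exe (PID: 2976 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SpellSpell MD5: 889B99C52A60DD49227C5E485A016679)
  rundll32.exe (PID: 4180 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SpellInit MD5: 889B99C52A60DD49227C5E485A016679)
  rundll32.exe (PID: 2720 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SpellFree MD5: 889B99C52A60DD49227C5E485A016679)
  rundll32.exe (PID: 6036 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)
  rundll32.exe (PID: 4900 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)
  rundll32.exe (PID: 3040 cmdline: rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)
"""

LINE_RE = re.compile(r'^( *)(\S+) \(PID: (\d+) cmdline: (.*) MD5: ([0-9A-Fa-f]{32})\)$')
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+?)"?,(\S+)')     # path, export (or #ordinal)
WERFAULT_RE = re.compile(r'WerFault\.exe\b.*\s-p\s+(\d+)')          # -p <pid of crashed process>
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")   # assumed list


def parse_tree(text: str) -> list:
    """Turn the indented tree into nodes linked parent/child by indentation depth."""
    nodes, stack = [], []                      # stack holds (depth, node) of open ancestors
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indent, image, pid, cmdline, md5 = m.groups()
        node = {"image": image, "pid": int(pid), "cmdline": cmdline, "md5": md5,
                "parent": None, "children": []}
        depth = len(indent) // 2
        while stack and stack[-1][0] >= depth:
            stack.pop()
        if stack:
            node["parent"] = stack[-1][1]
            stack[-1][1]["children"].append(node)
        stack.append((depth, node))
        nodes.append(node)
    return nodes


def analyze(text: str) -> dict:
    """Map each export to the rundll32 PIDs that called it, note which of those
    crashed (a WerFault.exe child reporting that PID) and which loaded the DLL
    from a user-writable directory."""
    exports, crashed, user_path = {}, {}, []
    for n in parse_tree(text):
        if n["image"].lower() != "rundll32.exe":
            continue
        m = RUNDLL_RE.search(n["cmdline"])
        if not m:
            continue
        dll_path, export = m.groups()
        exports.setdefault(export, []).append(n["pid"])
        if dll_path.lower().startswith(USER_WRITABLE):
            user_path.append(n["pid"])
        for child in n["children"]:
            w = WERFAULT_RE.search(child["cmdline"])
            if w and int(w.group(1)) == n["pid"]:
                crashed.setdefault(export, []).append(n["pid"])
    return {"exports": exports, "crashed": crashed, "loaded_from_user_path": user_path,
            "cgo_build": "_cgo_dummy_export" in exports}


if __name__ == "__main__":
    result = analyze(PROCESS_TREE)
    for export, pids in result["exports"].items():
        status = "CRASHED" if export in result["crashed"] else "ran"
        print(f"{export:32} {status:8} PIDs {pids}")
    print("built with cgo:", result["cgo_build"])
```

On this tree the crashing invocations are the ordinal #1 entry (PID 5480) and both BarCreate runs (PIDs 4196 and 5076); the remaining exports returned without a crash, which is consistent with the "Program does not show much activity (idle)" signature. Whether a crash is a missing argument or a failed environment check is not something the tree can tell you; it only tells you which export to look at first. The `_cgo_dummy_export` entry does tell you the DLL was built with Go's cgo, which is why Go runtime strings turn up in the memory dump of rundll32.exe.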
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D121830
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCF1830
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCF1830
Source: ndVERlNRYc.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: ndVERlNRYc.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D0F2CA6 4x nop then mov dword ptr [esp+0Ch], eax
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D0F2CA0 4x nop then mov dword ptr [esp+0Ch], eax
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D10CEC0 4x nop then mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D119030 4x nop then shr ebp, 0Dh
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D11A360 4x nop then shr ecx, 0Dh
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCC2CA6 4x nop then mov dword ptr [esp+0Ch], eax
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCC2CA0 4x nop then mov dword ptr [esp+0Ch], eax
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCDCEC0 4x nop then mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCE9030 4x nop then shr ebp, 0Dh
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCEA360 4x nop then shr ecx, 0Dh
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCC2CA6 4x nop then mov dword ptr [esp+0Ch], eax
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCC2CA0 4x nop then mov dword ptr [esp+0Ch], eax
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCDCEC0 4x nop then mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCE9030 4x nop then shr ebp, 0Dh
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCEA360 4x nop then shr ecx, 0Dh
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D121A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D122A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D121570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D1211F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCF2A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCF1A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCF1570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCF11F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCF2A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCF1A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCF1570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCF11F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D174D20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D11AD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D14BC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D176C20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D0F2CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D0F2CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D184F30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D12CF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D182E70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D0FBE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D145ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D16CEF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D1759D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D11D9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D1059F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D15A872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D11BB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D0FFBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D11CA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D100AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D148570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D172560
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D1795A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D113400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D111440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D136470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D16E740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D176740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D116630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D11C6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D14D6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D126010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D11D040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D11C080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D1080A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D0F90F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D12A320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D15332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D1193F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D183230
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D12E240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D157280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D0F32A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D11B2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCC2CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCC2CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD1BC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCEAD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD15ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCCBE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCFCF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD2A872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCED9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCD59F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCD0AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCECA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCCFBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCEBB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCE1440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD06470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCE3400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD18570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCEC6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD1D6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCE6630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCC90F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCEC080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCD80A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCED040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCF6010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCEB2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD27280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCC32A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCFE240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCE93F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CCFA320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CD2332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCC2CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCC2CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD1BC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCEAD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD15ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCCBE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCFCF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD2A872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCED9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCD59F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCD0AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCECA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCCFBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCEBB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCE1440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD06470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCE3400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD18570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCEC6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD1D6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCE6630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCC90F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCEC080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCD80A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCED040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCF6010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCEB2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD27280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCC32A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCFE240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCE93F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CCFA320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CD2332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CD26A90 appears 962 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CCF7410 appears 1382 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D127410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CCF5080 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D156A90 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CCF3B30 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 832
Source: ndVERlNRYc.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine | Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D185B30 GetLastError, FormatMessageA, fprintf, LocalFree
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7d6cc847-7479-4e1b-a04f-03e8da9f2e05
Source: ndVERlNRYc.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",#1
Source: rundll32.exe | String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe | String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe | String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe | String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe | String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe | String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe | String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe | String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe | String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe | String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe | String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe | String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe | String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe | String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe | String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe | String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ndVERlNRYc.dll,BarCreate
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 832
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 836
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ndVERlNRYc.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ndVERlNRYc.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SpellSpell
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 856
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ndVERlNRYc.dll,BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ndVERlNRYc.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ndVERlNRYc.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarRecognize
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",#1
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: ndVERlNRYc.dll Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: ndVERlNRYc.dll Static file information: File size 1368576 > 1048576
Source: ndVERlNRYc.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D0F13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,4_2_6D0F13E0
Source: ndVERlNRYc.dll Static PE information: real checksum: 0x15a82d should be: 0x159f84
Source: ndVERlNRYc.dll Static PE information: section name: .eh_fram
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0143AF34 push eax; retf 0_2_0143AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D165094 pushad ; ret 4_2_6D165095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D16509D pushad ; ret 4_2_6D16509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0483D297 push es; retf 11_2_0483D29A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0483AF38 push eax; retf 11_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0488041E pushfd ; ret 11_2_0488041F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD35094 pushad ; ret 13_2_6CD35095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CD3509D pushad ; ret 13_2_6CD3509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0503C3A4 push edi; iretd 14_2_0503C3A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0503C39C push ds; retf 14_2_0503C3A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0543AF62 push eax; retf 15_2_0543AF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0543AF34 push eax; retf 15_2_0543AF61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD35094 pushad ; ret 17_2_6CD35095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_6CD3509D pushad ; ret 17_2_6CD3509E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_04C3AF34 push eax; retf 20_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04C3C31D push edx; ret 21_2_04C3C32B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04C3AF34 push eax; retf 21_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04C80928 push 00000063h; retf 21_2_04C80935
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_0483AF34 push eax; retf 22_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0543AF34 push eax; retf 23_2_0543AF39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_05480D27 pushfd ; retf 23_2_05480D29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0548043A push ecx; retf 23_2_0548043D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0543CDD9 push B275ACE3h; retf 24_2_0543CDDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_0543AF34 push eax; retf 24_2_0543AF39
Source: C:\Windows\System32\loaddll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6D15C0C0 rdtscp 4_2_6D15C0C0
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 1.4 %
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 1.4 %
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\WerFault.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\WerFault.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6D15C0C0 rdtscp 4_2_6D15C0C0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6D0F13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,4_2_6D0F13E0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6D184F30 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,memset,IsBadReadPtr,realloc,SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,memcpy,SetLastError,SetLastError,SetLastError,SetLastError,4_2_6D184F30
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_6D186300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 4_2_6D186300
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_6D1862FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 4_2_6D1862FC
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 13_2_6CD56300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 13_2_6CD56300
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 17_2_6CD56300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 17_2_6CD56300
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_6D186250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 4_2_6D186250
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_6D121C90 RtlGetVersion,RtlGetCurrentPeb, 4_2_6D121C90
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 11 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 3 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 13 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Rundll32 | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Behavior Graph (ID: 1544811, Sample: ndVERlNRYc.dll, Startdate: 29/10/2024, Architecture: WINDOWS, Score: 48)

  • Start: AI detected suspicious sample
  • loaddll32.exe started
    • cmd.exe started
      • rundll32.exe started (signature: Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners))
        • WerFault.exe started
    • rundll32.exe started
      • WerFault.exe started
    • rundll32.exe started
      • WerFault.exe started
    • 12 other processes started

Source | Detection | Scanner | Label | Link
ndVERlNRYc.dll | 5% | ReversingLabs | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1544811
Start date and time:2024-10-29 19:24:35 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 6m 32s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:27
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:ndVERlNRYc.dll
renamed because original name is a hash value
Original Sample Name:59d90ac1f1a6d0d0de4eb9e7624f72be537be300e5e2646cd3c6cb726368191a.dll
Detection:MAL
Classification:mal48.mine.winDLL@35/0@0/0
EGA Information:
  • Successful, ratio: 20%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.109.210.53, 52.165.164.15, 13.95.31.18
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target loaddll32.exe, PID 5832 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 2680 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 2720 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 2976 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 3040 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 3748 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 4180 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 4196 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 4836 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 4900 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 6036 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 6496 because there are no executed functions
  • Not all processes were analyzed; the report is missing behavior information
  • VT rate limit hit for: ndVERlNRYc.dll
Time | Type | Description
14:25:37 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
No context
No created / dropped files found
File type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):6.2703192285140394
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:ndVERlNRYc.dll
File size:1'368'576 bytes
MD5:035e7197381e431607e7018b272e4c6a
SHA1:6a67771fdb0f51b0e1a5f90a1d2fe1e2aacbe228
SHA256:59d90ac1f1a6d0d0de4eb9e7624f72be537be300e5e2646cd3c6cb726368191a
SHA512:9063052d384e107ae459e2cb9139c859b8ae87721fbb41b5bc15920798598a6575cd89b4598125968d4d58cab15df2400550b097306d8c7c2f4af2b174044d9e
SSDEEP:24576:jmU8STLu8nfLfsBPfXkEpiT8GD6DX982ICD3YFxOk02nMYm:jvQ50Yko6x1L
TLSH:59550800FD8784F1E403263285ABA2AF6325AD195F31CBC7FB44B779F9776954832286
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....d.......H.................m................................-.....@... .........................-..
Icon Hash:7ae282899bbab082
Entrypoint:0x6d8c1380
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x6d8c0000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:0x6d9563e0, 0x6d956390
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:47d9e8363ec498a9360ee0a7da269805
Instruction
sub esp, 1Ch
mov dword ptr [6DA2C730h], 00000000h
mov edx, dword ptr [esp+24h]
cmp edx, 01h
je 00007FF9F4C4F3CCh
mov ecx, dword ptr [esp+28h]
mov eax, dword ptr [esp+20h]
call 00007FF9F4C4F232h
add esp, 1Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
mov dword ptr [esp+0Ch], edx
call 00007FF9F4CE424Ch
mov edx, dword ptr [esp+0Ch]
jmp 00007FF9F4C4F389h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 6DA08000h
mov dword ptr [esp+04h], eax
call 00007FF9F4CE509Eh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 6D95F000h
call dword ptr [6DA2E21Ch]
sub esp, 04h
test eax, eax
je 00007FF9F4C4F425h
mov ebx, eax
mov dword ptr [esp], 6D95F000h
call dword ptr [6DA2E264h]
mov edi, dword ptr [6DA2E224h]
sub esp, 04h
mov dword ptr [6DA2C764h], eax
mov dword ptr [esp+04h], 6D95F013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 6D95F029h
mov dword ptr [esp], ebx
call edi
mov dword ptr [6D958000h], eax
sub esp, 08h
test esi, esi
je 00007FF9F4C4F3C3h
mov dword ptr [esp+00h], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x16d000 | 0x12d | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16e000 | 0xb78 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x171000 | 0x868c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x144fb0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x16e1cc | 0x190 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x962a8 | 0x96400 | 0d1e44ae0f87358ac572f225fdc10827 | False | 0.4698094321963394 | data | 6.282100588466756 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x98000 | 0x67c8 | 0x6800 | 28e3d72e94c0b70a154abc66d7169e11 | False | 0.42007211538461536 | data | 4.441757650678606 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x9f000 | 0xa6380 | 0xa6400 | 23f0c1bc906a2b0867fcd1946b26f417 | False | 0.431796287593985 | data | 5.590845133158305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram | 0x146000 | 0x1274 | 0x1400 | 85e22b3e84813337ea1a67b904c6bbcd | False | 0.3369140625 | data | 4.565839626312234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x148000 | 0x2477c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x16d000 | 0x12d | 0x200 | 67859e1c9d81f1d2bdf6b531a2016f52 | False | 0.44921875 | data | 3.400613123216997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata | 0x16e000 | 0xb78 | 0xc00 | cb8eb4a241279d6fed66c3ea8ecac795 | False | 0.3961588541666667 | data | 5.12056831676781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x16f000 | 0x2c | 0x200 | db151290603a2662b590a75b7e0b0988 | False | 0.0546875 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x170000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x171000 | 0x868c | 0x8800 | 080e7c6a736ad990f4b0b87da171f60d | False | 0.6670209099264706 | data | 6.630610538731408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetModuleHandleA, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadLocale, GetTickCount, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, PostQueuedCompletionStatus, QueryPerformanceCounter, RaiseFailFastException, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TerminateProcess, TlsAlloc, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WriteConsoleW, WriteFile, lstrlenA
msvcrt.dll | _amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, _wcsnicmp, abort, bsearch, calloc, fprintf, free, fwrite, malloc, mbstowcs, memcpy, memset, qsort, realloc, strcmp, strlen, strncmp, strtol, vfprintf, wcstombs
Name | Ordinal | Address
BarCreate | 1 | 0x6d9545d0
BarDestroy | 2 | 0x6d954850
BarFreeRec | 3 | 0x6d954800
BarRecognize | 4 | 0x6d9547b0
GetInstallDetailsPayload | 5 | 0x6d954710
SignalInitializeCrashReporting | 6 | 0x6d954760
SpellFree | 7 | 0x6d954620
SpellInit | 8 | 0x6d954670
SpellSpell | 9 | 0x6d9546c0
_cgo_dummy_export | 10 | 0x6da2c768
No network behavior found

Target ID:0
Start time:14:25:27
Start date:29/10/2024
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll"
Imagebase:0x9f0000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:14:25:27
Start date:29/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:14:25:27
Start date:29/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",#1
Imagebase:0x1c0000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:14:25:27
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",#1
Imagebase:0xec0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:14:25:27
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\ndVERlNRYc.dll,BarCreate
Imagebase:0xec0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:14:25:29
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 832
Imagebase:0xbe0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:14:25:29
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 836
Imagebase:0xbe0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:14:25:30
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\ndVERlNRYc.dll,BarDestroy
Imagebase:0xec0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:14:25:33
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\ndVERlNRYc.dll,BarFreeRec
Imagebase:0xec0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:14:25:36
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarCreate
Imagebase:0xec0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:14:25:36
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarDestroy
Imagebase:0xec0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:14:25:37
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarFreeRec
Imagebase:0xec0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:14:25:37
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",_cgo_dummy_export
Imagebase:0xec0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:14:25:37
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SpellSpell
Imagebase:0xec0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:14:25:37
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 856
Imagebase:0xbe0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:14:25:37
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SpellInit
Imagebase:0xec0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:14:25:37
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SpellFree
Imagebase:0xec0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:14:25:37
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",SignalInitializeCrashReporting
Imagebase:0xec0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:14:25:37
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",GetInstallDetailsPayload
Imagebase:0xec0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:14:25:37
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\ndVERlNRYc.dll",BarRecognize
Imagebase:0xec0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true


    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:11
    Total number of Limit Nodes:1
    execution_graph (graph rendering; recoverable node chains): 6d15cea0 branches to 6d15ceb9 and to 6d15cec8 ResumeThread, with 6d15ceb9 falling through to 6d15cec8 ResumeThread; 6d185fb0 leads to 6d185fc7 _beginthread, which either exits via 6d186012 or continues to 6d185fe1 _errno; from there either 6d185fe8 _errno leads to 6d185ff9 fprintf abort (then 6d186012), or 6d186020 Sleep loops back to 6d185fc7 _beginthread or goes on to 6d186034 and then 6d185fe8 _errno

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6D185FF9
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 1261927973-3231778263
    • Opcode ID: 376d4a1e6354e53c144159bedd956167451a923207b6336fc40f9d192761839a
    • Instruction ID: 259e4d4d2c043868fc5272a4ff7338f0492f69d6ac99ac6e99c05eca0127ff3a
    • Opcode Fuzzy Hash: 376d4a1e6354e53c144159bedd956167451a923207b6336fc40f9d192761839a
    • Instruction Fuzzy Hash: 64016D749083159FD700BFA8D88862EBBB4FF86324F42495DE58587356D7B19480DEA3

    Control-flow Graph

    control_flow_graph for 6d15cea0 (graph rendering; recoverable content): block 6d15cea0-6d15ceb7 branches to 6d15ceb9-6d15cec6 and to 6d15cec8-6d15cee0 (ResumeThread); 6d15ceb9-6d15cec6 falls through to 6d15cec8-6d15cee0
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID: ResumeThread
    • String ID:
    • API String ID: 947044025-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: 2403ec98af0b12695425140865b7d9ae21077d20bc3e2c3dc6a11ace9ea9de0e
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 02E0E571505600CFCB15DF18C2C1316BBE1EB48A00F0485A8DE098F74AD778ED20CB92

    Control-flow Graph
    • Graph image not included in this export; basic blocks 6d184f30-6d1857c3, calls SetLastError, GetNativeSystemInfo, GetProcessHeap, HeapAlloc, memcpy, IsBadReadPtr, memset, realloc.
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID: ErrorHeapLast$AllocInfoNativeProcessReadSystemmemcpymemsetrealloc
    • String ID: ?$@
    • API String ID: 2257136212-1463999369
    • Opcode ID: 3bf71dbd37942c7ce931efea6a3b518fd449339a65277ef741134d64f549b8cc
    • Instruction ID: b19928a561755af24714c8001f0f7da298171d8b41efa24cc3687bafb0cab7e5
    • Opcode Fuzzy Hash: 3bf71dbd37942c7ce931efea6a3b518fd449339a65277ef741134d64f549b8cc
    • Instruction Fuzzy Hash: 124206B46087068FE710DF29C58462ABBF1FF88354F55892DE89A87305E7B4E844CF82

    Control-flow Graph
    • Graph image not included in this export; basic blocks 6d1059f0-6d106c66, internal calls only (no imported APIs).
    Strings
    • +:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnrimfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09, xrefs: 6D1064A4, 6D10678B
    • gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= , xrefs: 6D105ABA
    • @s -> Pn=][}]i)> +"osLlLtLuMnrimfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11, xrefs: 6D1062C7
    • ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid, xrefs: 6D1068DC
    • gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6D106C4A
    • MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 6D106A06
    • ., xrefs: 6D1061FE
    • 5, xrefs: 6D106C27
    • gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma, xrefs: 6D10629A
    • failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 6D106C34
    • MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=, xrefs: 6D10699C
    • ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE, xrefs: 6D1064EC
    • , xrefs: 6D10606A
    • non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo, xrefs: 6D106C1E
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ @s -> Pn=][}]i)> +"osLlLtLuMnrimfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11$ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=$ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid$+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnrimfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09$.$5$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= $non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo
    • API String ID: 0-2203935295
    • Opcode ID: eecb15b542bbceb630874e07e547eacfd3bbdb748aea65b16001bc7ff8ee711e
    • Instruction ID: 2b4fc686adef0796940530905d9fa14c7990bdc27d330c936b874363d18322f0
    • Opcode Fuzzy Hash: eecb15b542bbceb630874e07e547eacfd3bbdb748aea65b16001bc7ff8ee711e
    • Instruction Fuzzy Hash: 86B2F97460D345CFC764EF28C194B9ABBF1FB89308F02892ED98987355DB74A944CB92

    Control-flow Graph
    • Graph image not included in this export; basic blocks 6d1193f0-6d119f99, internal calls only (no imported APIs).
    Strings
    • runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D11967A, 6D119AB3
    • , j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu, xrefs: 6D119C04
    • runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6D119CE8
    • ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc, xrefs: 6D1196CD
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D1197A2, 6D119F68
    • ][}]i)> +"osLlLtLuMnrimfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+, xrefs: 6D1196A4, 6D119AED
    • , npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar, xrefs: 6D119BD7
    • runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard , xrefs: 6D119C5B
    • runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer, xrefs: 6D11976B
    • , i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc, xrefs: 6D119C88
    • , levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:, xrefs: 6D119D15
    • , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnrimfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05, xrefs: 6D1196F7, 6D119721, 6D119B44, 6D119B6E
    • ] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt, xrefs: 6D119B1A
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnrimfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05$, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu$, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:$, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar$] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt$] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc$][}]i)> +"osLlLtLuMnrimfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard $runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
    • API String ID: 0-4232704105
    • Opcode ID: 66b2fedfcee687b6d6115a9a6c820ee235975659db55a3f43d9b72bca1ed3b16
    • Instruction ID: 059e83c832265424ace48d16c971e93f42e25d6b2a7d63ab320fa6ba5dd538cc
    • Opcode Fuzzy Hash: 66b2fedfcee687b6d6115a9a6c820ee235975659db55a3f43d9b72bca1ed3b16
    • Instruction Fuzzy Hash: 3F524B75A0C7458FD320DF68D49075EBBF1BF89304F02892DEAA887349D7B5A944CB92

    Control-flow Graph
    • Graph image not included in this export; basic blocks 6d121570-6d121823, internal calls only (no imported APIs).
    Strings
    • ntdll.dll, xrefs: 6D121608
    • , xrefs: 6D1216A2
    • NtCancelWaitCompletionPacket, xrefs: 6D1216E2
    • P, xrefs: 6D1217E4
    • RtlGetCurrentPeb, xrefs: 6D121734
    • , xrefs: 6D12169A
    • NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no , xrefs: 6D1217C5
    • ProcessPrng, xrefs: 6D1215BF
    • NtAssociateWaitCompletionPacket, xrefs: 6D121690
    • RtlGetVersion, xrefs: 6D12177E
    • NtCreateWaitCompletionPacket, xrefs: 6D12163E
    • bcryptprimitives.dll, xrefs: 6D12158D
    • bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible , xrefs: 6D121807
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ $NtAssociateWaitCompletionPacket$NtCancelWaitCompletionPacket$NtCreateWaitCompletionPacket$NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no $P$ProcessPrng$RtlGetCurrentPeb$RtlGetVersion$bcryptprimitives.dll$bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible $ntdll.dll
    • API String ID: 0-2332038095
    • Opcode ID: f045fb5b17b19d1204f4891c5ee19a5a9f81a9b9ebdac4868f352b0f34c23305
    • Instruction ID: 6f32aea4ac0062cc8e1b03d7d329d2e91e560cc82649dd28ab8f4b2a1b6495ab
    • Opcode Fuzzy Hash: f045fb5b17b19d1204f4891c5ee19a5a9f81a9b9ebdac4868f352b0f34c23305
    • Instruction Fuzzy Hash: E771F6B4109302DFDB44DF24D194B1ABBF0BF8A348F01882DE59887344D7B6A898CF92
    Strings
    • nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo, xrefs: 6D113D81
    • mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea, xrefs: 6D11418A
    • mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 6D113D16
    • sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto, xrefs: 6D113C4F
    • , xrefs: 6D113E12
    • mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D113CE2, 6D114156
    • sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket, xrefs: 6D113CB8, 6D11412C
    • sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket, xrefs: 6D113E09
    • swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D113C65
    • previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 6D113DAB
    • mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 6D1141A9
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo$ previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$ sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea$mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1$sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
    • API String ID: 0-893999930
    • Opcode ID: 457d66c549598d21f4bbecd754995e3ca8a37f963b23874f1dd56a04d6603a7d
    • Instruction ID: 362aa3cc0ec6a037b425207c38b6d9b4911251c469ac244e6cfb4027c89de95d
    • Opcode Fuzzy Hash: 457d66c549598d21f4bbecd754995e3ca8a37f963b23874f1dd56a04d6603a7d
    • Instruction Fuzzy Hash: 888268B460C3958FC351DF24C490B6ABBF1BF89708F41882DE9D887389D7B59945CB92
    Strings
    • runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 6D122D95
    • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi, xrefs: 6D122EFD
    • runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b, xrefs: 6D122F31
    • VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec, xrefs: 6D122DC9
    • CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet, xrefs: 6D122E7B, 6D122ED6
    • NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor, xrefs: 6D122E20
    • runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr, xrefs: 6D122DEC
    • ,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnrimfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT, xrefs: 6D122D29
    • bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi, xrefs: 6D122D6E
    • %, xrefs: 6D122F3A
    • runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte, xrefs: 6D122E47, 6D122EA2
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: %$,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnrimfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet$NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte$runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
    • API String ID: 0-1107767589
    • Opcode ID: d345be454a570daf32d5df144223778930eafc6364cd3cfe97930bc8e21895dc
    • Instruction ID: 397b663ade511ba96f40ac7a5d6b33423aa2b203fcbd1ade2d6e3413643e52b8
    • Opcode Fuzzy Hash: d345be454a570daf32d5df144223778930eafc6364cd3cfe97930bc8e21895dc
    • Instruction Fuzzy Hash: 40C1D2B460C3458FD300EF64D194B1EBBF4BF89708F01896DE99887385D7B6A989CB52
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 3ccf089f2fe9ec5b87c25436dc3d39f42b1988ee8f1629b81de578eb2ac8d040
    • Instruction ID: 533bcf9eb3565dd1368a2d649b45986813e50ad20848d81b9b48412a6ae6f0ff
    • Opcode Fuzzy Hash: 3ccf089f2fe9ec5b87c25436dc3d39f42b1988ee8f1629b81de578eb2ac8d040
    • Instruction Fuzzy Hash: F1015AF18093548FDB00BFB8A60A31EBFF8EB82655F12452DD88897209D771A445CBA3
    Strings
    • 2, xrefs: 6D153D50
    • !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 6D1536FF
    • 4, xrefs: 6D153D0E
    • mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 6D153D05
    • malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo, xrefs: 6D153D31
    • mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential, xrefs: 6D153D47
    • malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty, xrefs: 6D153D1B
    • p, xrefs: 6D153D5E
    • 3-, xrefs: 6D153D58
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$2$4$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo$malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $3-$p
    • API String ID: 0-234616912
    • Opcode ID: 14f48f2b6aadb8a6ba7865da412a5a2cc2722851254aa5d33381e6ed46df04f4
    • Instruction ID: 72e7f3953c24e7eb40d6d679cf6b54daa24e0df61ea9f5ee8c52c4ff7d0be6e8
    • Opcode Fuzzy Hash: 14f48f2b6aadb8a6ba7865da412a5a2cc2722851254aa5d33381e6ed46df04f4
    • Instruction Fuzzy Hash: 3662BFB06083458FC704CF29C090B2ABBF1BF89714F15896DE9A48B396D7B9D956CF42
    Strings
    • v, xrefs: 6D16D025
    • y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnrimfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+1, xrefs: 6D16D1C5
    • invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa, xrefs: 6D16D663
    • $, xrefs: 6D16D66D
    • !, xrefs: 6D16D0EC
    • n, xrefs: 6D16D1B1
    • invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p, xrefs: 6D16CF75, 6D16D068, 6D16D138, 6D16D6F4, 6D16D816, 6D16D8A7, 6D16D938, 6D16D9CD
    • pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps, xrefs: 6D16D785
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$$$invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa$invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p$n$pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps$v$y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnrimfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+1
    • API String ID: 0-3093806760
    • Opcode ID: 5081745fdb2a97a65094df0b442e6d661d0b950f1fa2a966677b91f398bc7b5e
    • Instruction ID: db39337252de5ecf1dea2e61b33430442ca4341f561dd0d46a8bb8f5a00794ff
    • Opcode Fuzzy Hash: 5081745fdb2a97a65094df0b442e6d661d0b950f1fa2a966677b91f398bc7b5e
    • Instruction Fuzzy Hash: E07214B4A083858FC714DF68C180B5ABBF1BBC9704F55892DE9A887344DBB4E954CF92
    Strings
    • 0, xrefs: 6D1730B1
    • 0, xrefs: 6D173344
    • 0, xrefs: 6D173150
    • %!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutinecopystac, xrefs: 6D173FD9, 6D1742BB
    • 0, xrefs: 6D173267
    • )]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnrimfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+, xrefs: 6D173BE4, 6D173EAF, 6D173FF3, 6D1742D5
    • %!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamec, xrefs: 6D173BCA, 6D173E95
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: %!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutinecopystac$%!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamec$)]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnrimfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+$0$0$0$0
    • API String ID: 0-2599036075
    • Opcode ID: 6ad4707fbc7bf858690bc09c10ca82d52e6f01eeb00e1ccc4833d7429ae48489
    • Instruction ID: 578ed81e327112ca0b8aa3a18e697c49cfdb53056d138c84cc913c73332e4029
    • Opcode Fuzzy Hash: 6ad4707fbc7bf858690bc09c10ca82d52e6f01eeb00e1ccc4833d7429ae48489
    • Instruction Fuzzy Hash: 8103D4B4A0C3858FC335CF18C09069EFBE1BBC9310F15892EE99997365D7B4A945CB92
    Strings
    • non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard , xrefs: 6D1466C5
    • sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us, xrefs: 6D146566
    • (1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnrimfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+0, xrefs: 6D146320
    • pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace, xrefs: 6D146593
    • :(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnrimfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+, xrefs: 6D1463FD
    • , xrefs: 6D146031
    • , xrefs: 6D146039
    • fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit, xrefs: 6D146539
    Similarity
    • API ID:
    • String ID: $ $ fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit$ pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace$ sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us$(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnrimfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+0$:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnrimfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+$non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard
    • API String ID: 0-609173017
    • Opcode ID: bae6f0cb6e144287cf095a3a0b3310eb8ea90014096c6b7f6bb66b3b56a15ec9
    • Instruction ID: 815bc50ffffdd7eb06a78d692938c572f64ac0966529dd88d1d1ce6a672b398c
    • Opcode Fuzzy Hash: bae6f0cb6e144287cf095a3a0b3310eb8ea90014096c6b7f6bb66b3b56a15ec9
    • Instruction Fuzzy Hash: A532E37460C3858FC365DF65C180B9FBBE1AF89308F05886EE9C897359D7B1A845CB92
    Strings
    • timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 6D121C0D
    • timeBeginPeriod, xrefs: 6D121B29
    • runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co, xrefs: 6D121C34
    • &, xrefs: 6D121C3D
    • timeEndPeriod, xrefs: 6D121B73
    • runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta, xrefs: 6D121BD9
    • winmm.dll, xrefs: 6D121AF3
    Similarity
    • API ID:
    • String ID: &$runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta$runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co$timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon$timeBeginPeriod$timeEndPeriod$winmm.dll
    • API String ID: 0-424793872
    • Opcode ID: 4c2d477c69eeb1dd0d6c7ec43e23bc69ae36bd6cd303aee19794173c202e9092
    • Instruction ID: 686264d86201f6b4884a845f0b48892955340b1d4e32bd2413486ab216d3660d
    • Opcode Fuzzy Hash: 4c2d477c69eeb1dd0d6c7ec43e23bc69ae36bd6cd303aee19794173c202e9092
    • Instruction Fuzzy Hash: C451B5B460D3469FD704EF64D19472ABBF0BF59309F01881DE59887384E7B6A898CF92
    APIs
    Strings
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: dc609c76012c4d652399507b74feb47f248124e693dd083fbe57cfe99e557d47
    • Instruction ID: aba3c8d5af539ba8fa31f1af2865e87b074cb2b629aeb14a0fa4df34c5212163
    • Opcode Fuzzy Hash: dc609c76012c4d652399507b74feb47f248124e693dd083fbe57cfe99e557d47
    • Instruction Fuzzy Hash: 08019DB08083019FE700EF68C58971FBBF0AB88349F01891DE99897254D7B98249CF93
    Strings
    • findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r, xrefs: 6D12E0D5
    • findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi, xrefs: 6D12E0EB
    • findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a, xrefs: 6D12E0A9
    • findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina, xrefs: 6D12E0BF
    • global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz, xrefs: 6D12E093
    • !, xrefs: 6D12E0DE
    Similarity
    • API ID:
    • String ID: !$findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz
    • API String ID: 0-3518981815
    • Opcode ID: a2d2143eaab7f3135b9fb1f4b67d0d30278f9aa64ea92f9875c07d6e58c93d2a
    • Instruction ID: 212dfe4b4225620940c487450cdeb066315e58311b157ff10e274b1bf4565c77
    • Opcode Fuzzy Hash: a2d2143eaab7f3135b9fb1f4b67d0d30278f9aa64ea92f9875c07d6e58c93d2a
    • Instruction Fuzzy Hash: FAA2B27460D3418FD724DF69C094B6ABBF1BF8A744F01882DE9D887354EBB59884CB92
    Strings
    • d, xrefs: 6D121276
    • runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy, xrefs: 6D12139D, 6D1213F8, 6D12144B
    • runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar, xrefs: 6D121369
    • 5, xrefs: 6D121420
    • runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not , xrefs: 6D121417
    • runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe, xrefs: 6D1213C4
    Similarity
    • API ID:
    • String ID: 5$d$runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar$runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not $runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe$runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy
    • API String ID: 0-2414937731
    • Opcode ID: f1ea2373b276309cd071d2f8035fcd209edfe9648c9b94144fd76ebd64910394
    • Instruction ID: bc2e6aa08ab5f4d924303ad65ea80ff4d6be34526bc29e3e41e146c10d9dd349
    • Opcode Fuzzy Hash: f1ea2373b276309cd071d2f8035fcd209edfe9648c9b94144fd76ebd64910394
    • Instruction Fuzzy Hash: 5951C0B460C7459FD740EF28C19471EBBF0BF89708F01882DE99887354E7B69988CB92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D18634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D18635F
    • GetCurrentProcess.KERNEL32 ref: 6D186368
    • TerminateProcess.KERNEL32 ref: 6D186379
    • abort.MSVCRT ref: 6D186382
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 088a0fdb5e8b0d750b37ba541e00212d84fce38c1aee779845fb9dd1c784b252
    • Instruction ID: 2e25066c28119ce8cde9a84002de6ee32217e2e563b756eb38746f55a8412cfd
    • Opcode Fuzzy Hash: 088a0fdb5e8b0d750b37ba541e00212d84fce38c1aee779845fb9dd1c784b252
    • Instruction Fuzzy Hash: 2411E3B5904205CFCB00EF69C149B2ABBF0FB5A708F018929E988C7355F7759A54DF92
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6D186289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D0F13B9), ref: 6D18629A
    • GetCurrentThreadId.KERNEL32 ref: 6D1862A2
    • GetTickCount.KERNEL32 ref: 6D1862AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D0F13B9), ref: 6D1862B9
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 0698523a1aa8ee7f0a569fd9e95da221e136d4a0b77d46df68bd57494acba753
    • Instruction ID: 1eb05f05737bb8f8c16787afd09dbb9c524179fd4da9bbfef72f305f59e76d30
    • Opcode Fuzzy Hash: 0698523a1aa8ee7f0a569fd9e95da221e136d4a0b77d46df68bd57494acba753
    • Instruction Fuzzy Hash: D2119AB1A053008BCB00DF78E488A5BBBF5FB8A369F050D3AE444C6204EB71D558CBC2
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D18634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D18635F
    • GetCurrentProcess.KERNEL32 ref: 6D186368
    • TerminateProcess.KERNEL32 ref: 6D186379
    • abort.MSVCRT ref: 6D186382
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 047e8497b59209120c73b1ea67c5c50b29e35910e5925c8de98fb7d69d608a20
    • Instruction ID: bea80640363f75a961bd4cc3f2ceb75a012893f8c96a6721a46c763571582938
    • Opcode Fuzzy Hash: 047e8497b59209120c73b1ea67c5c50b29e35910e5925c8de98fb7d69d608a20
    • Instruction Fuzzy Hash: 9E1102B5804205CFCB00EFB9C149B2A7BF0FB06708F008529E948D7249E7749A44DF92
    Strings
    • min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 6D111A0F
    • runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti, xrefs: 6D11198C, 6D1119DB
    • !, xrefs: 6D111A18
    • min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW, xrefs: 6D1119C0
    Similarity
    • API ID:
    • String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW$runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti
    • API String ID: 0-967014423
    • Opcode ID: 36edcd1a05a7ff8e8312478b2a2b18cc5bdc4633c1bd1e572ac78dce6b4bbfc4
    • Instruction ID: 0bc22ba19a06824ff6d758f09afdb0eb1f9f62ddf361849b0db7637cd9bc677a
    • Instruction Fuzzy Hash: 04F1F27260D32A8FD701DE98C8C061EB7E2BBD4344F158A3CD99487389EBB19885C6C2
    Strings
    • stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met, xrefs: 6D12A7EB
    • stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many, xrefs: 6D12A7B0
    • stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl, xrefs: 6D12A690
    • stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a , xrefs: 6D12A843
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met$stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a $stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many$stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl
    • API String ID: 0-2039697367
    • Opcode ID: 69e1ed2523406126ef7fe023bd9f92210981ee4419a4600ef6c08777afd759c0
    • Instruction ID: 52a0740399b55cbfe8849d9cefee22b70d9d96a236ad434531a8a0ddb647f6b0
    • Instruction Fuzzy Hash: 2DF1F57860C3418FC304CF68C194A6AFBF1BB89708F16896DE99887355DBB5D985CF82
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$'$PowerRegisterSuspendResumeNotification$powrprof.dll
    • API String ID: 0-4026319467
    • Opcode ID: a84d34195f63536454d889f305e2c2aef252dc860adf968a071c6a392339d568
    • Instruction ID: 8da6238b3d2a147603c185184f8aaba2a193cb5ee80d36d566b3d236314b9c7c
    • Instruction Fuzzy Hash: 1421BFB45083429FD704CF25D094B5ABBF0BB89748F41891DE4D887354E7BA9A89CF83
    Strings
    • runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern, xrefs: 6D136A04
    • runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add, xrefs: 6D1369D7
    • <, xrefs: 6D136A0D
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: <$runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add$runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern
    • API String ID: 0-450027851
    • Opcode ID: 2e646295dd8b9751dce9b2f28b6fb3f2677e996da2de0476b6b1ef4e59e1d598
    • Instruction ID: 3d654e1ac0410519c1423fd73868d884438fb4c0c882a0655e1442c58730c8a8
    • Instruction Fuzzy Hash: 27027C70A0C7598FC714CF29C19061ABBE2BFC8704F16892DE99987348DBB5E855CF82
    Strings
    • ', xrefs: 6D1264AC
    • suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support, xrefs: 6D1264A3
    • invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro, xrefs: 6D12648D
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support
    • API String ID: 0-3278438963
    • Opcode ID: d4da02169b8c63f31f916c36222160e80cd6045983750c5dd61d9ff9f5c6ba81
    • Instruction ID: ecaaecb8fdaf9da88f502d6d1cfb92127ab289d62d5e43cbad380c4e5ac0f0b3
    • Instruction Fuzzy Hash: 9ED132B460D3458FC305CF29C09062ABBF2AF8A708F45885DF9D487395D7B6E984CB92
    Strings
    • +, xrefs: 6D116D57
    • grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 6D116D4E
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: +$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
    • API String ID: 0-3347251187
    • Opcode ID: 04d6cfa5226fa812aeb9d3742a34da694482d1234cf33f571fe88bfb28333e77
    • Instruction ID: a6362f942cb03fe642a71c861ab96e02761d55c893e37f4c4844f549f2c89ef1
    • Instruction Fuzzy Hash: 5322EF7460C3858FC354DF29C590B2ABBE1BF89744F11892DE9D887358DBB6E844CB82
    Strings
    • @, xrefs: 6D11B4FB
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D11B60F
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
    • API String ID: 0-1191861649
    • Opcode ID: 0bad75efc9b30ae4755a5bf1b76892bfe230cb0832e60b067411712dc942093a
    • Instruction ID: 1b1077ae9fae3dbe3fa77cd6def371023d345936988c3ac46ae869eba75bf461
    • Instruction Fuzzy Hash: EAA1E37560830A8FC304CF18C88065EB7E1FFC9314F458A2DE9A99B355D774E956CB82
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $@
    • API String ID: 0-1077428164
    • Opcode ID: e93fa8dba664f0f20c106ba687b109d02638ec38cd152a675c1cdc83119198d4
    • Instruction ID: 5cd3640937538a3eb61b4827e96054c929c4b0de874b6d3265be5d00c4f13170
    • Instruction Fuzzy Hash: 4B519E24C0CF9B65E6330BBDC442A663B206EB3144B01D76FFDD6B54B2E7566940BA22
    Strings
    • gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu, xrefs: 6D10CFA1
    • ,, xrefs: 6D10CFAA
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu
    • API String ID: 0-27675022
    • Opcode ID: c12824c9e80250410e29e74848b5cd4ba938cdb4aeeec43081f1cd93316f569c
    • Instruction ID: b078ec4474d8382e2f0555b09d4db96c217f0a9861a06c776b3e4810c7a50943
    • Instruction Fuzzy Hash: AD3193756093968FD305DF14C480A5AB7F1BB8A608F0985BDDC884F387CB71984ACBD1
    Strings
    • ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint, xrefs: 6D175B6E
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint
    • API String ID: 0-1364986362
    • Opcode ID: c7911c1eb02d2a071dbec38b9db841fed974aa1336b1134259b39bea88ee0435
    • Instruction ID: 9066b4fc12e57398544c5b719732445c180f4169f51c92406c530d24724f996d
    • Instruction Fuzzy Hash: A25216B1A083898FD374CF18C49039FFBE1ABD5304F45892DDAD89B395E7B599448B82
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 4
    • API String ID: 0-4088798008
    • Opcode ID: 473c45b3117547ca276a39a97b4790bcb181a1d52bad261cea7b32445485c751
    • Instruction ID: 01fa17eb54f1e0ac2ad1e2415ca88b5aa603e93f9b2126bec36d1d68ac8e657a
    • Instruction Fuzzy Hash: 8922CD7560D3468FC324DF58C4C466EB7E1AFC9304F15CA2DE9998B399DBB0A805CB82
    Strings
    • span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 6D100D52
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
    • API String ID: 0-1712010102
    • Opcode ID: c8d5b35e7344744cb90fa88e2ca169569221c1cde8db06c9803d630c5e9b5fdb
    • Instruction ID: 9f26973b73978bc6186705924194cf517afc0a76902c66bc71561f6f5cbf6d1f
    • Instruction Fuzzy Hash: D8D142B460C3458FC704EF29C090A6ABBE0BF89748F01896DF9D98B345EBB5D945CB42
    Strings
    • runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 6D11D3CB
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
    • API String ID: 0-429552053
    • Opcode ID: af4e93eb2ef526ecbbcaec212562521a8b364e5c0a9b31cc2f8d062b9690492b
    • Instruction ID: 1bda76deeaef78ee042b1ee3d5e5694347444d4885c93b0d7f406aa031f3d71c
    • Opcode Fuzzy Hash: af4e93eb2ef526ecbbcaec212562521a8b364e5c0a9b31cc2f8d062b9690492b
    • Instruction Fuzzy Hash: 69B1E2B860D3068FC704DF68C48492AB7F1BBC9348F52892DE99487318E7B5E945CF92
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ;
    • API String ID: 0-1661535913
    • Opcode ID: 3c8df150ed30dacb6591d218e667a65cf17a38cda214035134734358f67a1092
    • Instruction ID: 35755f0ecc2cd3b7e2090ef3fc6633c2966f879f10ace25bbace0c767d1d51a4
    • Opcode Fuzzy Hash: 3c8df150ed30dacb6591d218e667a65cf17a38cda214035134734358f67a1092
    • Instruction Fuzzy Hash: B7A1A471B083054FC31CDE5DD95131AFAE2ABC8304F05CA3DE599CB7A8E674D9098B82
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: 48b73b0f981e3b30623a7cf0ee14e651bbe25bce3cb67f28e6853b4b32cb0d79
    • Instruction ID: 836cdf0a9d07d7a5c48bbf1dd324c8447321b30708b4657b9e11dc44708d8411
    • Opcode Fuzzy Hash: 48b73b0f981e3b30623a7cf0ee14e651bbe25bce3cb67f28e6853b4b32cb0d79
    • Instruction Fuzzy Hash: F49100B5A0D3059FC344CF28C480A5ABBE1FF89744F41992EE99897345E7B4D989CB82
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9a2ed2d2543b100bb7983e11a5ede8175fd6e7d2ac1510a49190ac159463f581
    • Instruction ID: 4ef28d1473b92932db96576f3c77721a259ba38ff11d16256b5bd901f5b7d027
    • Opcode Fuzzy Hash: 9a2ed2d2543b100bb7983e11a5ede8175fd6e7d2ac1510a49190ac159463f581
    • Instruction Fuzzy Hash: 4F826D75A083958BC728CE0DC89079AF3F2BBDD300F55892DD599C7354E7B0AA15CB92
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 107e6ac636eba8ac7bb795d79bdadad0c3a18cc7428a64c587081b01eeb11b7a
    • Instruction ID: 737d2fd8436a03b6141ae23be41e8da9bc2b93e6ef9c3dbb99e782650bb17bd4
    • Opcode Fuzzy Hash: 107e6ac636eba8ac7bb795d79bdadad0c3a18cc7428a64c587081b01eeb11b7a
    • Instruction Fuzzy Hash: BF228071A1C34A8FC764CF64C49036BB7E2FB95304F55882DE99987259EBF19809CB82
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b7ae646c2cb77213912cd73a79a30c4b4321bef3375586f715b5101657f23c8f
    • Instruction ID: 22f087a4e1dd2b5469b895b55bd256bffb815301550afd03f3c14bf76c628503
    • Opcode Fuzzy Hash: b7ae646c2cb77213912cd73a79a30c4b4321bef3375586f715b5101657f23c8f
    • Instruction Fuzzy Hash: 14128A72A087498FD324DE5DC98024AF7E7BBC4304F55CA3DD9548B369EBB4E9058B82
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1a28f619da41eeffb9f7029f80e132f5cc225868663fa831e664f9b9c2a1aedc
    • Instruction ID: 38864399a114a34d021abb563591cd4af30a31402ab95ff2b280baefb182fe86
    • Opcode Fuzzy Hash: 1a28f619da41eeffb9f7029f80e132f5cc225868663fa831e664f9b9c2a1aedc
    • Instruction Fuzzy Hash: 09E1F472B5D72A4BD3159DAD8CC025EF2D3ABC8344F09863CDD649B384FAB5D90A86C1
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2ff9c28b74cadbd143516b92fc68cda9e6021cd3a34d9eea0daf51f120ecf3f0
    • Instruction ID: 7f9e9e52b4c333e986be50c14464f433ad110ebf1893b1d6e6cd9ea92142be28
    • Opcode Fuzzy Hash: 2ff9c28b74cadbd143516b92fc68cda9e6021cd3a34d9eea0daf51f120ecf3f0
    • Instruction Fuzzy Hash: A20270756083468FC324CF68C480A2EF7E2BF89304F15C96DE9999B355D7B4E809CB92
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 67a2eabb3b095236dae5d4439b59bf668fd90ad4e48c1b5fe133fce7aba7d9a6
    • Instruction ID: 879d43e41d327e11d2ff2a13b14180bcada30aa3a847e89a1adf13d86673138f
    • Opcode Fuzzy Hash: 67a2eabb3b095236dae5d4439b59bf668fd90ad4e48c1b5fe133fce7aba7d9a6
    • Instruction Fuzzy Hash: C1E1C433E2872507D3149E58CC80249B2D3ABC8670F4EC73DED95AB785E9B4ED5986C2
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9314ad8bb994a5f98341734951072681bca98154b0fc3f0001ed45b823dedeb2
    • Instruction ID: e1d07e831f4e1b73fff4b7a10b60ed7b72a7b281ee2eb4bfb3e9545fbad81334
    • Opcode Fuzzy Hash: 9314ad8bb994a5f98341734951072681bca98154b0fc3f0001ed45b823dedeb2
    • Instruction Fuzzy Hash: ADE1C272A0C36A4BC365CF29C49021FBBE2BBC5704F45892DE8958B359E7B19805CBC2
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b9e7c6ae92f8ac048a884e9dc39cc239323f12d6d38cb081281c21f7e43b165e
    • Instruction ID: 8a07f85805c120789e02be0d12a9842789f78388b03739f0e68a5374e092a672
    • Opcode Fuzzy Hash: b9e7c6ae92f8ac048a884e9dc39cc239323f12d6d38cb081281c21f7e43b165e
    • Instruction Fuzzy Hash: 4CC1B332B0C3164FC705EE6DC89061EB7E2ABC8344F49863CE955DB3A5EBB4E8058781
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0b18d5e0786534fe9bad8c2124bc0a57677639f4ad4728094f37da87952ff00a
    • Instruction ID: 90ff12e6fb4b99b8ca69bb094a7b038c2189670afd8943d9bdf8c23c6fdc1e5a
    • Opcode Fuzzy Hash: 0b18d5e0786534fe9bad8c2124bc0a57677639f4ad4728094f37da87952ff00a
    • Instruction Fuzzy Hash: DFE1B17560D3568FC715CF28C4C092EFBE1AFCA204F05896EE9958B396DB70E905CB92
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 82ddcdc1dbce7fdaa21d87f9d23a0c516852a948a157d702bb5790d55ed78867
    • Instruction ID: 54f8e17b5371e14bc3cedbad3f9142f6d2c4ec401f5af57b44b550af526d603e
    • Opcode Fuzzy Hash: 82ddcdc1dbce7fdaa21d87f9d23a0c516852a948a157d702bb5790d55ed78867
    • Instruction Fuzzy Hash: 5DF1EF7860C3918FC365CF29C090B5BBBE2BBC9204F15892EE9D8C7355EB71A945CB52
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5dd081f4c61e5d3415c40e18319b5dc330a399baa85ad11cce7c0997160d24b6
    • Instruction ID: 4431cfb5bb6edcf3ad1e633192dce91664b3df4252f8118e95e956d063c1ebfb
    • Opcode Fuzzy Hash: 5dd081f4c61e5d3415c40e18319b5dc330a399baa85ad11cce7c0997160d24b6
    • Instruction Fuzzy Hash: F4C1627060432A4FC251CE5EDCC0A6A73D1AB4821DF91866D9644CF7C3DA3AF46B97E4
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 09c845a70b864f6ca571d1d3d18313b7dd936455618e24bb4507f0e50a36f532
    • Instruction ID: c1f6f6d388fd4ba307b62ade7da4d48171f356c23c5f4dbf9ad057ce14e29014
    • Opcode Fuzzy Hash: 09c845a70b864f6ca571d1d3d18313b7dd936455618e24bb4507f0e50a36f532
    • Instruction Fuzzy Hash: C1C1517060432A4FC251CE5EDCC0A6A73D1AB4821DF91866D9644CF7C3DA3AF46B97A4
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    • Associated: 00000004.00000002.2157331130.000000006D0F0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157546480.000000006D188000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157572256.000000006D189000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157593536.000000006D18A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157610370.000000006D18F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157779500.000000006D238000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D23E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157812147.000000006D243000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157864902.000000006D256000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157885194.000000006D25D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157903095.000000006D25E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2157924684.000000006D261000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to signal runtime initialization complete., xrefs: 6D185F2C
    • unexpected cgo_bindm on Windows, xrefs: 6D185EA4
    • ;, xrefs: 6D185F18
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    • API String ID: 3057923235-924395932
    APIs
    Strings
    • Address %p has no image-section, xrefs: 6D1865DB
    • @, xrefs: 6D186578
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6D1865C7
    • VirtualProtect failed with code 0x%x, xrefs: 6D18659A
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: fc87b779f1f26aea83ed1e51fea0cf045830ac07d263ccceac1c3f430895fe9c
    • Instruction ID: 3942c181b63d30991fd0f01041d6530f5949f491aead96e35c7ab2ca2f8b4e52
    • Opcode Fuzzy Hash: fc87b779f1f26aea83ed1e51fea0cf045830ac07d263ccceac1c3f430895fe9c
    • Instruction Fuzzy Hash: B2418FB1A143069FC700DF68D488A1AFBF4FF95758F158A69D9588B21AE370E444CFD2
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    • Opcode ID: a8e37444a870e06a220ec6933a52e1fd283dbd74f177cb23efbd9dea4e096a21
    • Instruction ID: 947e7aaba52cacf7ca96ce83cc31c1226b5f32d3680a5019b3c18ceddd45088b
    • Opcode Fuzzy Hash: a8e37444a870e06a220ec6933a52e1fd283dbd74f177cb23efbd9dea4e096a21
    • Instruction Fuzzy Hash: 3E51B275A083158FD700DF29D48026AB7EAFFC8304F05892EE998D7215EBB5D949CF92
    APIs
    • malloc.MSVCRT ref: 6D18606F
    • fwrite.MSVCRT ref: 6D1860BD
    • abort.MSVCRT ref: 6D1860C2
    • free.MSVCRT ref: 6D1860E5
      • Part of subcall function 6D185FB0: _beginthread.MSVCRT ref: 6D185FD6
      • Part of subcall function 6D185FB0: _errno.MSVCRT ref: 6D185FE1
      • Part of subcall function 6D185FB0: _errno.MSVCRT ref: 6D185FE8
      • Part of subcall function 6D185FB0: fprintf.MSVCRT ref: 6D186008
      • Part of subcall function 6D185FB0: abort.MSVCRT ref: 6D18600D
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +$runtime/cgo: out of memory in thread_start
    • API String ID: 2633710936-1802439445
    • Opcode ID: fb65bc1e8b1684d1c13b58e6ab1496f6e0d6bd8085f27be11766fdac9f15bcc7
    • Instruction ID: b860cbd7422b3e29fffa9a340a347e2ae0f327e1822f7fd5b7292f433725ef64
    • Opcode Fuzzy Hash: fb65bc1e8b1684d1c13b58e6ab1496f6e0d6bd8085f27be11766fdac9f15bcc7
    • Instruction Fuzzy Hash: 0221C8B49087449FD700EF69D58491AFBF4FF8A704F45899DE9888B32AD3759840CF92
    APIs
    • CreateEventA.KERNEL32 ref: 6D185CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D185D89), ref: 6D185CEB
    • fwrite.MSVCRT ref: 6D185D20
    • abort.MSVCRT ref: 6D185D25
    Strings
    • =, xrefs: 6D185D05
    • runtime: failed to create runtime initialization wait event., xrefs: 6D185D19
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: 11c0758151d2906e69da2581ae3692420a561e8cfffae550169aef6bbb0f1710
    • Instruction ID: c0158501ac70a6dff8754c2969b3244a1a904480da49c6dfc2372f8741201820
    • Opcode Fuzzy Hash: 11c0758151d2906e69da2581ae3692420a561e8cfffae550169aef6bbb0f1710
    • Instruction Fuzzy Hash: 0EF0C9B04083019FE700AF68C51D32EBBF0EB41348F81885DD8998A245E7BA8554CF93
    APIs
    • Sleep.KERNEL32(?,?,?,6D0F12E0,?,?,?,?,?,?,6D0F13A3), ref: 6D0F1057
    • _amsg_exit.MSVCRT ref: 6D0F1085
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: 921e8f5e111b3dbbc92f134cfc0a3626f64d7463b910130616ab0a5998aee2a3
    • Instruction ID: 185f5208591fc2881467a4764742e150719a79345a6df671f269e2ec24ed5287
    • Opcode Fuzzy Hash: 921e8f5e111b3dbbc92f134cfc0a3626f64d7463b910130616ab0a5998aee2a3
    • Instruction Fuzzy Hash: 414186F16082468BFB019F6DC588B1BB7F4FB82748F51852ED954CB244E7769482CB83
    APIs
    • VirtualQuery.KERNEL32 ref: 6D18652D
    • VirtualProtect.KERNEL32 ref: 6D186587
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D235388), ref: 6D186594
      • Part of subcall function 6D187220: fwrite.MSVCRT ref: 6D18724F
      • Part of subcall function 6D187220: vfprintf.MSVCRT ref: 6D18726F
      • Part of subcall function 6D187220: abort.MSVCRT ref: 6D187274
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$@
    • API String ID: 1616349570-2953866262
    • Opcode ID: bdd73050a367a16ff0a552e7ba600ad93291930c190fd4526a2be7b1d2daa5b6
    • Instruction ID: f82a664cf3bcb459cf739d0888c6d49fdfb2fb7990560d4a40d8ae84fde0784a
    • Opcode Fuzzy Hash: bdd73050a367a16ff0a552e7ba600ad93291930c190fd4526a2be7b1d2daa5b6
    • Instruction Fuzzy Hash: 6F2137B29183068FD700DF28D488A1AFBF0FF98758F018A69D99887259E370D544CF92
    APIs
    • bsearch.MSVCRT ref: 6D184D5F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6D185BEF), ref: 6D184D9A
    • malloc.MSVCRT ref: 6D184DC8
    • qsort.MSVCRT ref: 6D184E16
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: 09a5f89c279008dc03bda862b5ea53b90610744d50697e86a9edc3f9e5600bc5
    • Instruction ID: b3543ed0002b15c3d26d10cb8f913dc1376926d6902d5fc21d7e614e35bd4c29
    • Opcode Fuzzy Hash: 09a5f89c279008dc03bda862b5ea53b90610744d50697e86a9edc3f9e5600bc5
    • Instruction Fuzzy Hash: F4413D756083018FD710DF29D48062ABBE6FF98314F058A2DE88587319EBB4E844CF52
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    • Opcode ID: bb3b9ae83214d686634eb3c10b7e685f0fe5e5865ca32f93c54d8a5c64351266
    • Instruction ID: 7e4faa1630f1c2b5ad555fd5d4cc153cdb2c17edf0a07eecfd23d91057f3c140
    • Opcode Fuzzy Hash: bb3b9ae83214d686634eb3c10b7e685f0fe5e5865ca32f93c54d8a5c64351266
    • Instruction Fuzzy Hash: 3821D930614205CBE700DF39C484A6777F5FF4A314F058529E5A6CB289EBB4E845CF52
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: c0f51499214b8a7e7461633803d474e07440fbac11108dfd5ef6196367ca1995
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: 75114FB1B082018BD701DF68D88076ABBE4BF45354F158A6AE498CB78EDBB4D440CF62
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6D185E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D1845D9), ref: 6D185E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D1845D9), ref: 6D185E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D1845D9), ref: 6D185E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D1845D9), ref: 6D185E50
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 7161fdb98f6d71b9de33d0a77b813767695aa6ab4e4505b7234f8ea6d5abc643
    • Instruction ID: 5a8aaec4c5aa2f41bd17a213d08e2569b2be58405dd10bc557eb69a4705964b4
    • Opcode Fuzzy Hash: 7161fdb98f6d71b9de33d0a77b813767695aa6ab4e4505b7234f8ea6d5abc643
    • Instruction Fuzzy Hash: B1014CB154430C9FDA00FFB9DD89A2BFBB4EF42614F410529E89087255E771A468CFA3
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6D187248
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: 1da49d4f6858048a3c3890de548e4f10521e23db7a23015956ba3fad012b5471
    • Instruction ID: a6a2875cee0d47ef64926409ba222b3f6ab94732d7f6160c396da1097e595a12
    • Opcode Fuzzy Hash: 1da49d4f6858048a3c3890de548e4f10521e23db7a23015956ba3fad012b5471
    • Instruction Fuzzy Hash: 25E0AEB090C3089AD301EFA4C08521EFAE5AF89348F42891DE1D84724AC7B98585CF93
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D0F12A5), ref: 6D186709
    Strings
    • Unknown pseudo relocation bit size %d., xrefs: 6D186799
    • Unknown pseudo relocation protocol version %d., xrefs: 6D186864
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: 20977a2e13872e0367e9fdb052540d9bf4690ba93734a52feb6f1b2340fcb3c5
    • Instruction ID: b5eb4fdfcdf3b94dd8fb6786df6324a1da8407c88143a8760f861834a83c1682
    • Opcode Fuzzy Hash: 20977a2e13872e0367e9fdb052540d9bf4690ba93734a52feb6f1b2340fcb3c5
    • Instruction Fuzzy Hash: 84618175A2421A8FCB04CF69C48476DB7B5FB45318F258529D9199B30AD3B5A805CFC2
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID: bsearchfprintffwrite
    • String ID: $
    • API String ID: 1110293247-3993045852
    • Opcode ID: 41df10273a530c55b59c2aa3e9c40c26ff6c3ae2ec2a8e1e8fbd7b78305ed61f
    • Instruction ID: cc6c10df5419f58df7acd29e56bf03784e4d57c61ef7d020eb5f596a4a2bacde
    • Opcode Fuzzy Hash: 41df10273a530c55b59c2aa3e9c40c26ff6c3ae2ec2a8e1e8fbd7b78305ed61f
    • Instruction Fuzzy Hash: 6C011BB584C3109BD700EF68D44826AFBE4FF49318F42891EE9C997206E7B58540CF93
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: babf33c1ea1fd9d72a5282842051380fb7a6db2356db3c28fe150692d1c56705
    • Instruction ID: 7b26b2da2b381e5d9617aff948ba42bf69cdad4c1f1423c4e9f50f78568ddb7d
    • Opcode Fuzzy Hash: babf33c1ea1fd9d72a5282842051380fb7a6db2356db3c28fe150692d1c56705
    • Instruction Fuzzy Hash: A821E3B5A083018BDB00DF28D5C871ABBE5BF98204F15C96DE8898B30ADB74D844CF92
    Memory Dump Source
    • Source File: 00000004.00000002.2157357095.000000006D0F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6d0f0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: f2fb515d93416b902104fffdf5403fbc19e62bdbff411c292dfe18433bdc3683
    • Instruction ID: 3d6667ae21a5a0fb3bbc3bf06b8915a21c36e6a52bba656896e9d3f1c9f9dbec
    • Opcode Fuzzy Hash: f2fb515d93416b902104fffdf5403fbc19e62bdbff411c292dfe18433bdc3683
    • Instruction Fuzzy Hash: 11F044B1A043198FDB00BF7CD4CDE1B7BB8EA56654B050568DD48C7209E730A959CBE3

    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:3
    Total number of Limit Nodes:0
    execution_graph 42903 6cd2cea0 42904 6cd2cec8 WriteFile 42903->42904 42905 6cd2ceb9 42903->42905 42905->42904

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 0 6cd2cea0-6cd2ceb7 1 6cd2cec8-6cd2cee0 WriteFile 0->1 2 6cd2ceb9-6cd2cec6 0->2 2->1
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.2240678036.000000006CCC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCC0000, based on PE: true
    • Associated: 0000000D.00000002.2240603354.000000006CCC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240909004.000000006CD58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240997944.000000006CD59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241087508.000000006CD5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241278835.000000006CD5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241626267.000000006CE08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241823700.000000006CE26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241856545.000000006CE2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241890587.000000006CE2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241921532.000000006CE31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ccc0000_rundll32.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: b3e3864809eadfe80362801953ad3256261258ab1ca8a0e5650387a02e6df7ec
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 87E0E571505600CFDB15DF18C2C1306BBE1EB88A00F0485A8DE098FB4AD738EE10CB92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6CD5634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6CD5635F
    • GetCurrentProcess.KERNEL32 ref: 6CD56368
    • TerminateProcess.KERNEL32 ref: 6CD56379
    • abort.MSVCRT ref: 6CD56382
    Memory Dump Source
    • Source File: 0000000D.00000002.2240678036.000000006CCC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCC0000, based on PE: true
    • Associated: 0000000D.00000002.2240603354.000000006CCC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240909004.000000006CD58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240997944.000000006CD59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241087508.000000006CD5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241278835.000000006CD5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241626267.000000006CE08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241823700.000000006CE26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241856545.000000006CE2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241890587.000000006CE2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241921532.000000006CE31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ccc0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 31c67968ef61176f96313f7d0c30baa16bddf6f0abfc3d8cac90b50cdbc8f09c
    • Instruction ID: 7383e0132047f7d7c92e8d651c977ac77db255f0ffe56e44fdab326f808ec66e
    • Opcode Fuzzy Hash: 31c67968ef61176f96313f7d0c30baa16bddf6f0abfc3d8cac90b50cdbc8f09c
    • Instruction Fuzzy Hash: 431104B5A04600DFEB00EF78C14975E7BF0BB55305F509929E84987360E77899548F92
    APIs
    Strings
    • @, xrefs: 6CD56578
    • Address %p has no image-section, xrefs: 6CD565DB
    • VirtualProtect failed with code 0x%x, xrefs: 6CD5659A
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6CD565C7
    Memory Dump Source
    • Source File: 0000000D.00000002.2240678036.000000006CCC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCC0000, based on PE: true
    • Associated: 0000000D.00000002.2240603354.000000006CCC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240909004.000000006CD58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240997944.000000006CD59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241087508.000000006CD5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241278835.000000006CD5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241626267.000000006CE08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241823700.000000006CE26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241856545.000000006CE2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241890587.000000006CE2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241921532.000000006CE31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ccc0000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 355c1503f126506f0484a941a9b84940aef8c25983a596fdfc3e33102b305b49
    • Instruction ID: 1c88722d3fca0f749a1f1cada2522313102a819406d3e492a368fd28ce534c58
    • Opcode Fuzzy Hash: 355c1503f126506f0484a941a9b84940aef8c25983a596fdfc3e33102b305b49
    • Instruction Fuzzy Hash: D6419FB2A053019BDB00DF79C48564EFBF0FF45314F958629D8888B728E334E466CB92
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.2240678036.000000006CCC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCC0000, based on PE: true
    • Associated: 0000000D.00000002.2240603354.000000006CCC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240909004.000000006CD58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240997944.000000006CD59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241087508.000000006CD5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241278835.000000006CD5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241626267.000000006CE08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241823700.000000006CE26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241856545.000000006CE2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241890587.000000006CE2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241921532.000000006CE31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ccc0000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 4f333fa6b78379da76a85a48b2afe5307deb2e4b5ed859472effcdf95f13fbd3
    • Instruction ID: d325e9dcb8ad01dfcd56f651944ea4dad0510bacf14a50af86af098619cd0284
    • Opcode Fuzzy Hash: 4f333fa6b78379da76a85a48b2afe5307deb2e4b5ed859472effcdf95f13fbd3
    • Instruction Fuzzy Hash: 3E015EB2A093148BDB00BF7D9A0631EBFF8EB42256F45452DD8898BB15E7349454CBD3
    APIs
    • CreateEventA.KERNEL32 ref: 6CD55CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CD55D89), ref: 6CD55CEB
    • fwrite.MSVCRT ref: 6CD55D20
    • abort.MSVCRT ref: 6CD55D25
    Strings
    • =, xrefs: 6CD55D05
    • runtime: failed to create runtime initialization wait event., xrefs: 6CD55D19
    Memory Dump Source
    • Source File: 0000000D.00000002.2240678036.000000006CCC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCC0000, based on PE: true
    • Associated: 0000000D.00000002.2240603354.000000006CCC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240909004.000000006CD58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240997944.000000006CD59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241087508.000000006CD5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241278835.000000006CD5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241626267.000000006CE08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241823700.000000006CE26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241856545.000000006CE2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241890587.000000006CE2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241921532.000000006CE31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ccc0000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: 586b1c20b0a9f15766b5e1acfa2c8fc71bb411b39768b23df2c32ca9ed1b0bc8
    • Instruction ID: 8bac0ce037fef57037a2a207a43350453db36dc83c8b535c167ecedfab0f6b20
    • Opcode Fuzzy Hash: 586b1c20b0a9f15766b5e1acfa2c8fc71bb411b39768b23df2c32ca9ed1b0bc8
    • Instruction Fuzzy Hash: 4AF0C9B1604701DFEB00BF68C50A31ABBF0BF41315F91886DD8998A650EBB991588B93
    APIs
    • Sleep.KERNEL32(?,?,?,6CCC12E0,?,?,?,?,?,?,6CCC13A3), ref: 6CCC1057
    • _amsg_exit.MSVCRT ref: 6CCC1085
    Memory Dump Source
    • Source File: 0000000D.00000002.2240678036.000000006CCC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCC0000, based on PE: true
    • Associated: 0000000D.00000002.2240603354.000000006CCC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240909004.000000006CD58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240997944.000000006CD59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241087508.000000006CD5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241278835.000000006CD5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241626267.000000006CE08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241823700.000000006CE26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241856545.000000006CE2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241890587.000000006CE2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241921532.000000006CE31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ccc0000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: d6529bff7ef5bc628f09a35de81bd26e3785310c3a45c5f1470be5093c96881c
    • Instruction ID: 7ca222cccd54888f043284a302df11813324aa09d98a76f5d3c28e8ec29a0c6a
    • Opcode Fuzzy Hash: d6529bff7ef5bc628f09a35de81bd26e3785310c3a45c5f1470be5093c96881c
    • Instruction Fuzzy Hash: 36414CB27082408BFB00AF6EC58175AB7F1FB82758F61852ED584CB744E77AC4958B93
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.2240678036.000000006CCC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCC0000, based on PE: true
    • Associated: 0000000D.00000002.2240603354.000000006CCC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240909004.000000006CD58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240997944.000000006CD59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241087508.000000006CD5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241278835.000000006CD5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241626267.000000006CE08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241823700.000000006CE26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241856545.000000006CE2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241890587.000000006CE2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241921532.000000006CE31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ccc0000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: 2b475fd312d0f8ba8b69255179d260a131384f1d6047eac1232c655a57c9d616
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: 4C117F70114200DFDB009F2CC880B5A7BE0BF45354FA6CA6AE498CBBA4DB74D454CB62
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6CD56289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CCC13B9), ref: 6CD5629A
    • GetCurrentThreadId.KERNEL32 ref: 6CD562A2
    • GetTickCount.KERNEL32 ref: 6CD562AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CCC13B9), ref: 6CD562B9
    Memory Dump Source
    • Source File: 0000000D.00000002.2240678036.000000006CCC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCC0000, based on PE: true
    • Associated: 0000000D.00000002.2240603354.000000006CCC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240909004.000000006CD58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240997944.000000006CD59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241087508.000000006CD5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241278835.000000006CD5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241626267.000000006CE08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241823700.000000006CE26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241856545.000000006CE2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241890587.000000006CE2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241921532.000000006CE31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ccc0000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 85d55bcc91aadc996b4232a7eac566897db8c67a176ef1966b95c6d72fa6ccfd
    • Instruction ID: 47949528cfbce6fa628d7da4850ef93d4b28cfb41eb63eae6fb4574bc666c38c
    • Opcode Fuzzy Hash: 85d55bcc91aadc996b4232a7eac566897db8c67a176ef1966b95c6d72fa6ccfd
    • Instruction Fuzzy Hash: 21119EB26053008FDB00EF78E48868BBBF4FB89255F440D39E449C7710EA38D4598BD2
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6CD55E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CD545D9), ref: 6CD55E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CD545D9), ref: 6CD55E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CD545D9), ref: 6CD55E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CD545D9), ref: 6CD55E50
    Memory Dump Source
    • Source File: 0000000D.00000002.2240678036.000000006CCC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCC0000, based on PE: true
    • Associated: 0000000D.00000002.2240603354.000000006CCC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240909004.000000006CD58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240997944.000000006CD59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241087508.000000006CD5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241278835.000000006CD5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241626267.000000006CE08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241823700.000000006CE26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241856545.000000006CE2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241890587.000000006CE2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241921532.000000006CE31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ccc0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: c2a91418af42742a9f78d4396bef626d467cf1811ca249b4f2f05226ff6b3452
    • Instruction ID: c11bbff684c9d43d3f2f4e6bbc4e77a3ed1e70cf5e89fcf23d23333fb25acd3f
    • Opcode Fuzzy Hash: c2a91418af42742a9f78d4396bef626d467cf1811ca249b4f2f05226ff6b3452
    • Instruction Fuzzy Hash: C9015EB2708708CFEB00BF79D98661ABBB4BF46210F510929D89047250E735E468CBA3
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6CD57248
    Memory Dump Source
    • Source File: 0000000D.00000002.2240678036.000000006CCC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCC0000, based on PE: true
    • Associated: 0000000D.00000002.2240603354.000000006CCC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240909004.000000006CD58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240997944.000000006CD59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241087508.000000006CD5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241278835.000000006CD5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241626267.000000006CE08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241823700.000000006CE26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241856545.000000006CE2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241890587.000000006CE2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241921532.000000006CE31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ccc0000_rundll32.jbxd
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: a576734f88fc7ce7f6e5961fdc1ea43f471556af9c5f67d47705729ebc7d35c2
    • Instruction ID: 561c76a9351d68579a76f47297fa9fe1f9845e709f40314f11890c8974a85a97
    • Opcode Fuzzy Hash: a576734f88fc7ce7f6e5961fdc1ea43f471556af9c5f67d47705729ebc7d35c2
    • Instruction Fuzzy Hash: 49E0C9B0518304AED700AF69C18539FBBF4BF85348F92C91CE0C847761D77984588B63
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CCC12A5), ref: 6CD56709
    Strings
    • Unknown pseudo relocation bit size %d., xrefs: 6CD56799
    • Unknown pseudo relocation protocol version %d., xrefs: 6CD56864
    Memory Dump Source
    • Source File: 0000000D.00000002.2240678036.000000006CCC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCC0000, based on PE: true
    • Associated: 0000000D.00000002.2240603354.000000006CCC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240909004.000000006CD58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240997944.000000006CD59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241087508.000000006CD5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241278835.000000006CD5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241626267.000000006CE08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241823700.000000006CE26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241856545.000000006CE2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241890587.000000006CE2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241921532.000000006CE31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ccc0000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: e0fb48f82289a4b9fdc833ed1aa754158328297d467317f65b60b253eb5340e1
    • Instruction ID: 4c735bfc064b350b170991260276f5d97f0c8d15ad64ffe83fe8bffdadad2ffb
    • Opcode Fuzzy Hash: e0fb48f82289a4b9fdc833ed1aa754158328297d467317f65b60b253eb5340e1
    • Instruction Fuzzy Hash: DF61CB71B0530ACFCF04DF68C48065EBBB1FB85318BA5826DE854DBB64D335A8678B91
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.2240678036.000000006CCC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCC0000, based on PE: true
    • Associated: 0000000D.00000002.2240603354.000000006CCC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240909004.000000006CD58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2240997944.000000006CD59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241087508.000000006CD5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241278835.000000006CD5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241626267.000000006CE08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241698080.000000006CE13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241823700.000000006CE26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241856545.000000006CE2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241890587.000000006CE2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2241921532.000000006CE31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6ccc0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 5840228399c2cd18c866a02030d010eafaa1d882e22c7c8abf1f91fc1c93a394
    • Instruction ID: 895694f099440c7709ec36841861b2eb83d9b1ca1a12f07023f1932a69c5508d
    • Opcode Fuzzy Hash: 5840228399c2cd18c866a02030d010eafaa1d882e22c7c8abf1f91fc1c93a394
    • Instruction Fuzzy Hash: 35F0A472A007148FEF107F7DC48AA1ABBB4EF45254B050528DD858B325E734E429CBE3

    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:3
    Total number of Limit Nodes:0
    execution_graph 42903 6cd2cea0 42904 6cd2cec8 VirtualAlloc 42903->42904 42905 6cd2ceb9 42903->42905 42905->42904

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 0 6cd2cea0-6cd2ceb7 1 6cd2cec8-6cd2cee0 VirtualAlloc 0->1 2 6cd2ceb9-6cd2cec6 0->2 2->1
    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.2238535246.000000006CCC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCC0000, based on PE: true
    • Associated: 00000011.00000002.2238449080.000000006CCC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238821413.000000006CD58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2238913287.000000006CD59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239017947.000000006CD5D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239108410.000000006CD5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239441273.000000006CE08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239527337.000000006CE0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239527337.000000006CE13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239713591.000000006CE26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239801515.000000006CE2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239896793.000000006CE2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2239998274.000000006CE31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6ccc0000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: b3e3864809eadfe80362801953ad3256261258ab1ca8a0e5650387a02e6df7ec
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 87E0E571505600CFDB15DF18C2C1306BBE1EB88A00F0485A8DE098FB4AD738EE10CB92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6CD5634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6CD5635F
    • GetCurrentProcess.KERNEL32 ref: 6CD56368
    • TerminateProcess.KERNEL32 ref: 6CD56379
    • abort.MSVCRT ref: 6CD56382
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 31c67968ef61176f96313f7d0c30baa16bddf6f0abfc3d8cac90b50cdbc8f09c
    • Instruction ID: 7383e0132047f7d7c92e8d651c977ac77db255f0ffe56e44fdab326f808ec66e
    • Opcode Fuzzy Hash: 31c67968ef61176f96313f7d0c30baa16bddf6f0abfc3d8cac90b50cdbc8f09c
    • Instruction Fuzzy Hash: 431104B5A04600DFEB00EF78C14975E7BF0BB55305F509929E84987360E77899548F92
    APIs
    Strings
    • VirtualProtect failed with code 0x%x, xrefs: 6CD5659A
    • Address %p has no image-section, xrefs: 6CD565DB
    • @, xrefs: 6CD56578
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6CD565C7
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 355c1503f126506f0484a941a9b84940aef8c25983a596fdfc3e33102b305b49
    • Instruction ID: 1c88722d3fca0f749a1f1cada2522313102a819406d3e492a368fd28ce534c58
    • Opcode Fuzzy Hash: 355c1503f126506f0484a941a9b84940aef8c25983a596fdfc3e33102b305b49
    • Instruction Fuzzy Hash: D6419FB2A053019BDB00DF79C48564EFBF0FF45314F958629D8888B728E334E466CB92
    APIs
    Strings
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 4f333fa6b78379da76a85a48b2afe5307deb2e4b5ed859472effcdf95f13fbd3
    • Instruction ID: d325e9dcb8ad01dfcd56f651944ea4dad0510bacf14a50af86af098619cd0284
    • Opcode Fuzzy Hash: 4f333fa6b78379da76a85a48b2afe5307deb2e4b5ed859472effcdf95f13fbd3
    • Instruction Fuzzy Hash: 3E015EB2A093148BDB00BF7D9A0631EBFF8EB42256F45452DD8898BB15E7349454CBD3
    APIs
    • CreateEventA.KERNEL32 ref: 6CD55CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CD55D89), ref: 6CD55CEB
    • fwrite.MSVCRT ref: 6CD55D20
    • abort.MSVCRT ref: 6CD55D25
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6CD55D19
    • =, xrefs: 6CD55D05
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: 586b1c20b0a9f15766b5e1acfa2c8fc71bb411b39768b23df2c32ca9ed1b0bc8
    • Instruction ID: 8bac0ce037fef57037a2a207a43350453db36dc83c8b535c167ecedfab0f6b20
    • Opcode Fuzzy Hash: 586b1c20b0a9f15766b5e1acfa2c8fc71bb411b39768b23df2c32ca9ed1b0bc8
    • Instruction Fuzzy Hash: 4AF0C9B1604701DFEB00BF68C50A31ABBF0BF41315F91886DD8998A650EBB991588B93
    APIs
    • Sleep.KERNEL32(?,?,?,6CCC12E0,?,?,?,?,?,?,6CCC13A3), ref: 6CCC1057
    • _amsg_exit.MSVCRT ref: 6CCC1085
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: d6529bff7ef5bc628f09a35de81bd26e3785310c3a45c5f1470be5093c96881c
    • Instruction ID: 7ca222cccd54888f043284a302df11813324aa09d98a76f5d3c28e8ec29a0c6a
    • Opcode Fuzzy Hash: d6529bff7ef5bc628f09a35de81bd26e3785310c3a45c5f1470be5093c96881c
    • Instruction Fuzzy Hash: 36414CB27082408BFB00AF6EC58175AB7F1FB82758F61852ED584CB744E77AC4958B93
    APIs
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: 2b475fd312d0f8ba8b69255179d260a131384f1d6047eac1232c655a57c9d616
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: 4C117F70114200DFDB009F2CC880B5A7BE0BF45354FA6CA6AE498CBBA4DB74D454CB62
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6CD56289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CCC13B9), ref: 6CD5629A
    • GetCurrentThreadId.KERNEL32 ref: 6CD562A2
    • GetTickCount.KERNEL32 ref: 6CD562AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CCC13B9), ref: 6CD562B9
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 85d55bcc91aadc996b4232a7eac566897db8c67a176ef1966b95c6d72fa6ccfd
    • Instruction ID: 47949528cfbce6fa628d7da4850ef93d4b28cfb41eb63eae6fb4574bc666c38c
    • Opcode Fuzzy Hash: 85d55bcc91aadc996b4232a7eac566897db8c67a176ef1966b95c6d72fa6ccfd
    • Instruction Fuzzy Hash: 21119EB26053008FDB00EF78E48868BBBF4FB89255F440D39E449C7710EA38D4598BD2
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6CD55E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CD545D9), ref: 6CD55E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CD545D9), ref: 6CD55E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CD545D9), ref: 6CD55E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CD545D9), ref: 6CD55E50
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: c2a91418af42742a9f78d4396bef626d467cf1811ca249b4f2f05226ff6b3452
    • Instruction ID: c11bbff684c9d43d3f2f4e6bbc4e77a3ed1e70cf5e89fcf23d23333fb25acd3f
    • Opcode Fuzzy Hash: c2a91418af42742a9f78d4396bef626d467cf1811ca249b4f2f05226ff6b3452
    • Instruction Fuzzy Hash: C9015EB2708708CFEB00BF79D98661ABBB4BF46210F510929D89047250E735E468CBA3
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6CD57248
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: a576734f88fc7ce7f6e5961fdc1ea43f471556af9c5f67d47705729ebc7d35c2
    • Instruction ID: 561c76a9351d68579a76f47297fa9fe1f9845e709f40314f11890c8974a85a97
    • Opcode Fuzzy Hash: a576734f88fc7ce7f6e5961fdc1ea43f471556af9c5f67d47705729ebc7d35c2
    • Instruction Fuzzy Hash: 49E0C9B0518304AED700AF69C18539FBBF4BF85348F92C91CE0C847761D77984588B63
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CCC12A5), ref: 6CD56709
    Strings
    • Unknown pseudo relocation bit size %d., xrefs: 6CD56799
    • Unknown pseudo relocation protocol version %d., xrefs: 6CD56864
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: e0fb48f82289a4b9fdc833ed1aa754158328297d467317f65b60b253eb5340e1
    • Instruction ID: 4c735bfc064b350b170991260276f5d97f0c8d15ad64ffe83fe8bffdadad2ffb
    • Opcode Fuzzy Hash: e0fb48f82289a4b9fdc833ed1aa754158328297d467317f65b60b253eb5340e1
    • Instruction Fuzzy Hash: DF61CB71B0530ACFCF04DF68C48065EBBB1FB85318BA5826DE854DBB64D335A8678B91
    APIs
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 5840228399c2cd18c866a02030d010eafaa1d882e22c7c8abf1f91fc1c93a394
    • Instruction ID: 895694f099440c7709ec36841861b2eb83d9b1ca1a12f07023f1932a69c5508d
    • Opcode Fuzzy Hash: 5840228399c2cd18c866a02030d010eafaa1d882e22c7c8abf1f91fc1c93a394
    • Instruction Fuzzy Hash: 35F0A472A007148FEF107F7DC48AA1ABBB4EF45254B050528DD858B325E734E429CBE3
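    The per-function records above all follow one fixed shape (an APIs list with call-site refs, an optional Strings list with xrefs, and a Similarity block of key: value fields), which makes them easy to turn into structured data for triage. The following is an added example, not part of the Joe Sandbox report or its tooling: a Python parser for that record format plus a small tagger that separates compiler and runtime boilerplate from the records worth an analyst's time. The sample input is excerpted from four of the records above (the repeated Associated/Download File lines dropped); the watchlists and tag names are this example's own assumptions, and the reading of the five-call sequence at 6CD56289 (GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter) as the standard CRT stack-cookie seeding routine is an interpretation, not something the report states; it is the pattern the report's "execution timing" heuristic keys on, so tagging it lets an analyst set it aside rather than chase it as anti-debugging.

```python
"""Parse Joe Sandbox per-function 'APIs / Strings / Similarity' records into
structured data and attach triage tags.  Added example for this page; it is not
part of the Joe Sandbox report.  Watchlists and tag names are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed input: four records excerpted from the report above, with the
# repeated 'Associated: ... Download File' lines dropped.
SAMPLE = """\
APIs
• SetUnhandledExceptionFilter.KERNEL32 ref: 6CD5634F
• UnhandledExceptionFilter.KERNEL32 ref: 6CD5635F
• GetCurrentProcess.KERNEL32 ref: 6CD56368
• TerminateProcess.KERNEL32 ref: 6CD56379
• abort.MSVCRT ref: 6CD56382
Memory Dump Source
• Source File: 00000011.00000002.2238535246.000000006CCC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CCC0000, based on PE: true
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
• String ID:
• API String ID: 520269711-0
APIs
• CreateEventA.KERNEL32 ref: 6CD55CD2
• InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CD55D89), ref: 6CD55CEB
• fwrite.MSVCRT ref: 6CD55D20
• abort.MSVCRT ref: 6CD55D25
Strings
• runtime: failed to create runtime initialization wait event., xrefs: 6CD55D19
• =, xrefs: 6CD55D05
Similarity
• API ID: CreateCriticalEventInitializeSectionabortfwrite
APIs
• GetSystemTimeAsFileTime.KERNEL32 ref: 6CD56289
• GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CCC13B9), ref: 6CD5629A
• GetCurrentThreadId.KERNEL32 ref: 6CD562A2
• GetTickCount.KERNEL32 ref: 6CD562AA
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CCC13B9), ref: 6CD562B9
Similarity
• API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
APIs
• VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CCC12A5), ref: 6CD56709
Strings
• Unknown pseudo relocation bit size %d., xrefs: 6CD56799
• Unknown pseudo relocation protocol version %d., xrefs: 6CD56864
Similarity
• API ID: ProtectVirtual
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: str | None   # the (?,?,...,6CCC12A5) list the report prints, if any
    ref: int           # call-site address

@dataclass
class StringRef:
    text: str
    xref: int

@dataclass
class FunctionBlock:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[StringRef] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)   # Similarity / dump-source fields

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
STR_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xref>[0-9A-Fa-f]+)$")

def parse_blocks(text: str) -> list[FunctionBlock]:
    """Every record starts at an 'APIs' header; bullet lines belong to the most
    recent section header."""
    blocks: list[FunctionBlock] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":
                blocks.append(FunctionBlock())
            section = line
            continue
        if not line.startswith("•") or not blocks:
            continue
        item = line[1:].strip()
        if section == "APIs":
            if m := API_RE.match(item):
                blocks[-1].apis.append(ApiCall(m["name"], m["module"], m["args"], int(m["ref"], 16)))
        elif section == "Strings":
            if m := STR_RE.match(item):
                blocks[-1].strings.append(StringRef(m["text"], int(m["xref"], 16)))
        else:
            key, _, value = item.partition(":")   # 'String ID:' with no value stays ''
            blocks[-1].meta[key.strip()] = value.strip()
    return blocks

# Assumed watchlists.  COOKIE_SEED is the five-call sequence of the CRT
# stack-cookie initializer: it reads clocks but is not a debugger-timing check.
MEMORY_APIS = {"VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "VirtualQuery",
               "WriteProcessMemory", "CreateRemoteThread"}
COOKIE_SEED = {"GetSystemTimeAsFileTime", "GetCurrentProcessId", "GetCurrentThreadId",
               "GetTickCount", "QueryPerformanceCounter"}

def classify(block: FunctionBlock) -> list[str]:
    names = {a.name for a in block.apis}
    texts = [s.text for s in block.strings]
    tags = []
    if COOKIE_SEED <= names:
        tags.append("crt-stack-cookie-seed")
    if names & MEMORY_APIS:
        tags.append("memory-protection")
    if any("pseudo relocation" in t or "Mingw-w64" in t for t in texts):
        tags.append("mingw-runtime")
    if any(t.startswith("runtime:") for t in texts):
        tags.append("go-runtime")
    if {"SetUnhandledExceptionFilter", "TerminateProcess"} <= names:
        tags.append("crash-handler")
    return tags

def entry_estimate(block: FunctionBlock) -> int | None:
    """Lowest referenced address, used as a label because the listing does not
    print the function's start address."""
    addrs = [a.ref for a in block.apis] + [s.xref for s in block.strings]
    return min(addrs) if addrs else None

def triage(text: str) -> list[tuple[int | None, list[str], str]]:
    return [(entry_estimate(b), classify(b), b.meta.get("API ID", "")) for b in parse_blocks(text)]

if __name__ == "__main__":
    for addr, tags, api_id in triage(SAMPLE):
        print(f"{(addr or 0):08X}  {','.join(tags) or '-':<24} {api_id}")
```

    Run against the whole listing, the untagged records are the ones to open first; on this sample every record resolves to CRT, mingw-w64 or Go runtime start-up code, which is consistent with the report's own finding that the sample shows little activity under rundll32.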