
Windows Analysis Report
wPXfGrAC5q.dll

Overview

General Information

Sample name: wPXfGrAC5q.dll
renamed because original name is a hash value
Original sample name: 4763aeaf5e201de4c17fb127a565b73940ec67292bc75ce6bd45feb4104319ef.dll
Analysis ID: 1544812
MD5: c5255f9a1c66c5dad7434ae8ecb90318
SHA1: 5d41f3073653f7d92079ca2b938778c000be6412
SHA256: 4763aeaf5e201de4c17fb127a565b73940ec67292bc75ce6bd45feb4104319ef
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 4504 cmdline: loaddll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6420 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 2408 cmdline: rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 3180 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 840 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 972 cmdline: rundll32.exe C:\Users\user\Desktop\wPXfGrAC5q.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 4888 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 824 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7424 cmdline: rundll32.exe C:\Users\user\Desktop\wPXfGrAC5q.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7524 cmdline: rundll32.exe C:\Users\user\Desktop\wPXfGrAC5q.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7596 cmdline: rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7768 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7596 -s 832 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7624 cmdline: rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7648 cmdline: rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7716 cmdline: rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7776 cmdline: rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SpellSpell MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7828 cmdline: rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SpellInit MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7868 cmdline: rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SpellFree MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7908 cmdline: rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7948 cmdline: rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7988 cmdline: rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4C1830
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D451830
Source: wPXfGrAC5q.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: wPXfGrAC5q.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 3_2_6D492CA0: 4x nop then mov dword ptr [esp+0Ch], eax
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 3_2_6D492CA6: 4x nop then mov dword ptr [esp+0Ch], eax
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 3_2_6D4ACEC0: 4x nop then mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 3_2_6D4B9030: 4x nop then shr ebp, 0Dh
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 3_2_6D4BA360: 4x nop then shr ecx, 0Dh
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 20_2_6D422CA0: 4x nop then mov dword ptr [esp+0Ch], eax
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 20_2_6D422CA6: 4x nop then mov dword ptr [esp+0Ch], eax
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 20_2_6D43CEC0: 4x nop then mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 20_2_6D449030: 4x nop then shr ebp, 0Dh
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 20_2_6D44A360: 4x nop then shr ecx, 0Dh
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 3_2_6D4C1A70: NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 3_2_6D4C2A90: NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 3_2_6D4C1570: NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 3_2_6D4C11F0: NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 20_2_6D451A70: NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 20_2_6D452A90: NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 20_2_6D451570: NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 20_2_6D4511F0: NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4BAD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4EBC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D492CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D492CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4CCF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4E5ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D49BE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4BD9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4A59F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4FA872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4BBB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D49FBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4BCA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4A0AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4E8570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4B1440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4D6470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4B3400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4B6630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4BC6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4ED6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4BD040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4C6010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4990F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4BC080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4A80A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4F332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4CA320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4B93F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4CE240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4BB2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4F7280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4932A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D44AD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D47BC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D422CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D422CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D45CF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D475ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D42BE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D44D9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D4359F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D48A872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D44BB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D42FBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D44CA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D430AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D478570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D441440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D466470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D443400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D446630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D44C6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D47D6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D44D040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D456010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D4290F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D44C080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D4380A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D45A320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D48332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D4493F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D45E240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D44B2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D487280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D4232A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D4C7410 appears 691 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D4F6A90 appears 480 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D486A90 appears 480 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D457410 appears 691 times
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 824
Source: wPXfGrAC5q.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine | Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4296:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\bba3320f-8344-4456-9708-84adcbee543e
Source: wPXfGrAC5q.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wPXfGrAC5q.dll,BarCreate
Source: rundll32.exe | String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe | String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe | String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe | String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe | String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe | String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe | String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe | String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe | String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe | String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe | String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe | String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe | String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe | String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe | String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe | String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wPXfGrAC5q.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 824
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 840
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wPXfGrAC5q.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\wPXfGrAC5q.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7596 -s 832
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: wPXfGrAC5q.dll | Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: wPXfGrAC5q.dll | Static file information: File size 1368576 > 1048576
Source: wPXfGrAC5q.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4913E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,3_2_6D4913E0
Source: wPXfGrAC5q.dll | Static PE information: real checksum: 0x14e6bf should be: 0x154eea
Source: wPXfGrAC5q.dll | Static PE information: section name: .eh_fram
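The static observations above (image base above 0x60000000, DLL characteristics, checksum mismatch, section name .eh_fram) are cheap to reproduce and worth re-checking outside the sandbox. The block below is an added example, not code from the Joe Sandbox report or from the sample: a standard-library-only PE32 header parser with the PE checksum algorithm, run over a DLL image that is constructed inline to mirror the report's header values (the constructed image is not the analysed file). Two caveats a practitioner would attach to these hits: .eh_fram is GCC/MinGW's .eh_frame truncated to the 8-byte section-name limit, and a zero TimeDateStamp is common for Go and reproducible MinGW builds, so together with the _cgo_dummy_export export they point at a cgo toolchain rather than at a packer; and the user-mode loader does not enforce CheckSum (Windows checks it for kernel drivers), so the mismatch is a toolchain fingerprint, not an evasion.

```python
"""Added example: reproduce the report's static PE checks in pure Python.
The PE image built by build_sample_pe() is constructed here to mirror the
report's header values; it is NOT the analysed sample."""
import struct

PE32_MAGIC = 0x10B
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x8000: "TERMINAL_SERVER_AWARE"}
# Section names a stock MSVC/MinGW image is expected to carry; anything else is reported.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".reloc", ".rsrc", ".tls", ".CRT", ".pdata"}


def _optional_header_offset(data: bytes) -> int:
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 4 + 20            # skip PE signature and COFF header


def pe_checksum(data: bytes) -> int:
    """Recompute IMAGE_OPTIONAL_HEADER.CheckSum: end-around-carry sum of dwords
    (skipping the CheckSum field itself), folded to 16 bits, plus the file length."""
    skip = (_optional_header_offset(data) + 64) // 4     # dword index of CheckSum
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def parse_headers(data: bytes) -> dict:
    """COFF/optional-header fields the report's static signatures look at."""
    opt = _optional_header_offset(data)
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, opt - 20)
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    checksum = struct.unpack_from("<I", data, opt + 64)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    names = []
    for i in range(nsections):
        start = opt + opt_size + i * 40                 # IMAGE_SECTION_HEADER is 40 bytes
        names.append(data[start:start + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "timestamp": timestamp, "image_base": image_base,
            "checksum": checksum, "sections": names,
            "dll_chars": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit]}


def findings(data: bytes) -> list:
    """The report's static observations, as strings."""
    h = parse_headers(data)
    out = []
    computed = pe_checksum(data)
    if h["checksum"] != computed:
        out.append(f"invalid checksum: header 0x{h['checksum']:x}, computed 0x{computed:x}")
    if h["timestamp"] == 0:
        out.append("zeroed TimeDateStamp")
    if h["image_base"] > 0x60000000:
        out.append(f"image base 0x{h['image_base']:x} > 0x60000000")
    out.extend(f"non-standard section name: {s}" for s in h["sections"] if s not in STANDARD_SECTIONS)
    return out


def build_sample_pe(checksum_field: int = 0x14E6BF) -> bytes:
    """Constructed 32-bit DLL image (NOT the analysed sample): ImageBase 0x6d8c0000,
    TimeDateStamp 0, DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE, sections .text and
    .eh_fram, and a CheckSum field that defaults to the report's 0x14e6bf."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    sections = [(b".text", 0x1000, 0x60000020), (b".eh_fram", 0x2000, 0x40000040)]
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      PE32_MAGIC, 2, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000,
                      0x6D8C0000, 0x1000, 0x200, 6, 1, 6, 1, 6, 1, 0,
                      0x3000, 0x200, checksum_field, 3, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128  # 16 empty data dirs
    hdrs = b""
    for i, (name, va, flags) in enumerate(sections):
        hdrs += struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, 0x200 * (i + 1), 0, 0, 0, 0, flags)
    image = (dos + b"PE\0\0" + coff + opt + hdrs).ljust(0x200, b"\0")
    return image + b"\x90" * 0x200 + b"\x11" * 0x200           # filler section bodies


if __name__ == "__main__":
    for line in findings(build_sample_pe()):
        print(line)
```

Running the block prints the four findings for the constructed image. Rebuilding it with `checksum_field=pe_checksum(build_sample_pe())` gives an image whose header and recomputed checksum agree, which is the same comparison the report expresses as 0x14e6bf versus 0x154eea for the real file.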
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0183AF34 push eax; retf 0_2_0183AF39
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0183CD7B push ss; iretd 0_2_0183CD92
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_018803E8 push edx; retf 0_2_018803F4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0188036E push edx; iretd 0_2_0188038B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D505094 pushad ; ret 3_2_6D505095
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D50509D pushad ; ret 3_2_6D50509E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0543AF34 push eax; retf 4_2_0543AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_054823ED push edx; retf 4_2_054823F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_054828A2 push cs; iretd 4_2_054828B9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_0483D763 push esp; retf 17_2_0483D764
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_0543AF34 push eax; retf 19_2_0543AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D49509D pushad ; ret 20_2_6D49509E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D495094 pushad ; ret 20_2_6D495095
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0503AF34 push eax; retf 21_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0503CE1C push edx; ret 21_2_0503CE2B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_04C3AF34 push eax; retf 22_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_04C80394 push ecx; iretd 22_2_04C803A5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 24_2_04C3AF34 push eax; retf 24_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 26_2_04C3AF34 push eax; retf 26_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 27_2_04C3D30B push ebp; iretd 27_2_04C3D311
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 27_2_04C3AF34 push eax; retf 27_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 28_2_0443AF34 push eax; retf 28_2_0443AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 29_2_0443C926 push C790B133h; retf 29_2_0443CD8E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 29_2_0443CD6E push C790B133h; retf 29_2_0443CD8E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 29_2_0443AF34 push eax; retf 29_2_0443AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 30_2_0503AF34 push eax; retf 30_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 31_2_0543C8A3 push ss; retf 31_2_0543C8A5
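The push/ret hits above are what the "code obfuscation techniques (call, push, ret)" signature keys on: a push directly followed by ret, retf or iretd, which a linear sweep finds easily. The scanner below is an added example, not part of the report; it models the push forms that appear in the listing (general register, segment register, pushad, imm8 and imm32) and runs over a byte string constructed here. Before treating such hits as obfuscation, check where they sit: most of the rundll32.exe and loaddll32.exe hits share the low 16 bits AF34 at different bases, so they come from one recurring mapping in the host processes rather than from the sample's .text, and the only hits inside the DLL's own image are the pushad ; ret pairs at 0x6D505094/0x6D50509D (PID 3) and 0x6D495094/0x6D49509D (PID 20), which are the same RVA 0x75094/0x7509D once each process's DLL base is subtracted (0x6D490000 for PID 3, derived from the resolver 3_2_6D4913E0 sitting at entry point 0x1380 + 0x60; 0x6D420000 for PID 20, derived from 20_2_6D4B6300 being the same function as 3_2_6D526300).

```python
"""Added example: scan raw code bytes for push-then-return sequences, the
pattern behind the "code obfuscation techniques (call, push, ret)" hits."""

PUSH_REG = {0x50 + i: f"push {r}" for i, r in enumerate(
    ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])}
PUSH_MISC = {0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds", 0x60: "pushad"}
RETURNS = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf", 0xCA: "retf imm16", 0xCF: "iretd"}


def decode_push(buf: bytes, off: int):
    """Return (mnemonic, length) when buf[off] starts a push this scanner models."""
    op = buf[off]
    if op in PUSH_REG:
        return PUSH_REG[op], 1
    if op in PUSH_MISC:
        return PUSH_MISC[op], 1
    if op == 0x68 and off + 5 <= len(buf):                    # push imm32
        return f"push {int.from_bytes(buf[off + 1:off + 5], 'little'):08X}h", 5
    if op == 0x6A and off + 2 <= len(buf):                    # push imm8
        return f"push {buf[off + 1]:02X}h", 2
    return None


def find_push_ret(buf: bytes, base: int = 0) -> list:
    """Linear sweep: every offset is tried as a push, so a hit can also fall inside
    another instruction's operand bytes and must be confirmed in a disassembler."""
    hits = []
    for off in range(len(buf)):
        decoded = decode_push(buf, off)
        if decoded is None:
            continue
        text, length = decoded
        nxt = off + length
        if nxt < len(buf) and buf[nxt] in RETURNS:
            hits.append((base + off, f"{text}; {RETURNS[buf[nxt]]}"))
    return hits


# Constructed byte string (not taken from the sample) mixing an ordinary prologue
# with the gadget shapes the report lists.
SAMPLE_CODE = bytes.fromhex(
    "55 89 e5"              # push ebp; mov ebp, esp   (ordinary prologue, no hit)
    "50 cb"                 # push eax; retf
    "90 90"                 # nop; nop
    "68 33 b1 90 c7 cb"     # push C790B133h; retf
    "60 c3"                 # pushad; ret
    "0e cf"                 # push cs; iretd
    "c3"                    # ret
)

if __name__ == "__main__":
    for addr, text in find_push_ret(SAMPLE_CODE, base=0x0443C900):
        print(f"{addr:08X} {text}")
```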
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOGPFAULTERRORBOX|NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (2x); NOGPFAULTERRORBOX|NOOPENFILEERRORBOX (2x)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS|NOGPFAULTERRORBOX (10x); NOOPENFILEERRORBOX (8x)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (6x); NOGPFAULTERRORBOX|NOOPENFILEERRORBOX (6x)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS|NOGPFAULTERRORBOX (5x); NOOPENFILEERRORBOX (4x)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (6x); NOGPFAULTERRORBOX|NOOPENFILEERRORBOX (6x)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4FC0C0 rdtscp 3_2_6D4FC0C0
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 1.4 % (2x)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort (2x)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D526300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,3_2_6D526300
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_6D4B6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,20_2_6D4B6300
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D526250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,3_2_6D526250
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4C1C90 RtlGetVersion,RtlGetCurrentPeb,3_2_6D4C1C90
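The "Code function" lines above carry the API sequences that the anti-debug, execution-timing and dynamic-API signatures fire on, and several of them are compiler-runtime boilerplate rather than sample logic: GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter is the MSVC/MinGW __security_init_cookie stack-cookie seed (the source of the "execution timing" hit), and SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, abort is MinGW's __report_gsfailure. The Go runtime metric names and panic strings found in memory, together with the _cgo_dummy_export export, mark the DLL as a cgo build. The block below is an added example, not part of the report: it parses the report's own lines (copied here), converts each process-local address to an RVA using the DLL load bases derivable from the report, deduplicates the same function seen in several PIDs, and labels sequences against an allow-list that is this example's assumption, not report data. rdtscp, the DebugPort query and the RtlGetVersion/RtlGetCurrentPeb probe stay marked for review. One further point a triage pass should note from the exported names the sandbox exercised: SignalInitializeCrashReporting and GetInstallDetailsPayload are names exported by Chrome's chrome_elf.dll, which fits the DLL Side-Loading entry in the ATT&CK matrix and the loader tag; confirm against a genuine chrome_elf.dll export table before relying on it.

```python
"""Added example: triage "Code function: <pid>_2_<addr> API,API,...<pid>_2_<addr>"
report lines by mapping each address back to an RVA in the DLL and matching the
API sequence against analyst-supplied compiler-runtime boilerplate."""
import re

# <pid>_2_<add> <apis...>[,]<pid>_2_<addr>; the trailing address repeats the leading one.
LINE = re.compile(r"(\d+)_2_([0-9A-Fa-f]{8}) (.+?),?\1_2_\2")

# Analyst-supplied allow-list (an assumption of this example, not report data):
# sequences that MSVC/MinGW runtime code emits on its own.
RUNTIME_BOILERPLATE = {
    ("GetSystemTimeAsFileTime", "GetCurrentProcessId", "GetCurrentThreadId",
     "GetTickCount", "QueryPerformanceCounter"):
        "CRT __security_init_cookie: seeds the stack cookie, not a timing check",
    ("SetUnhandledExceptionFilter", "UnhandledExceptionFilter", "GetCurrentProcess",
     "TerminateProcess", "abort"):
        "CRT __report_gsfailure: stack-cookie failure path",
    ("GetModuleHandleA", "LoadLibraryA", "GetProcAddress", "GetProcAddress", "GetProcAddress"):
        "import resolver stub: read the module and function name strings it passes",
}


def parse_line(line: str):
    """Return (pid, address, api tuple) for a Code function line, else None."""
    m = LINE.search(line)
    if not m:
        return None
    pid, addr, apis = m.groups()
    return int(pid), int(addr, 16), tuple(a.strip() for a in apis.split(",") if a.strip())


def triage(lines, module_bases: dict) -> list:
    """Deduplicate functions by RVA across processes and attach a verdict."""
    seen, out = set(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, addr, apis = parsed
        if pid not in module_bases:
            continue
        rva = addr - module_bases[pid]
        if (rva, apis) in seen:
            continue
        seen.add((rva, apis))
        out.append({"rva": rva, "apis": apis,
                    "verdict": RUNTIME_BOILERPLATE.get(apis, "review")})
    return out


# Lines copied from this report (the " | " separator after the source path is this example's).
REPORT_LINES = [
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe | Code function: 3_2_6D4913E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,3_2_6D4913E0",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe | Code function: 3_2_6D4FC0C0 rdtscp 3_2_6D4FC0C0",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe | Code function: 3_2_6D526300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,3_2_6D526300",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe | Code function: 20_2_6D4B6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,20_2_6D4B6300",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe | Code function: 3_2_6D526250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,3_2_6D526250",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe | Code function: 3_2_6D4C1C90 RtlGetVersion,RtlGetCurrentPeb,3_2_6D4C1C90",
]

# DLL load addresses per rundll32 process, derived from the report: 3_2_6D4913E0 is the
# resolver at RVA 0x13E0 (entry point 0x1380 + 0x60), and 20_2_6D4B6300 is the same
# function as 3_2_6D526300, 0x70000 lower.
DLL_BASES = {3: 0x6D490000, 20: 0x6D420000}

if __name__ == "__main__":
    for entry in triage(REPORT_LINES, DLL_BASES):
        print(f"RVA 0x{entry['rva']:05X}  {','.join(entry['apis'])}\n    -> {entry['verdict']}")
```

All five RVAs the block prints fall inside .text (0x1000 to 0x972a8 per the section table), and the two __report_gsfailure sightings collapse to the single RVA 0x96300, which is the check that turns "seen in N processes" back into "one function in the DLL".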
MITRE ATT&CK matrix (flattened from the report's table; entries prefixed with a count had matching signatures, the rest are the empty template cells of the matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Command and Scripting Interpreter; 1 Native API; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 11 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Rundll32; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 System Time Discovery; 2 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 3 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (image and legend not reproduced). Behavior Graph ID: 1544812, Sample: wPXfGrAC5q.dll, Startdate: 29/10/2024, Architecture: WINDOWS, Score: 48. Edges recoverable from the graph: Start [signature: AI detected suspicious sample] -> loaddll32.exe; loaddll32.exe -> rundll32.exe [signature: Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)] -> WerFault.exe; loaddll32.exe -> cmd.exe -> rundll32.exe -> WerFault.exe; loaddll32.exe -> rundll32.exe -> WerFault.exe; loaddll32.exe -> 12 other processes.

Source | Detection | Scanner | Label | Link
wPXfGrAC5q.dll | 5% | ReversingLabs | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1544812
Start date and time: 2024-10-29 19:25:03 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 37
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: wPXfGrAC5q.dll (renamed because the original name is a hash value)
Original Sample Name: 4763aeaf5e201de4c17fb127a565b73940ec67292bc75ce6bd45feb4104319ef.dll
Detection: MAL
Classification: mal48.mine.winDLL@35/0@0/0
EGA Information:
  • Successful, ratio: 13.3%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target loaddll32.exe, PID 4504 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 2408 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7424 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7524 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7624 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7648 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7716 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7776 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7828 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7868 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7908 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7948 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7988 because there are no executed functions
  • Not all processes were analyzed; the report is missing behavior information
  • VT rate limit hit for: wPXfGrAC5q.dll
Time | Type | Description
14:26:07 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
No context
No created / dropped files found
File type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 6.270490878558078
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: wPXfGrAC5q.dll
File size: 1'368'576 bytes
MD5: c5255f9a1c66c5dad7434ae8ecb90318
SHA1: 5d41f3073653f7d92079ca2b938778c000be6412
SHA256: 4763aeaf5e201de4c17fb127a565b73940ec67292bc75ce6bd45feb4104319ef
SHA512: 3d7ff579f6d365fb5c14039a95e717c0570f1c88eaac33722f7504ca9e19eebe6d366a61db293153dcdcf5c767d979ddc9658c7b83c4eb88befa4bef5a5686ba
SSDEEP: 24576:2mEA9daTnfLDWsHfEiL2IU6Fvuyufgk0NzptNoc02nMYm:26eZzJ0SL
TLSH: AB550800FD8784F1E403263285AB62AB6325AD195F31CBC7FB44BB79F9776D64832285
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....d.......H.................m......................................@... .........................-..
Icon Hash: 7ae282899bbab082
Entrypoint: 0x6d8c1380
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x6d8c0000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks: 0x6d9563e0, 0x6d956390
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: 47d9e8363ec498a9360ee0a7da269805
Instruction
sub esp, 1Ch
mov dword ptr [6DA2C730h], 00000000h
mov edx, dword ptr [esp+24h]
cmp edx, 01h
je 00007FBE99097C7Ch
mov ecx, dword ptr [esp+28h]
mov eax, dword ptr [esp+20h]
call 00007FBE99097AE2h
add esp, 1Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
mov dword ptr [esp+0Ch], edx
call 00007FBE9912CAFCh
mov edx, dword ptr [esp+0Ch]
jmp 00007FBE99097C39h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 6DA08000h
mov dword ptr [esp+04h], eax
call 00007FBE9912D94Eh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 6D95F000h
call dword ptr [6DA2E21Ch]
sub esp, 04h
test eax, eax
je 00007FBE99097CD5h
mov ebx, eax
mov dword ptr [esp], 6D95F000h
call dword ptr [6DA2E264h]
mov edi, dword ptr [6DA2E224h]
sub esp, 04h
mov dword ptr [6DA2C764h], eax
mov dword ptr [esp+04h], 6D95F013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 6D95F029h
mov dword ptr [esp], ebx
call edi
mov dword ptr [6D958000h], eax
sub esp, 08h
test esi, esi
je 00007FBE99097C73h
mov dword ptr [esp+00h], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x16d000 | 0x12d | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16e000 | 0xb78 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x171000 | 0x868c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x144fd0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x16e1cc | 0x190 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x962a8 | 0x96400 | 3f7138dd864e7ab0d61b20b4b0e9f320 | False | 0.46978830854825293 | data | 6.2819188635580785 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x98000 | 0x67c8 | 0x6800 | d6def15a45d1a2f2bc47494a96cf111b | False | 0.4201847956730769 | data | 4.442350908324895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x9f000 | 0xa63a0 | 0xa6400 | a03c82a89663fdce0625bd974c8b39d0 | False | 0.4318153782894737 | data | 5.591780982289819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram | 0x146000 | 0x1274 | 0x1400 | 85e22b3e84813337ea1a67b904c6bbcd | False | 0.3369140625 | data | 4.565839626312234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x148000 | 0x2477c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x16d000 | 0x12d | 0x200 | 67859e1c9d81f1d2bdf6b531a2016f52 | False | 0.44921875 | data | 3.400613123216997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata | 0x16e000 | 0xb78 | 0xc00 | cb8eb4a241279d6fed66c3ea8ecac795 | False | 0.3961588541666667 | data | 5.12056831676781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x16f000 | 0x2c | 0x200 | db151290603a2662b590a75b7e0b0988 | False | 0.0546875 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x170000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x171000 | 0x868c | 0x8800 | dd759d99f2ae66972a768d9593e9d04d | False | 0.6671070772058824 | data | 6.630807994886482 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetModuleHandleA, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadLocale, GetTickCount, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, PostQueuedCompletionStatus, QueryPerformanceCounter, RaiseFailFastException, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TerminateProcess, TlsAlloc, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WriteConsoleW, WriteFile, lstrlenA
msvcrt.dll | _amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, _wcsnicmp, abort, bsearch, calloc, fprintf, free, fwrite, malloc, mbstowcs, memcpy, memset, qsort, realloc, strcmp, strlen, strncmp, strtol, vfprintf, wcstombs
Name | Ordinal | Address
BarCreate | 1 | 0x6d9545d0
BarDestroy | 2 | 0x6d954850
BarFreeRec | 3 | 0x6d954800
BarRecognize | 4 | 0x6d9547b0
GetInstallDetailsPayload | 5 | 0x6d954710
SignalInitializeCrashReporting | 6 | 0x6d954760
SpellFree | 7 | 0x6d954620
SpellInit | 8 | 0x6d954670
SpellSpell | 9 | 0x6d9546c0
_cgo_dummy_export | 10 | 0x6da2c768
No network behavior found


Target ID:0
Start time:14:25:57
Start date:29/10/2024
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll"
Imagebase:0x290000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:14:25:57
Start date:29/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:14:25:57
Start date:29/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",#1
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:14:25:57
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\wPXfGrAC5q.dll,BarCreate
Imagebase:0xa60000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:14:25:57
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",#1
Imagebase:0xa60000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:14:25:58
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 824
Imagebase:0xdc0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:14:25:58
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 840
Imagebase:0xdc0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:17
Start time:14:26:00
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\wPXfGrAC5q.dll,BarDestroy
Imagebase:0xa60000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:19
Start time:14:26:03
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\wPXfGrAC5q.dll,BarFreeRec
Imagebase:0xa60000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:20
Start time:14:26:06
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarCreate
Imagebase:0xa60000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:21
Start time:14:26:06
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarDestroy
Imagebase:0xa60000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:22
Start time:14:26:06
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarFreeRec
Imagebase:0xa60000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:24
Start time:14:26:06
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",_cgo_dummy_export
Imagebase:0xa60000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:14:26:07
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7596 -s 832
Imagebase:0xdc0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:14:26:07
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SpellSpell
Imagebase:0xa60000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:14:26:07
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SpellInit
Imagebase:0xa60000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:14:26:07
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SpellFree
Imagebase:0xa60000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:14:26:07
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",SignalInitializeCrashReporting
Imagebase:0xa60000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:14:26:07
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",GetInstallDetailsPayload
Imagebase:0xa60000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:14:26:07
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\wPXfGrAC5q.dll",BarRecognize
Imagebase:0xa60000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true


    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:3
    Total number of Limit Nodes:0
    execution_graph 42543 6d4fcea0 42544 6d4fceb9 42543->42544 42545 6d4fcec8 WriteFile 42543->42545 42544->42545

    Control-flow Graph

    control_flow_graph 0 6d4fcea0-6d4fceb7 1 6d4fceb9-6d4fcec6 0->1 2 6d4fcec8-6d4fcee0 WriteFile 0->2 1->2
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    • Associated: 00000003.00000002.1262550535.000000006D490000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262655062.000000006D528000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262668868.000000006D529000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262692804.000000006D52A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262713185.000000006D52F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262803209.000000006D5D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262864204.000000006D5F6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262877843.000000006D5FD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262898118.000000006D5FE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262921875.000000006D601000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: 85c2b85776a70629b33a3df8641f855c0f8d31cf90c6eb6b9915d9fb54389004
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 24E0E571505600CFCB15DF18C2C1716BBE1EB88A00F0485A8DE098F74AD734ED10CB92

    Control-flow Graph

    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • API String ID: 0-2575422049
    • Opcode ID: 09d4bb7ec8d0c3913a8c058ce57e5899ab8c28bd90d303091c6d83b0bc0f49ca
    • Instruction ID: 176e266eb315b2ad8cf13d334001dbcff246de132e5cdcec460c67880327b35d
    • Opcode Fuzzy Hash: 09d4bb7ec8d0c3913a8c058ce57e5899ab8c28bd90d303091c6d83b0bc0f49ca
    • Instruction Fuzzy Hash: 3FB2F5785087458FCB64DF28C190BAABBF5FB89304F168D2ED98987750DB30A845CF96

    Control-flow Graph

    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    • Associated: 00000003.00000002.1262550535.000000006D490000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262655062.000000006D528000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262668868.000000006D529000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262692804.000000006D52A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262713185.000000006D52F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262803209.000000006D5D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262864204.000000006D5F6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262877843.000000006D5FD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262898118.000000006D5FE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262921875.000000006D601000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST$, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu$, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:$, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar$] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt$] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc$][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard $runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
    • API String ID: 0-566501290
    • Opcode ID: 741c352c3fb5dbf61d13edd255521c9d357e342ab9fd1ab9cb2a66eff9008502
    • Instruction ID: 254a9f2de361124229478188146f122d6b53b8f0b9f8e018a51591fad525a511
    • Opcode Fuzzy Hash: 741c352c3fb5dbf61d13edd255521c9d357e342ab9fd1ab9cb2a66eff9008502
    • Instruction Fuzzy Hash: 0C525879A0C7548FD720EF68C080B5ABBE5BF99304F12892DEA9887350D775AC45CB93

    Control-flow Graph

    control_flow_graph 1527 6d4c1570-6d4c157e 1528 6d4c181e-6d4c1823 call 6d4fae50 1527->1528 1529 6d4c1584-6d4c15b6 call 6d4c32a0 1527->1529 1528->1527 1534 6d4c15bc-6d4c15ea call 6d4c1470 1529->1534 1535 6d4c1807-6d4c181d call 6d4f6a90 1529->1535 1540 6d4c15fc-6d4c1631 call 6d4c32a0 1534->1540 1541 6d4c15ec-6d4c15f9 call 6d4fc270 1534->1541 1535->1528 1546 6d4c1637-6d4c1669 call 6d4c1470 1540->1546 1547 6d4c17f1-6d4c1802 call 6d4f6a90 1540->1547 1541->1540 1551 6d4c167b-6d4c1683 1546->1551 1552 6d4c166b-6d4c1678 call 6d4fc270 1546->1552 1547->1535 1554 6d4c172d-6d4c175f call 6d4c1470 1551->1554 1555 6d4c1689-6d4c16bb call 6d4c1470 1551->1555 1552->1551 1561 6d4c1771-6d4c17a9 call 6d4c1470 1554->1561 1562 6d4c1761-6d4c176e call 6d4fc270 1554->1562 1563 6d4c16cd-6d4c16d5 1555->1563 1564 6d4c16bd-6d4c16ca call 6d4fc270 1555->1564 1575 6d4c17bb-6d4c17c4 1561->1575 1576 6d4c17ab-6d4c17b8 call 6d4fc270 1561->1576 1562->1561 1568 6d4c17db-6d4c17ec call 6d4f6a90 1563->1568 1569 6d4c16db-6d4c170d call 6d4c1470 1563->1569 1564->1563 1568->1547 1579 6d4c171f-6d4c1727 1569->1579 1580 6d4c170f-6d4c171c call 6d4fc270 1569->1580 1576->1575 1579->1554 1583 6d4c17c5-6d4c17d6 call 6d4f6a90 1579->1583 1580->1579 1583->1568
    Strings
    • ProcessPrng, xrefs: 6D4C15BF
    • , xrefs: 6D4C16A2
    • NtCreateWaitCompletionPacket, xrefs: 6D4C163E
    • , xrefs: 6D4C169A
    • RtlGetVersion, xrefs: 6D4C177E
    • RtlGetCurrentPeb, xrefs: 6D4C1734
    • NtAssociateWaitCompletionPacket, xrefs: 6D4C1690
    • ntdll.dll, xrefs: 6D4C1608
    • bcryptprimitives.dll, xrefs: 6D4C158D
    • bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible , xrefs: 6D4C1807
    • NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no , xrefs: 6D4C17C5
    • P, xrefs: 6D4C17E4
    • NtCancelWaitCompletionPacket, xrefs: 6D4C16E2
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    • Associated: 00000003.00000002.1262550535.000000006D490000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262655062.000000006D528000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262668868.000000006D529000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262692804.000000006D52A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262713185.000000006D52F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262803209.000000006D5D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262864204.000000006D5F6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262877843.000000006D5FD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262898118.000000006D5FE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262921875.000000006D601000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ $NtAssociateWaitCompletionPacket$NtCancelWaitCompletionPacket$NtCreateWaitCompletionPacket$NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no $P$ProcessPrng$RtlGetCurrentPeb$RtlGetVersion$bcryptprimitives.dll$bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible $ntdll.dll
    • API String ID: 0-2332038095
    • Opcode ID: b37972c4c4ae9a70e16c8c21cb8af90663bd1c45e6e63c1b42f0ee95284d3b93
    • Instruction ID: 25bae7b70aa697739b2704d9b35aefa88bf49d0d22624778e74965cd0942d300
    • Opcode Fuzzy Hash: b37972c4c4ae9a70e16c8c21cb8af90663bd1c45e6e63c1b42f0ee95284d3b93
    • Instruction Fuzzy Hash: D871B1B86097029FDB04DF64D190B5ABBF0BF8A345F12882DE59887750D774A848CFA7
    Strings
    • sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket, xrefs: 6D4B3E09
    • mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 6D4B41A9
    • sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto, xrefs: 6D4B3C4F
    • mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea, xrefs: 6D4B418A
    • mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 6D4B3D16
    • mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D4B3CE2, 6D4B4156
    • sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket, xrefs: 6D4B3CB8, 6D4B412C
    • nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo, xrefs: 6D4B3D81
    • swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D4B3C65
    • previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 6D4B3DAB
    • , xrefs: 6D4B3E12
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    • Associated: 00000003.00000002.1262550535.000000006D490000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262655062.000000006D528000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262668868.000000006D529000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262692804.000000006D52A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262713185.000000006D52F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262803209.000000006D5D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262864204.000000006D5F6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262877843.000000006D5FD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262898118.000000006D5FE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262921875.000000006D601000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo$ previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$ sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea$mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1$sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
    • API String ID: 0-893999930
    • Opcode ID: a4b6f96e01f99b67f5790dce06f39b1b33b2cb24092021990150e5e7ed52dd61
    • Instruction ID: c86e18323c070b527df91b74d763d5be2768cecc627a1882def48c195e929eea
    • Opcode Fuzzy Hash: a4b6f96e01f99b67f5790dce06f39b1b33b2cb24092021990150e5e7ed52dd61
    • Instruction Fuzzy Hash: C78236B460C3558FC755DF29C080B6ABBF1BF99748F51886DE9C88B391D7309845CBA2

    Control-flow Graph

    control_flow_graph 2261 6d4c2a90-6d4c2a9e 2262 6d4c2f48-6d4c2f4d call 6d4fae50 2261->2262 2263 6d4c2aa4-6d4c2afb call 6d4c33e0 2261->2263 2262->2261 2268 6d4c2eec-6d4c2f47 call 6d4fcef0 call 6d4c6bb0 call 6d4c7410 call 6d4c7100 call 6d4c6db0 call 6d4c6c10 call 6d4f6a90 2263->2268 2269 6d4c2b01-6d4c2b80 call 6d49a4e0 call 6d4c3110 2263->2269 2268->2262 2278 6d4c2bd1-6d4c2bd9 2269->2278 2279 6d4c2b82-6d4c2b8b 2269->2279 2283 6d4c2bdf-6d4c2be8 2278->2283 2284 6d4c2c68-6d4c2ca9 call 6d49a700 call 6d4fc479 call 6d4c32a0 2278->2284 2279->2278 2281 6d4c2b8d-6d4c2bcb call 6d4c32f0 2279->2281 2281->2278 2296 6d4c2e91-6d4c2ee7 call 6d4fcef0 call 6d4c6bb0 call 6d4c7410 call 6d4c7100 call 6d4c6db0 call 6d4c6c10 call 6d4f6a90 2281->2296 2283->2284 2288 6d4c2bea-6d4c2c28 call 6d4c32f0 2283->2288 2314 6d4c2caf-6d4c2cd1 2284->2314 2315 6d4c2d84-6d4c2dda call 6d4fcef0 call 6d4c6bb0 call 6d4c7410 call 6d4c7100 call 6d4c6db0 call 6d4c6c10 call 6d4f6a90 2284->2315 2298 6d4c2c2e-6d4c2c62 call 6d4c32a0 2288->2298 2299 6d4c2e36-6d4c2e8c call 6d4fcef0 call 6d4c6bb0 call 6d4c7410 call 6d4c7100 call 6d4c6db0 call 6d4c6c10 call 6d4f6a90 2288->2299 2296->2268 2298->2284 2313 6d4c2ddf-6d4c2e31 call 6d4c6bb0 call 6d4c7410 call 6d4c7100 call 6d4c6db0 call 6d4c6c10 call 6d4f6a90 2298->2313 2299->2296 2313->2299 2321 6d4c2cfa-6d4c2d7f call 6d4c6bb0 call 6d4c7410 call 6d4c72a0 call 6d4c7410 call 6d4c72a0 call 6d4c7410 call 6d4c6c10 call 6d4f6a90 2314->2321 2322 6d4c2cd3-6d4c2ce0 2314->2322 2315->2313 2321->2315 2322->2321 2329 6d4c2ce2-6d4c2cf9 call 6d4fc0a0 2322->2329
    Strings
    • ,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12, xrefs: 6D4C2D29
    • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi, xrefs: 6D4C2EFD
    • bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi, xrefs: 6D4C2D6E
    • %, xrefs: 6D4C2F3A
    • runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 6D4C2D95
    • runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b, xrefs: 6D4C2F31
    • runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte, xrefs: 6D4C2E47, 6D4C2EA2
    • NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor, xrefs: 6D4C2E20
    • VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec, xrefs: 6D4C2DC9
    • CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet, xrefs: 6D4C2E7B, 6D4C2ED6
    • runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr, xrefs: 6D4C2DEC
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    • Associated: 00000003.00000002.1262550535.000000006D490000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262655062.000000006D528000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262668868.000000006D529000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262692804.000000006D52A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262713185.000000006D52F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262803209.000000006D5D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262864204.000000006D5F6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262877843.000000006D5FD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262898118.000000006D5FE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262921875.000000006D601000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: %$,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet$NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte$runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
    • API String ID: 0-2809656213
    • Opcode ID: 190de15c26d2fd3574f2a550f1154d727f35e06ddfc732695e25033a7adcafa7
    • Instruction ID: 7cd63274e446b374311a5df026dcf2b3eb6811f450d73aaa7209c63b7b80781b
    • Opcode Fuzzy Hash: 190de15c26d2fd3574f2a550f1154d727f35e06ddfc732695e25033a7adcafa7
    • Instruction Fuzzy Hash: ECC1B2B850C3018FD700EF68C194B5ABBF4AF89708F12896CE59887750EB759989CF93
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    • Associated: 00000003.00000002.1262550535.000000006D490000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262655062.000000006D528000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262668868.000000006D529000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262692804.000000006D52A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262713185.000000006D52F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262803209.000000006D5D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262864204.000000006D5F6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262877843.000000006D5FD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262898118.000000006D5FE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262921875.000000006D601000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 4f63b915adac282159a9c7b8b4ce16011f756846745edadb5ca18c54579f2623
    • Instruction ID: c2a87ded36c932926fbedc1042f238fceefe3dbe016a748162da1b0cbed18915
    • Opcode Fuzzy Hash: 4f63b915adac282159a9c7b8b4ce16011f756846745edadb5ca18c54579f2623
    • Instruction Fuzzy Hash: EB0125B18093049BDB00BF7AA50971E7FF8EF46756F02452DD8859B644E7305818CBA3
    Strings
    • 3-, xrefs: 6D4F3D58
    • mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 6D4F3D05
    • malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty, xrefs: 6D4F3D1B
    • malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo, xrefs: 6D4F3D31
    • 2, xrefs: 6D4F3D50
    • 4, xrefs: 6D4F3D0E
    • mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential, xrefs: 6D4F3D47
    • p, xrefs: 6D4F3D5E
    • !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 6D4F36FF
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    • Associated: 00000003.00000002.1262550535.000000006D490000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262655062.000000006D528000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262668868.000000006D529000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262692804.000000006D52A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262713185.000000006D52F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262803209.000000006D5D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262864204.000000006D5F6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262877843.000000006D5FD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262898118.000000006D5FE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262921875.000000006D601000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$2$4$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo$malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $3-$p
    • API String ID: 0-234616912
    • Opcode ID: 36000e6f8093d866a5430e57eb0b40dfc78742d6121fb1dcd81252ac6c0ddcc5
    • Instruction ID: 5e84bd88ddc9374f3372c675fed73625cb6690d3f1bded31f2c3af62e5ae6fc0
    • Opcode Fuzzy Hash: 36000e6f8093d866a5430e57eb0b40dfc78742d6121fb1dcd81252ac6c0ddcc5
    • Instruction Fuzzy Hash: F36256716083558FC714CF29C094B2ABBE1AFC9714F15896DE9988B3A2D735EC46CF82
    Strings
    • pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace, xrefs: 6D4E6593
    • , xrefs: 6D4E6039
    • :(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I, xrefs: 6D4E63FD
    • sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us, xrefs: 6D4E6566
    • , xrefs: 6D4E6031
    • (1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID, xrefs: 6D4E6320
    • non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard , xrefs: 6D4E66C5
    • fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit, xrefs: 6D4E6539
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ $ fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit$ pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace$ sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us$(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID$:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I$non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard
    • API String ID: 0-3830612415
    • Opcode ID: b7eaf88dfbc19b42f8d01d36c549c91034b67b5362078bb04524aaecfbbefea8
    • Instruction ID: cc6d7defab477a0932cd892dcc2f355a5779ab95cae01ec587923a5703a99928
    • Opcode Fuzzy Hash: b7eaf88dfbc19b42f8d01d36c549c91034b67b5362078bb04524aaecfbbefea8
    • Instruction Fuzzy Hash: 6A32E17860C3919FC365DF25C180BAABBE1AFC9345F058D2EEAC897351DB309845DB92
    Strings
    • timeEndPeriod, xrefs: 6D4C1B73
    • &, xrefs: 6D4C1C3D
    • winmm.dll, xrefs: 6D4C1AF3
    • runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta, xrefs: 6D4C1BD9
    • timeBeginPeriod, xrefs: 6D4C1B29
    • timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 6D4C1C0D
    • runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co, xrefs: 6D4C1C34
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: &$runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta$runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co$timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon$timeBeginPeriod$timeEndPeriod$winmm.dll
    • API String ID: 0-424793872
    • Opcode ID: 13555f13578f3b16d0281f4749bcc9bb94239a5c473834cb41362c89a7636f07
    • Instruction ID: c26da7c58520478aed5d2689de53c8ae69d9b61b41afd61415a37b0437f055b5
    • Opcode Fuzzy Hash: 13555f13578f3b16d0281f4749bcc9bb94239a5c473834cb41362c89a7636f07
    • Instruction Fuzzy Hash: CF51A3B85093419FDB04EF64C194B6ABBF0BF89349F02881DE59887750E7749848CF97
    Strings
    • findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina, xrefs: 6D4CE0BF
    • findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a, xrefs: 6D4CE0A9
    • findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi, xrefs: 6D4CE0EB
    • global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz, xrefs: 6D4CE093
    • !, xrefs: 6D4CE0DE
    • findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r, xrefs: 6D4CE0D5
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz
    • API String ID: 0-3518981815
    • Opcode ID: aecb2263e358502bf6df61bacc405f868f523314823403d97fb652ab89c933aa
    • Instruction ID: 661eea15fad0714ee6eec318ce036e50d5e9ccc641c14a7697c2edaf24d74a0b
    • Opcode Fuzzy Hash: aecb2263e358502bf6df61bacc405f868f523314823403d97fb652ab89c933aa
    • Instruction Fuzzy Hash: 08A2BE7864D3419FD764DF69C090B6ABBF0BF89744F12882DE99887390EB359844CB93
    Strings
    • runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar, xrefs: 6D4C1369
    • runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy, xrefs: 6D4C139D, 6D4C13F8, 6D4C144B
    • d, xrefs: 6D4C1276
    • 5, xrefs: 6D4C1420
    • runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not , xrefs: 6D4C1417
    • runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe, xrefs: 6D4C13C4
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 5$d$runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar$runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not $runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe$runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy
    • API String ID: 0-2414937731
    • Opcode ID: 346cf9c775de4e29c64ff2cc3ffe25e129436736eb8f8ca403733fdfe4de434c
    • Instruction ID: 32fb35f79bc96eeafd07280baf86ad2750614a0962f172b3867220d67a9ccc19
    • Opcode Fuzzy Hash: 346cf9c775de4e29c64ff2cc3ffe25e129436736eb8f8ca403733fdfe4de434c
    • Instruction Fuzzy Hash: C1518BB850D7019FD740EF68C094B5ABBF4BB89748F12882DE99887760D7749948CB93
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D52634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D52635F
    • GetCurrentProcess.KERNEL32 ref: 6D526368
    • TerminateProcess.KERNEL32 ref: 6D526379
    • abort.MSVCRT ref: 6D526382
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 90992f270a30fb7a8c6b918ca386c0f0dc9f022242b391306f8c457ddd9bacff
    • Instruction ID: aa16a8786d779ae9aed6c7714f2deaf593d3e44076abe82cfc8a7f039a9cbcaa
    • Opcode Fuzzy Hash: 90992f270a30fb7a8c6b918ca386c0f0dc9f022242b391306f8c457ddd9bacff
    • Instruction Fuzzy Hash: 1911D4B5908341CFCF00EF6DD18972A7BF0BB59305F428929E948DBB90E73499488F92
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6D526289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D4913B9), ref: 6D52629A
    • GetCurrentThreadId.KERNEL32 ref: 6D5262A2
    • GetTickCount.KERNEL32 ref: 6D5262AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D4913B9), ref: 6D5262B9
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 1638d95b2e350c0fff38d211fa45aa040b45ecd8b4d06cfdf1131eb7ffdce697
    • Instruction ID: a2b725890f0676eb794562908df5ca6fb72b8cae3ec5c1e0ea1326e77963e86c
    • Opcode Fuzzy Hash: 1638d95b2e350c0fff38d211fa45aa040b45ecd8b4d06cfdf1131eb7ffdce697
    • Instruction Fuzzy Hash: EB115AB6A053418BDF00DF79E48874BBBF4FB89264F064D3AE444CBA40EB31D4488B92
    Strings
    • min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 6D4B1A0F
    • !, xrefs: 6D4B1A18
    • min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW, xrefs: 6D4B19C0
    • runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti, xrefs: 6D4B198C, 6D4B19DB
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW$runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti
    • API String ID: 0-967014423
    • Opcode ID: 9fbdaeca6afd5279c1d70086c6e86de6b3ab12f087843d6c9174263f0bb19f2d
    • Instruction ID: 77ae3533196d7a5ff527fdb5815357b5a2ec55a1f76a3c2c6627882f7113ca49
    • Opcode Fuzzy Hash: 9fbdaeca6afd5279c1d70086c6e86de6b3ab12f087843d6c9174263f0bb19f2d
    • Instruction Fuzzy Hash: B1F1D1366093268FD705DE98C4C0A1EB7E2FBD8344F158A3CD9949B385EB71AC46C6D2
    Strings
    • stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many, xrefs: 6D4CA7B0
    • stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a , xrefs: 6D4CA843
    • stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl, xrefs: 6D4CA690
    • stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met, xrefs: 6D4CA7EB
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met$stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a $stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many$stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl
    • API String ID: 0-2039697367
    • Opcode ID: dcf9040c6b786d345aa4ea15dbe0aaf629e5b44d7b21ae81472199a8491593e9
    • Instruction ID: d399050fdeac1908233685fad2bc8f55776f4c24dbc188350f9e9bfaeb1128eb
    • Opcode Fuzzy Hash: dcf9040c6b786d345aa4ea15dbe0aaf629e5b44d7b21ae81472199a8491593e9
    • Instruction Fuzzy Hash: D4F1DF786093418FC708DF69C190A6ABBF1BF89704F16892EE99887361D770ED45CF92
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$'$PowerRegisterSuspendResumeNotification$powrprof.dll
    • API String ID: 0-4026319467
    • Opcode ID: 88681a91e84dedd9ff89ef51daea320344572a06c5cfa1b7a122ce2f46aea5df
    • Instruction ID: 788ccde12e035f2163e66a08f69f5bfcf72aa0c13e3da5dbaaa4c46f2e8e06fc
    • Opcode Fuzzy Hash: 88681a91e84dedd9ff89ef51daea320344572a06c5cfa1b7a122ce2f46aea5df
    • Instruction Fuzzy Hash: 1721ACB85083429FDB04CF25C094B5ABBF0BB89748F51892EE48887750E774DA89CF83
    Strings
    • runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add, xrefs: 6D4D69D7
    • <, xrefs: 6D4D6A0D
    • runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern, xrefs: 6D4D6A04
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: <$runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add$runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern
    • API String ID: 0-450027851
    • Opcode ID: 8a823d1a6e1b85790f1cf21e8d34c092a940ed4971034d1ddc2ec52fd7cb7a1a
    • Instruction ID: 738091f0336a785c095b7a731ac743031f74387ded84d990bc9307c5ac784eb8
    • Opcode Fuzzy Hash: 8a823d1a6e1b85790f1cf21e8d34c092a940ed4971034d1ddc2ec52fd7cb7a1a
    • Instruction Fuzzy Hash: 07026A70A087098FC754DF69C1A0A1ABBE1BFC9744F15892DE99987350EB71EC45CF82
    Strings
    • ', xrefs: 6D4C64AC
    • invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro, xrefs: 6D4C648D
    • suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support, xrefs: 6D4C64A3
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support
    • API String ID: 0-3278438963
    • Opcode ID: 560fc46e3fe941d059e87ca14b3d6d6abf52a3022408072205ff60cf0a976539
    • Instruction ID: 013417992d8dafb5dc71f60a34b88cab1e84a546547451b5973129227909f8a1
    • Opcode Fuzzy Hash: 560fc46e3fe941d059e87ca14b3d6d6abf52a3022408072205ff60cf0a976539
    • Instruction Fuzzy Hash: 29D12F7860D3418BC705DF29C090A2ABBF2AF8A708F55886DE9C59B361D735ED45CB83
    Strings
    • +, xrefs: 6D4B6D57
    • grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 6D4B6D4E
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: +$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
    • API String ID: 0-3347251187
    • Opcode ID: 86a108f4b3027a37efd62c24cb9639117b983845b141948ae8d4075a2e47b8d2
    • Instruction ID: 7de4f2db1082c4c891ce7c26b8a870c5301840748405f6f5490c60cec24c0281
    • Opcode Fuzzy Hash: 86a108f4b3027a37efd62c24cb9639117b983845b141948ae8d4075a2e47b8d2
    • Instruction Fuzzy Hash: D822DC7460D3819FC718DF29C190A2ABBF1BF99744F15882DE9D88B350EB35E845CB92
    Strings
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D4BB60F
    • @, xrefs: 6D4BB4FB
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
    • API String ID: 0-1191861649
    • Opcode ID: bbe1563f73de538c3b1711e0860603d979d011b5feece3fd268e21aadf7e0f37
    • Instruction ID: 66cf842d3e2726144e686ac283d984628797c45b3d221cf65d2e3768215aa595
    • Opcode Fuzzy Hash: bbe1563f73de538c3b1711e0860603d979d011b5feece3fd268e21aadf7e0f37
    • Instruction Fuzzy Hash: BFA19D75A0871A8FC704CF18C88065AB7E1FBC8314F598A2DE9959B351DB34ED5ACBC2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $@
    • API String ID: 0-1077428164
    • Opcode ID: e3ba5debd15f76a6aaefa3a3887d2a143ccbd6bbcc34f6ba0f96bb95f1b9330d
    • Instruction ID: 0cea6e6ef73c525de87323c69e561020db1f40b69c86f370ca4acf9ad77518bb
    • Opcode Fuzzy Hash: e3ba5debd15f76a6aaefa3a3887d2a143ccbd6bbcc34f6ba0f96bb95f1b9330d
    • Instruction Fuzzy Hash: 4E517514C1CF5B65EA3307BDC402A667B206EB3140B01D76FFDD6B58B2E7526D44BA22
    Strings
    • gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu, xrefs: 6D4ACFA1
    • ,, xrefs: 6D4ACFAA
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu
    • API String ID: 0-27675022
    • Opcode ID: 62a1c28f5f90129b5b752aa15a17c1d3eee1aa77083afea2e4b98cda9555f123
    • Instruction ID: eea1a67f056a4427b4ae4e6ed8bf1a86d3312df0852fa84d2132784eb8809c31
    • Opcode Fuzzy Hash: 62a1c28f5f90129b5b752aa15a17c1d3eee1aa77083afea2e4b98cda9555f123
    • Instruction Fuzzy Hash: 38318E75A093968FD305DF18C480B69B7F1AB86608F1981BDDC884F383CB31A84ACBC5
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 4
    • API String ID: 0-4088798008
    • Opcode ID: e6898a2444d43588d1f9da8cabea7cd54fc44ee9725e8cfb5668a477f88acb14
    • Instruction ID: 84ac198abf681daf216b33ef9b21329c453571c820e1682338683944d9e482ac
    • Opcode Fuzzy Hash: e6898a2444d43588d1f9da8cabea7cd54fc44ee9725e8cfb5668a477f88acb14
    • Instruction Fuzzy Hash: 3D22CF7560D3468FCB24DF58C4C4A6EB7E1AFC5385F148A2DD9998B391DB30AC06CB82
    Strings
    • span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 6D4A0D52
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
    • API String ID: 0-1712010102
    • Opcode ID: 14005ac0e0759c12e1e7fe3b0a1d002a6523f8ba1dfbdbd8422065016f160914
    • Instruction ID: 1c4497720f1d5b02f334f795ca038d73789730eb7ec000ef938e973c8272a607
    • Opcode Fuzzy Hash: 14005ac0e0759c12e1e7fe3b0a1d002a6523f8ba1dfbdbd8422065016f160914
    • Instruction Fuzzy Hash: 92D1337460D3459FC744DF29C090A2ABBE0BF99748F05892EE8D987388E735DD45CB92
    Strings
    • runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 6D4BD3CB
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
    • API String ID: 0-429552053
    • Opcode ID: 8d47cb719778fe562bdf8444e2251b133f13d18da7ecbf0e9e2d1054908e4ca0
    • Instruction ID: 8d088b234c2fed27c1658112c79f19dedf4dc98d239924130b6ac77a78a4ef22
    • Opcode Fuzzy Hash: 8d47cb719778fe562bdf8444e2251b133f13d18da7ecbf0e9e2d1054908e4ca0
    • Instruction Fuzzy Hash: 54B1D0786093469FCB44DF68C08092ABBF1BBD9344F52986DE99987350E734EC45CFA2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: b5840d282f328f845e8c7a512bb470953c99de65aff0c90bc7a6e6d604430f03
    • Instruction ID: 29a8b0459c677ad7bfff44eb4615e62638fb1487fd0cd19ae8299533d412b215
    • Opcode Fuzzy Hash: b5840d282f328f845e8c7a512bb470953c99de65aff0c90bc7a6e6d604430f03
    • Instruction Fuzzy Hash: B9911DB5A093059FC344CF28C080A1ABBE1FF88744F459A2EE99897341E774ED85CF92
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 209bfcf6607d6e35202bc5dd13ad6b5d58f4564cb1086c2278e8528b69295104
    • Instruction ID: 6bd139d1022ee9b8e3fb6cc2089e096d7c5531564c35331478b11fc8bfd412ab
    • Opcode Fuzzy Hash: 209bfcf6607d6e35202bc5dd13ad6b5d58f4564cb1086c2278e8528b69295104
    • Instruction Fuzzy Hash: 2EE13433B5972A4BD319DDBC88C065EB2D2ABC8344F19863CDD649B380FA75DD0A86D1
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    • Opcode ID: 7126408a7f447bd680b61c8c40ab04f50541d2a07e35632a74a433b8a9bf27c2
    • Instruction ID: 7d158b5ea1bf740015a81388c2bfca19c5456a6e9d30aa335a2d19c035dbd857
    • Opcode Fuzzy Hash: 7126408a7f447bd680b61c8c40ab04f50541d2a07e35632a74a433b8a9bf27c2
    • Instruction Fuzzy Hash: 53025D35A083569FD324CF68C480A1ABBE1BFC9384F55892DE9998B351D730EC46CB92
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    • Opcode ID: 0401a477030229bac47113f792d246dc142bb5e7f54d23b543e8ecc23a5d734b
    • Instruction ID: b5f0f9a9282381d867a77e9714f4c376cf33e16ccb5b7ac0a711b9997ba1fd3b
    • Opcode Fuzzy Hash: 0401a477030229bac47113f792d246dc142bb5e7f54d23b543e8ecc23a5d734b
    • Instruction Fuzzy Hash: CDE1C433F247250BD3149E58CC80249B6D2ABC8670F4EC72DED95AB781E9B4ED5987C2
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    • Opcode ID: 1d6a60dbe60b2681961fa36dce72b1c63ba4a39f34ef18bb0c02abadf2520839
    • Instruction ID: 49aa69c9540606e3e701c3d28a0d5a3d96784650f9f354ee60ebde7d297ccca2
    • Opcode Fuzzy Hash: 1d6a60dbe60b2681961fa36dce72b1c63ba4a39f34ef18bb0c02abadf2520839
    • Instruction Fuzzy Hash: D5C1B232B083164FC709DE6DC89061EB7E2ABC8344F59863CE9559B3A5E775EC0687C1
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    • Opcode ID: 9b7b26cfc792f1c335f1725b7868ce85b5e2b8dcfe4318b7255c89a52b6a9402
    • Instruction ID: a3205bb190d7718ba57d78c0fcdbdb576fe95eebaf6c1b0a5d2fc4bdab4f6734
    • Opcode Fuzzy Hash: 9b7b26cfc792f1c335f1725b7868ce85b5e2b8dcfe4318b7255c89a52b6a9402
    • Instruction Fuzzy Hash: BFE1A07560C3569FC315CF29C4C092EFBE1AFCA245F058A6DE9958B392D730E906CB92
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    • Opcode ID: 7c598f4bcac78695afc13ac2520ff06508f3cf6e71c4104e4ef145a19d086a33
    • Instruction ID: a02125ebd74f75a427a234481094f704e95cab0b0e3a7a8f01691972a07ee332
    • Opcode Fuzzy Hash: 7c598f4bcac78695afc13ac2520ff06508f3cf6e71c4104e4ef145a19d086a33
    • Instruction Fuzzy Hash: 2CF1CF7860D3918FC765CF29C090B5ABBE2BBC9304F54892EE9D887351EB31A845CB53
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    • Opcode ID: a9c6e22190f3f1b4da55449456ea5d3585ad3df93e3dbb0fe69e7934be5cc2d3
    • Instruction ID: e5352a59171fdb8759a470b97b6a27ad7fecfc881fc74718482b97099a7d056e
    • Opcode Fuzzy Hash: a9c6e22190f3f1b4da55449456ea5d3585ad3df93e3dbb0fe69e7934be5cc2d3
    • Instruction Fuzzy Hash: 2691353260871A4FC719CEADC4D091EB3E2FBC8344F65863CD9A94B380EB719D098691
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    • Opcode ID: e378392b6de6c717c7d2af4e6b815158d753a424ef2bcb6ac9fcf354f05ea77d
    • Instruction ID: 4c20642df03e344f3a25dace86fa8c02507194b27213e78d627628e40e4e9c75
    • Opcode Fuzzy Hash: e378392b6de6c717c7d2af4e6b815158d753a424ef2bcb6ac9fcf354f05ea77d
    • Instruction Fuzzy Hash: 92813637B4C72A0FD722CEA888D0A5D3692ABC8314F1A463CD9749B3C1FB719D0686D1
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    • Opcode ID: 06bb6eb002fb3cdd5649d8311c964d1036a1e851e609df9cb6ecd44ac8f8ac23
    • Instruction ID: 59529dafd320c07ffa9223198709b8ea65b47aceb34c528106e29133bc0e9b8a
    • Opcode Fuzzy Hash: 06bb6eb002fb3cdd5649d8311c964d1036a1e851e609df9cb6ecd44ac8f8ac23
    • Instruction Fuzzy Hash: 1D91B776A187194BD304DE59CCC0659B3D2BBC8724F49C63CECA89B345E674EE49CB81
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    • Opcode ID: 258cd515527484658cf994512891aed2257e0345bb7e6b296fa9ee358b41b362
    • Instruction ID: 587467e5ea9df3a4ca0625f63fa9496e61cbeb6113ebdf67990aa4ce71e8f079
    • Opcode Fuzzy Hash: 258cd515527484658cf994512891aed2257e0345bb7e6b296fa9ee358b41b362
    • Instruction Fuzzy Hash: 6481F9B2A183108FC314DF19D88095AFBE2BFC9758F46892DF988D7311E771E9158B86
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    • Opcode ID: e9c2482b27bfd74e4f6d63f37f01f187a51e2ca5a3403d108932c6f3fc093e2c
    • Instruction ID: 939e6ccb729db9a052c80a628ee4f26a485a49837de55bc24dc263f51d7f558b
    • Opcode Fuzzy Hash: e9c2482b27bfd74e4f6d63f37f01f187a51e2ca5a3403d108932c6f3fc093e2c
    • Instruction Fuzzy Hash: C691B9B8A093459FC308CF28C090A1ABBF1FF89748F119A6EE99997351D731E945CF46
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    • Opcode ID: aaac1fa95927537056fa748d1ed80cb4c36531cfe69fe86e380ee050db7f54d2
    • Instruction ID: 7e7f98d2b37547330a7e7e1af9c050adb64f92266385255146126434604a464a
    • Opcode Fuzzy Hash: aaac1fa95927537056fa748d1ed80cb4c36531cfe69fe86e380ee050db7f54d2
    • Instruction Fuzzy Hash: 7851657090C3A44AE3158F6F48D412EFFE16FC6301F884A6EF5E443392D5B89515DBAA
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    • Opcode ID: 275990a36b0daf1190de60436580de8b2bb1bb0469d2dc366f044f5f7e000d9e
    • Instruction ID: 6ef84759b06549e47cc2079a8759d5a641f681fca1b2cf9d1a214dd6ecce432b
    • Opcode Fuzzy Hash: 275990a36b0daf1190de60436580de8b2bb1bb0469d2dc366f044f5f7e000d9e
    • Instruction Fuzzy Hash: 3251667090C3A44AE3158F6F48D412AFFF16FC6301F884A6EF5E443392D5B89515DBAA
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    • Opcode ID: 0941e459c4c7b3d44e3e7f29a72fb57b6f7ea0caf4bcd586d4432be175d06a8c
    • Instruction ID: e2c6677492e833abfb3bbef7af491b943e340a5c6feb57542d597c291592cc5f
    • Opcode Fuzzy Hash: 0941e459c4c7b3d44e3e7f29a72fb57b6f7ea0caf4bcd586d4432be175d06a8c
    • Instruction Fuzzy Hash: 8A5159756093228FC718DF69C490A1AF7E0BF88604F1585BCD9599B391D731EC46CBC2
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    • Opcode ID: aa460718a45285219e59b2b64081da273a3212edda0f794421fce98b2b874d8f
    • Instruction ID: 39e93e5b933c902457d5a750bc5cc0f82220baa6e772e3fca9ff1d60bff2dea7
    • Opcode Fuzzy Hash: aa460718a45285219e59b2b64081da273a3212edda0f794421fce98b2b874d8f
    • Instruction Fuzzy Hash: 3941B271908B444FC706DF79C49071AB7E5BFCA384F15872DE94A6B752EB319842CB82
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    • Opcode ID: 2eed1e941005f1f224e1839a4e1ce2b41d6ac9ffdd15f675f91e58205b27f98f
    • Instruction ID: 050755276a0f72a22d1d318a6ea56b48dae06ab2f9d57133cf3ed1f17eafae53
    • Opcode Fuzzy Hash: 2eed1e941005f1f224e1839a4e1ce2b41d6ac9ffdd15f675f91e58205b27f98f
    • Instruction Fuzzy Hash: BE3152B381971D8BD300AF498840249F7E2BAC0A20F5E8A5ED9A457701DBB0AE15CBC7
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a661239ea3064ff0b48847191d940c505993e68adc4987cf570780fde1ac499b
    • Instruction ID: 652e9dc46092c8f9ff3f8406020033589ae1f5681a6567c1683f7d3841cbd67d
    • Opcode Fuzzy Hash: a661239ea3064ff0b48847191d940c505993e68adc4987cf570780fde1ac499b
    • Instruction Fuzzy Hash: 4821C5317042118FDB08CF3AD8D1626BBF3BBCA710B5A856CD555CB764D635AC0ACB46
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    • Associated: 00000003.00000002.1262550535.000000006D490000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262655062.000000006D528000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262668868.000000006D529000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262692804.000000006D52A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262713185.000000006D52F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262803209.000000006D5D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262864204.000000006D5F6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262877843.000000006D5FD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262898118.000000006D5FE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262921875.000000006D601000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8f97975bd662a1efe25da3797fe398c3ccf592f51241936849502cf60ccfe36f
    • Instruction ID: 8093a640f733bfb2ee2f451871f13f74e20ef728123382d213ac3fbc29a653d7
    • Opcode Fuzzy Hash: 8f97975bd662a1efe25da3797fe398c3ccf592f51241936849502cf60ccfe36f
    • Instruction Fuzzy Hash: 7D115B786083418FCB05CF20D0A4B69BBF1AF86308F51485CE5868B791D7359C59CF83
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    • Associated: 00000003.00000002.1262550535.000000006D490000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262655062.000000006D528000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262668868.000000006D529000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262692804.000000006D52A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262713185.000000006D52F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262803209.000000006D5D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262864204.000000006D5F6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262877843.000000006D5FD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262898118.000000006D5FE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262921875.000000006D601000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: eb04a15af518204485ffd3a881ce8e205166f18d50083abf45370a8b7e5c1ad0
    • Instruction ID: e2305ef14b32a97cbcdbcdff4afed588a8f705541185ed18e620c3394cc23866
    • Opcode Fuzzy Hash: eb04a15af518204485ffd3a881ce8e205166f18d50083abf45370a8b7e5c1ad0
    • Instruction Fuzzy Hash: CB11EDB4600B118FD398DF59C0D4E65B3E1FB8C200B4A81BDDB0E8BB66C670AC55DB85
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    • Associated: 00000003.00000002.1262550535.000000006D490000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262655062.000000006D528000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262668868.000000006D529000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262692804.000000006D52A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262713185.000000006D52F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262803209.000000006D5D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262864204.000000006D5F6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262877843.000000006D5FD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262898118.000000006D5FE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262921875.000000006D601000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 26c5f7abe7412f26dd0192d57b9dc7ba5b62c8c2efc495c8d25cd1be360089d6
    • Instruction ID: 0d105e5f7360f146a032c1ea1bb5160579548c8dc4a6eeaa741e54536e84ade4
    • Opcode Fuzzy Hash: 26c5f7abe7412f26dd0192d57b9dc7ba5b62c8c2efc495c8d25cd1be360089d6
    • Instruction Fuzzy Hash: 09C04CB0C5A352ADF751CB5C8180B56BEF1DBC5350F91C499A54882654C37489865A15
    APIs
    • Sleep.KERNEL32(?,?,?,6D4912E0,?,?,?,?,?,?,6D4913A3), ref: 6D491057
    • _amsg_exit.MSVCRT ref: 6D491085
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    • Associated: 00000003.00000002.1262550535.000000006D490000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262655062.000000006D528000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262668868.000000006D529000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262692804.000000006D52A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262713185.000000006D52F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262803209.000000006D5D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262864204.000000006D5F6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262877843.000000006D5FD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262898118.000000006D5FE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262921875.000000006D601000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID: cRm
    • API String ID: 1015461914-3661649468
    • Opcode ID: ab92184433cd05cc5792c16f4496a0f3830f677f2a82883ae4e9774e5801a954
    • Instruction ID: 96376ac8db1e13d7d0e9b29ed8bda85a514e78ada0f577720c11397b849e20cf
    • Opcode Fuzzy Hash: ab92184433cd05cc5792c16f4496a0f3830f677f2a82883ae4e9774e5801a954
    • Instruction Fuzzy Hash: 6B4186716092418BEB019F2AD485B2ABFF8FB86345F11892DD584CFB44D7368C85CF92
    APIs
    Strings
    • VirtualProtect failed with code 0x%x, xrefs: 6D52659A
    • Address %p has no image-section, xrefs: 6D5265DB
    • @, xrefs: 6D526578
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6D5265C7
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    • Associated: 00000003.00000002.1262550535.000000006D490000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262655062.000000006D528000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262668868.000000006D529000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262692804.000000006D52A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262713185.000000006D52F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262803209.000000006D5D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262864204.000000006D5F6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262877843.000000006D5FD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262898118.000000006D5FE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262921875.000000006D601000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 356c0bc30465397b992256b796e0ceb37e79124d962999532278008dbcc21bd6
    • Instruction ID: 67d6960a7ed96df04a67ba259b10649dbe3f6ca262e43e5edbd445f519fe1ba7
    • Opcode Fuzzy Hash: 356c0bc30465397b992256b796e0ceb37e79124d962999532278008dbcc21bd6
    • Instruction Fuzzy Hash: F7413DB19053019BCB04DF69D4C475AFBF0FB85314F468A2DD9989BA58E730E448CBD2
    APIs
    • CreateEventA.KERNEL32 ref: 6D525CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D525D89), ref: 6D525CEB
    • fwrite.MSVCRT ref: 6D525D20
    • abort.MSVCRT ref: 6D525D25
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6D525D19
    • =, xrefs: 6D525D05
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    • Associated: 00000003.00000002.1262550535.000000006D490000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262655062.000000006D528000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262668868.000000006D529000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262692804.000000006D52A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262713185.000000006D52F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262803209.000000006D5D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262864204.000000006D5F6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262877843.000000006D5FD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262898118.000000006D5FE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262921875.000000006D601000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: 6cfb2e7e75e69bfaa13f11a481762199cfcbd68d74a9b4af00e3c88fc2faaad7
    • Instruction ID: c3c9112c979dc702bc9510b91ad779923f4742dc7258b677fc8c0ee722aa1cc8
    • Opcode Fuzzy Hash: 6cfb2e7e75e69bfaa13f11a481762199cfcbd68d74a9b4af00e3c88fc2faaad7
    • Instruction Fuzzy Hash: 5EF0E1B04083019FEB04BF68D51932E7BF0BB41345F82896DD494CB681D77985588F53
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    • Associated: 00000003.00000002.1262550535.000000006D490000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262655062.000000006D528000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262668868.000000006D529000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262692804.000000006D52A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262713185.000000006D52F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262803209.000000006D5D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262864204.000000006D5F6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262877843.000000006D5FD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262898118.000000006D5FE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262921875.000000006D601000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: 1f8bb721b8cec8912e8321b2bac13740bc5d5bb8aa8f9abc483ad90b72c80b0a
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: 72115E709082018FE704DF68C88176A7BE4FF85354F158EA9E898CBBC5EB74D848CB52
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6D525E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D5245D9), ref: 6D525E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D5245D9), ref: 6D525E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D5245D9), ref: 6D525E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D5245D9), ref: 6D525E50
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    • Associated: 00000003.00000002.1262550535.000000006D490000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262655062.000000006D528000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262668868.000000006D529000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262692804.000000006D52A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262713185.000000006D52F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262803209.000000006D5D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262864204.000000006D5F6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262877843.000000006D5FD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262898118.000000006D5FE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262921875.000000006D601000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 85e7e986cd16aac47c4f2994d97bb949edd0143b078c6d866ac314d8ee3f542c
    • Instruction ID: 747475ccb74d758d3a0d6d2616ef1aaf9b365d7210c646e36596bb232456f762
    • Opcode Fuzzy Hash: 85e7e986cd16aac47c4f2994d97bb949edd0143b078c6d866ac314d8ee3f542c
    • Instruction Fuzzy Hash: D70140755043058FDA04FF79A58963ABBF4AF42290F420939D9908B784D731A469CF93
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6D527248
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    • Associated: 00000003.00000002.1262550535.000000006D490000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262655062.000000006D528000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262668868.000000006D529000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262692804.000000006D52A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262713185.000000006D52F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262803209.000000006D5D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262864204.000000006D5F6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262877843.000000006D5FD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262898118.000000006D5FE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262921875.000000006D601000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: 6437e23f0e1f852b3d7aa3a22dcaa5aa5f205588df2c0150a1b15a435b010166
    • Instruction ID: cfdc90dc65d1ca4c208ce2e9ab3d4a5fc7049e7c30e660efb2ab1c95e9cf2dfb
    • Opcode Fuzzy Hash: 6437e23f0e1f852b3d7aa3a22dcaa5aa5f205588df2c0150a1b15a435b010166
    • Instruction Fuzzy Hash: 62E0AEB080D3059AD304EF69C08961EBAF4BF88348F02C91CE1C847691C77888888F63
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D4912A5), ref: 6D526709
    Strings
    • Unknown pseudo relocation bit size %d., xrefs: 6D526799
    • Unknown pseudo relocation protocol version %d., xrefs: 6D526864
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    • Associated: 00000003.00000002.1262550535.000000006D490000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262655062.000000006D528000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262668868.000000006D529000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262692804.000000006D52A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262713185.000000006D52F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262803209.000000006D5D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262864204.000000006D5F6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262877843.000000006D5FD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262898118.000000006D5FE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262921875.000000006D601000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: a86e17c903deb3755f444fadfbd6377d709de59916844ac73d2ebde5c5e7373d
    • Instruction ID: bdb2d875d0bf733fe7810c2dc8ed7679cee5b3ccc5ab1a66d6b7387973c04390
    • Opcode Fuzzy Hash: a86e17c903deb3755f444fadfbd6377d709de59916844ac73d2ebde5c5e7373d
    • Instruction Fuzzy Hash: 5461AB75A083068BCB08CF69D4C066EB7F1FB86318F558929D8549BB84D771A81ACBD2
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1262580199.000000006D491000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D490000, based on PE: true
    • Associated: 00000003.00000002.1262550535.000000006D490000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262655062.000000006D528000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262668868.000000006D529000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262692804.000000006D52A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262713185.000000006D52F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262803209.000000006D5D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5DE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262826815.000000006D5E3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262864204.000000006D5F6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262877843.000000006D5FD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262898118.000000006D5FE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1262921875.000000006D601000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d490000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: b4e330d640d082da5a2d045f1562fcffb1f84cf61894aafaa7f23c383215f35a
    • Instruction ID: 988c897f7679d66946f816b3e4f2e59ac96402ddfb4abe9e14e22b7fe1432de1
    • Opcode Fuzzy Hash: b4e330d640d082da5a2d045f1562fcffb1f84cf61894aafaa7f23c383215f35a
    • Instruction Fuzzy Hash: 00F031769043158FDF047F6D94C9A2ABBF4AB46250B060978DD84CB605E730A95D8FE3

    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:3
    Total number of Limit Nodes:0
    execution_graph 42543 6d48cea0 42544 6d48cec8 VirtualAlloc 42543->42544 42545 6d48ceb9 42543->42545 42545->42544

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 0 6d48cea0-6d48ceb7 1 6d48cec8-6d48cee0 VirtualAlloc 0->1 2 6d48ceb9-6d48cec6 0->2 2->1
    APIs
    Memory Dump Source
    • Source File: 00000014.00000002.1360758151.000000006D421000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D420000, based on PE: true
    • Associated: 00000014.00000002.1360694439.000000006D420000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1360999687.000000006D4B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361064186.000000006D4B9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361148512.000000006D4BA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361193579.000000006D4BF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361421832.000000006D568000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361484376.000000006D56E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361484376.000000006D573000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361576198.000000006D586000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361636818.000000006D58D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361712108.000000006D58E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361753211.000000006D591000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_6d420000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: 997cde0a417c40a2ef3e2ad5edc3d8bf130b15c7de5dfb91ad0af62857a5c039
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 0CE0E571505700CFCB15DF18C2C1716BBE1EB48A00F0485A8DE098FB4AD738ED10CB92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D4B634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D4B635F
    • GetCurrentProcess.KERNEL32 ref: 6D4B6368
    • TerminateProcess.KERNEL32 ref: 6D4B6379
    • abort.MSVCRT ref: 6D4B6382
    Memory Dump Source
    • Source File: 00000014.00000002.1360758151.000000006D421000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D420000, based on PE: true
    • Associated: 00000014.00000002.1360694439.000000006D420000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1360999687.000000006D4B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361064186.000000006D4B9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361148512.000000006D4BA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361193579.000000006D4BF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361421832.000000006D568000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361484376.000000006D56E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361484376.000000006D573000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361576198.000000006D586000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361636818.000000006D58D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361712108.000000006D58E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361753211.000000006D591000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_6d420000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: e23ecdf1f743ec4f04f234b462f74a0cc78f77ad009e9f1fa9fd325e5cb3d997
    • Instruction ID: 1ccc55e2f883e4ea49709ffd5bb0eeb7c3dfbc2ad3fd09e204751a891b084a77
    • Opcode Fuzzy Hash: e23ecdf1f743ec4f04f234b462f74a0cc78f77ad009e9f1fa9fd325e5cb3d997
    • Instruction Fuzzy Hash: 701119B5904211CFDF00EF69C14572ABBF0FB5A302F02AA29E849C7750E73599448F92
    APIs
    • Sleep.KERNEL32(?,?,?,6D4212E0,?,?,?,?,?,?,6D4213A3), ref: 6D421057
    • _amsg_exit.MSVCRT ref: 6D421085
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1360758151.000000006D421000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D420000, based on PE: true
    • Associated: 00000014.00000002.1360694439.000000006D420000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1360999687.000000006D4B8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361064186.000000006D4B9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361148512.000000006D4BA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361193579.000000006D4BF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361421832.000000006D568000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361484376.000000006D56E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361484376.000000006D573000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361576198.000000006D586000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361636818.000000006D58D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361712108.000000006D58E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000014.00000002.1361753211.000000006D591000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_6d420000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID: cKm
    • API String ID: 1015461914-1094778660
    • Opcode ID: 63afef1a8c96878ac16cf73b5bccafa9d6802e1d13ceaa84bc8cb99d0817c068
    • Instruction ID: b44e6293878c97e139ac848db80e9aacd7696f4c7a9c4dc172388150241426d4
    • Opcode Fuzzy Hash: 63afef1a8c96878ac16cf73b5bccafa9d6802e1d13ceaa84bc8cb99d0817c068
    • Instruction Fuzzy Hash: 87417E71A082518BEB01AF6DC585B2AB7F0FB97345F12862ED544CBB44DB368C81CB92
    APIs
    Strings
    • Address %p has no image-section, xrefs: 6D4B65DB
    • @, xrefs: 6D4B6578
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6D4B65C7
    • VirtualProtect failed with code 0x%x, xrefs: 6D4B659A
    Memory Dump Source
    • Source File: 00000014.00000002.1360758151.000000006D421000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D420000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_6d420000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 287245bc53317a1c1d97a51a84d88ca0216d3e7bd1d598909ff034a2b794e8fa
    • Instruction ID: 406b89eb1c3c1389d912c3dbf2fcef0da484c171e96eeca21b0dc325353be628
    • Opcode Fuzzy Hash: 287245bc53317a1c1d97a51a84d88ca0216d3e7bd1d598909ff034a2b794e8fa
    • Instruction Fuzzy Hash: 20418EB19043119FCB00DF68D484A2AFBF4FB55315F568A2DD9589B714E730E854CBE2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1360758151.000000006D421000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D420000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_6d420000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 12c8f8330b79481422e13db15eb533e2f6f1dfdf4299282efcbc6eb9c0cbd12c
    • Instruction ID: 79b09d51d96c4eefc08800683f78d732081a089a413272d296d250878eb44a85
    • Opcode Fuzzy Hash: 12c8f8330b79481422e13db15eb533e2f6f1dfdf4299282efcbc6eb9c0cbd12c
    • Instruction Fuzzy Hash: ED011EB58093149BCB00BF78960971EBEF4AF52655F02452DD8C997614D73298548BA3
    APIs
    • CreateEventA.KERNEL32 ref: 6D4B5CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D4B5D89), ref: 6D4B5CEB
    • fwrite.MSVCRT ref: 6D4B5D20
    • abort.MSVCRT ref: 6D4B5D25
    Strings
    • =, xrefs: 6D4B5D05
    • runtime: failed to create runtime initialization wait event., xrefs: 6D4B5D19
    Memory Dump Source
    • Source File: 00000014.00000002.1360758151.000000006D421000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D420000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_6d420000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: ab1864232bdea4cc5c41f23759015b616d729c5962abec692a4101b5bd229b79
    • Instruction ID: a6700a7dd96b6eb1eb532e1a253f6d23da6ba4b707c6b68c547d9ce94ac4d353
    • Opcode Fuzzy Hash: ab1864232bdea4cc5c41f23759015b616d729c5962abec692a4101b5bd229b79
    • Instruction Fuzzy Hash: 4FF0ECB04087119FEB40BF68C51932EBBF0BB41345F92996DD89986681DB798449CFA3
    APIs
    Memory Dump Source
    • Source File: 00000014.00000002.1360758151.000000006D421000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D420000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_6d420000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: 822d518153aa1c8435f80ecddb036838023900477c1e324c2757df7d83f35b8a
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: 521129B090C3018BE7009F68C880B6A7BE4BB55354F158A69E498CB785EB74DC41CBB2
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6D4B6289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D4213B9), ref: 6D4B629A
    • GetCurrentThreadId.KERNEL32 ref: 6D4B62A2
    • GetTickCount.KERNEL32 ref: 6D4B62AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D4213B9), ref: 6D4B62B9
    Memory Dump Source
    • Source File: 00000014.00000002.1360758151.000000006D421000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D420000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_6d420000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 48517c2d683b67d989a6ef92253b1b664c36446b0913242554eb612d1a7cac94
    • Instruction ID: 266e803d666826b1bf97764bc5c784c98a9c4d5c61eaa0030c3beaeeca827ff8
    • Opcode Fuzzy Hash: 48517c2d683b67d989a6ef92253b1b664c36446b0913242554eb612d1a7cac94
    • Instruction Fuzzy Hash: 07115EB55053118BDF00EF79E48864BBBF4FB8A265F055D39E445C6700EB31D8498B92
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6D4B5E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D4B45D9), ref: 6D4B5E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D4B45D9), ref: 6D4B5E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D4B45D9), ref: 6D4B5E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D4B45D9), ref: 6D4B5E50
    Memory Dump Source
    • Source File: 00000014.00000002.1360758151.000000006D421000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D420000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_6d420000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: f977d2017fe13043c9435dfd3df2e8a9a211778b6e478ae335d4836e0c2e9dc4
    • Instruction ID: 9239abf72826ef2f3ee2846e5d7cd93a75b09010eb047c38d9aa24cb8fa1f621
    • Opcode Fuzzy Hash: f977d2017fe13043c9435dfd3df2e8a9a211778b6e478ae335d4836e0c2e9dc4
    • Instruction Fuzzy Hash: 6D0140716047198FDA00FF79D58952AFBF4AF53251F420629D89047741DB31A469CBA3
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6D4B7248
    Memory Dump Source
    • Source File: 00000014.00000002.1360758151.000000006D421000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D420000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_6d420000_rundll32.jbxd
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: c34f6947ffe0de3369c39f59b1fdfc2a26f71ee6f696d45495e704349ef1d537
    • Instruction ID: 5f53b14a94582768fc5b4486217fc951e9133218a3da5bfb91d5e8b297fb5fa6
    • Opcode Fuzzy Hash: c34f6947ffe0de3369c39f59b1fdfc2a26f71ee6f696d45495e704349ef1d537
    • Instruction Fuzzy Hash: 8FE0C2B080D3049ED304EF68C085A1EBAE4BF98348F02C91DE1C847251C7798984CBA3
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D4212A5), ref: 6D4B6709
    Strings
    • Unknown pseudo relocation bit size %d., xrefs: 6D4B6799
    • Unknown pseudo relocation protocol version %d., xrefs: 6D4B6864
    Memory Dump Source
    • Source File: 00000014.00000002.1360758151.000000006D421000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D420000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_6d420000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: c8eb756307d32d99d7254443e8493ba49265c11a85a0e8e77af5252156619c1f
    • Instruction ID: 4b16cd58b1e8539aec77169204a7555d51f57eeb5074ea7cc0962e7b8ef889ac
    • Opcode Fuzzy Hash: c8eb756307d32d99d7254443e8493ba49265c11a85a0e8e77af5252156619c1f
    • Instruction Fuzzy Hash: CE61BC70A042168FCF04CF68D4C0A6DB7F2FBA6718B65862DD9449F715DB71AC128BE2
    APIs
    Memory Dump Source
    • Source File: 00000014.00000002.1360758151.000000006D421000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D420000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_6d420000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 7b02f3082d5c423e3db5278abc4a426c15099a091d3fa7fe98ebdd2374e0be30
    • Instruction ID: b205ecf7ccb69de5e80e782f625ed80bc13531dab1c1b11c58d84e851a1ab714
    • Opcode Fuzzy Hash: 7b02f3082d5c423e3db5278abc4a426c15099a091d3fa7fe98ebdd2374e0be30
    • Instruction Fuzzy Hash: A3F0A4719006258FEF007F6CD489A2A7BB4EA57251B060668DD85CB705E731A819CBE3