Edit tour

Windows Analysis Report
jIcqgmCcrZ.dll

Overview

General Information

Sample name:	jIcqgmCcrZ.dll renamed because original name is a hash value
Original sample name:	9b3744c4390d6fca4984674ada398a9a59872cbc3eefa3e36623550e4abff4cf.dll
Analysis ID:	1544813
MD5:	cf9ab2f055c7237719fbb9adad6e166a
SHA1:	140c28115a21e2b53d02e754b38316764a39cdfb
SHA256:	9b3744c4390d6fca4984674ada398a9a59872cbc3eefa3e36623550e4abff4cf
Tags:	2024bankerdllgolangloadermekotiouser-johnk3r
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7600 cmdline: loaddll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7684 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7712 cmdline: rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7876 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 840 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7700 cmdline: rundll32.exe C:\Users\user\Desktop\jIcqgmCcrZ.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7864 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7700 -s 808 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7924 cmdline: rundll32.exe C:\Users\user\Desktop\jIcqgmCcrZ.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7992 cmdline: rundll32.exe C:\Users\user\Desktop\jIcqgmCcrZ.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 8064 cmdline: rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7264 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8064 -s 820 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 8092 cmdline: rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 8128 cmdline: rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 8180 cmdline: rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7288 cmdline: rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SpellSpell MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4608 cmdline: rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SpellInit MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1992 cmdline: rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SpellFree MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7088 cmdline: rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6348 cmdline: rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6792 cmdline: rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 91.6% probability

Bitcoin Miner

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D1314C0		4_2_6D1314C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD814C0		13_2_6CD814C0

Source: jIcqgmCcrZ.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: jIcqgmCcrZ.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	4_2_6D129DA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	4_2_6D11CB60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	4_2_6D128A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	4_2_6D103000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	13_2_6CD79DA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	13_2_6CD78A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	13_2_6CD6CB60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	13_2_6CD53000

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D12AD00	4_2_6D12AD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D117DD0	4_2_6D117DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D157FB0	4_2_6D157FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D176FB0	4_2_6D176FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D128E10	4_2_6D128E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D13CE40	4_2_6D13CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D10BE4F	4_2_6D10BE4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D172940	4_2_6D172940
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D110830	4_2_6D110830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D115820	4_2_6D115820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D181A00	4_2_6D181A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D12CA70	4_2_6D12CA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D10CA60	4_2_6D10CA60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D12BAB0	4_2_6D12BAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D12D525	4_2_6D12D525
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D12B540	4_2_6D12B540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D175590	4_2_6D175590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D12C460	4_2_6D12C460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D177490	4_2_6D177490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D183710	4_2_6D183710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D146730	4_2_6D146730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D15F732	4_2_6D15F732
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D12A790	4_2_6D12A790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D103620	4_2_6D103620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D181640	4_2_6D181640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D12C100	4_2_6D12C100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D175100	4_2_6D175100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D1261A0	4_2_6D1261A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D103000	4_2_6D103000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D13E040	4_2_6D13E040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D136040	4_2_6D136040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D123090	4_2_6D123090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D1210D0	4_2_6D1210D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D176240	4_2_6D176240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D1092E0	4_2_6D1092E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD67DD0	13_2_6CD67DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD7AD00	13_2_6CD7AD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD8CE40	13_2_6CD8CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD5BE4F	13_2_6CD5BE4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD78E10	13_2_6CD78E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CDA7FB0	13_2_6CDA7FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CDC6FB0	13_2_6CDC6FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD60830	13_2_6CD60830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD65820	13_2_6CD65820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CDC2940	13_2_6CDC2940
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD7BAB0	13_2_6CD7BAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD7CA70	13_2_6CD7CA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD5CA60	13_2_6CD5CA60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CDD1A00	13_2_6CDD1A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CDC7490	13_2_6CDC7490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD7C460	13_2_6CD7C460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CDC5590	13_2_6CDC5590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD7B540	13_2_6CD7B540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD7D525	13_2_6CD7D525
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CDD1640	13_2_6CDD1640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD53620	13_2_6CD53620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD7A790	13_2_6CD7A790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CDD3710	13_2_6CDD3710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CDAF732	13_2_6CDAF732
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD96730	13_2_6CD96730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD710D0	13_2_6CD710D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD73090	13_2_6CD73090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD8E040	13_2_6CD8E040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD86040	13_2_6CD86040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD53000	13_2_6CD53000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD761A0	13_2_6CD761A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD7C100	13_2_6CD7C100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CDC5100	13_2_6CDC5100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CD592E0	13_2_6CD592E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CDC6240	13_2_6CDC6240

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CD84FD0 appears 461 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CD87450 appears 687 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D137450 appears 687 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D134FD0 appears 461 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7700 -s 808

Source: jIcqgmCcrZ.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: classification engine

Classification label: mal48.mine.winDLL@35/0@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D184310 GetLastError,FormatMessageA,fprintf,LocalFree,

4_2_6D184310

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1d736759-b1ac-4fb9-b2d8-b54927f0f08f

Jump to behavior

Source: jIcqgmCcrZ.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jIcqgmCcrZ.dll,BarCreate

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jIcqgmCcrZ.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7700 -s 808
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 840
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jIcqgmCcrZ.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jIcqgmCcrZ.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8064 -s 820
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jIcqgmCcrZ.dll,BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jIcqgmCcrZ.dll,BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jIcqgmCcrZ.dll,BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",_cgo_dummy_export	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SpellSpell	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SpellInit	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SpellFree	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SignalInitializeCrashReporting	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",GetInstallDetailsPayload	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarRecognize	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: jIcqgmCcrZ.dll

Static PE information: Image base 0x6d8c0000 > 0x60000000

Source: jIcqgmCcrZ.dll

Static file information: File size 1198080 > 1048576

Source: jIcqgmCcrZ.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D1013E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_6D1013E0

Source: jIcqgmCcrZ.dll

Static PE information: real checksum: 0x12f39a should be: 0x12e36a

Source: jIcqgmCcrZ.dll

Static PE information: section name: .eh_fram

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D1F6FBD push cs; ret	4_2_6D1F6FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D1F59F2 push es; iretd	4_2_6D1F5A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D1F76AA push ebx; iretd	4_2_6D1F79EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D1F9120 push esp; iretd	4_2_6D1F918F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05080931 pushfd ; iretd	5_2_05080935
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE46FBD push cs; ret	13_2_6CE46FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE459F2 push es; iretd	13_2_6CE45A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE476AA push ebx; iretd	13_2_6CE479EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CE49120 push esp; iretd	13_2_6CE4918F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C38F4B push es; ret	14_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C38F34 push es; ret	14_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C38F4B push es; ret	15_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C38F34 push es; ret	15_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_0503A390 push ebp; ret	19_2_0503A398
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_04C38F4F push es; ret	20_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_04C3A464 push 0000007Dh; iretd	20_2_04C3A46E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_04C38F3B push es; ret	20_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 22_2_054803EA push es; ret	22_2_054803EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_0443B4A6 push edi; iretd	23_2_0443B4A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_0443AF4F push E196DF79h; retf	23_2_0443AF54
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_0503A47A push ebx; ret	24_2_0503A47D

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D160F80 rdtscp

4_2_6D160F80

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: rundll32.exe, 0000000F.00000002.1499455849.0000000002DDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: rundll32.exe, 0000000E.00000002.1499453953.0000000002EFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000015.00000002.1502118440.0000000002D7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
Source: rundll32.exe, 00000018.00000002.1503835346.0000000002CDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
Source: rundll32.exe, 00000013.00000002.1502109369.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: loaddll32.exe, 00000000.00000002.1504048906.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1408565033.0000000002A9A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1408831398.000000000311A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1439715963.00000000033FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1466006166.00000000026DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.1500561092.000000000280A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.1499453953.0000000002EFA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000002.1501918757.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000002.1503606102.000000000328A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.1503891564.00000000025BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe, 00000011.00000002.1500255453.000000000278A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D160F80 rdtscp

4_2_6D160F80

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D1013E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_6D1013E0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D183710 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,memset,IsBadReadPtr,realloc,SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,memcpy,SetLastError,SetLastError,SetLastError,SetLastError,

4_2_6D183710

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D184ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	4_2_6D184ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D184AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	4_2_6D184AE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CDD4ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	13_2_6CDD4ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CDD4AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	13_2_6CDD4AE0

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D184A30 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

4_2_6D184A30

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Rundll32	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
jIcqgmCcrZ.dll	3%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544813
Start date and time:	2024-10-29 19:25:24 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	jIcqgmCcrZ.dll renamed because original name is a hash value
Original Sample Name:	9b3744c4390d6fca4984674ada398a9a59872cbc3eefa3e36623550e4abff4cf.dll
Detection:	MAL
Classification:	mal48.mine.winDLL@35/0@0/0
EGA Information:	Successful, ratio: 13.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target loaddll32.exe, PID 7600 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 1992 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 4608 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 6348 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 6792 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 7088 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 7288 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 7712 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 7924 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 7992 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 8092 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 8128 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 8180 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: jIcqgmCcrZ.dll

Simulations

Behavior and APIs

Time	Type	Description
14:26:28	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.272421259544307
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	jIcqgmCcrZ.dll
File size:	1'198'080 bytes
MD5:	cf9ab2f055c7237719fbb9adad6e166a
SHA1:	140c28115a21e2b53d02e754b38316764a39cdfb
SHA256:	9b3744c4390d6fca4984674ada398a9a59872cbc3eefa3e36623550e4abff4cf
SHA512:	5b01efc86fedba70a766ac4ebe61b4defa32e5281b67e1cb1ab55b6c7fb8f2f87bae7f89ff13fdccfb1c957d9dabd6d69e393fe190914c472ef5f3df4ee33b44
SSDEEP:	24576:rSp2hQfLXmgFSdX5VeRECRjd67ZH2gwqBDBuD3Sg:rUMjVfl+Cg
TLSH:	94452800FD8744F1E50B2672A96B62AF3725AD054F319BC7FA54B679FB732E10832285
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....L...D...F...........`.....m......................................@... ......................@..-..

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x6d8c1380
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x6d8c0000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x6d944bc0, 0x6d944b70
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	a4a784e5029279463818b31167e8f38b

Entrypoint Preview

Instruction
sub esp, 1Ch
mov dword ptr [6DA23550h], 00000000h
mov edx, dword ptr [esp+24h]
cmp edx, 01h
je 00007F4C80863E8Ch
mov ecx, dword ptr [esp+28h]
mov eax, dword ptr [esp+20h]
call 00007F4C80863CF2h
add esp, 1Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
mov dword ptr [esp+0Ch], edx
call 00007F4C808E74ECh
mov edx, dword ptr [esp+0Ch]
jmp 00007F4C80863E49h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 6D9DF000h
mov dword ptr [esp+04h], eax
call 00007F4C808E834Eh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 6D94D000h
call dword ptr [6DA25224h]
sub esp, 04h
test eax, eax
je 00007F4C80863EE5h
mov ebx, eax
mov dword ptr [esp], 6D94D000h
call dword ptr [6DA2526Ch]
mov edi, dword ptr [6DA2522Ch]
sub esp, 04h
mov dword ptr [6DA23584h], eax
mov dword ptr [esp+04h], 6D94D013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 6D94D029h
mov dword ptr [esp], ebx
call edi
mov dword ptr [6D946000h], eax
sub esp, 08h
test esi, esi
je 00007F4C80863E83h
mov dword ptr [esp+00h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x164000	0x12d	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x165000	0xb94	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x168000	0x72d8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x11c670	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1651d0	0x194	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x84a98	0x84c00	9b46df07e86797f080c5d2f6c8e31b9f	False	0.4715454331450094	data	6.285912045167337	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x86000	0x60c8	0x6200	fc057da4c3da27ffb4603687731453eb	False	0.42251275510204084	data	4.418515878941253	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x8d000	0x8fa40	0x8fc00	fdd63b2a81df51a7180200934a2a068f	False	0.436460597826087	data	5.59084418212656	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram	0x11d000	0x1274	0x1400	7e0c196a5297fcb1314a2ce26d210985	False	0.3359375	data	4.556527782531458	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x11f000	0x4459c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x164000	0x12d	0x200	413e4b4248816189509f7ffe80d08073	False	0.458984375	data	3.4189467598340144	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x165000	0xb94	0xc00	e1ea2a2551376701992ead81eecc63e4	False	0.3958333333333333	data	5.069558373921308	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x166000	0x2c	0x200	51289c22ed2d6bf0af49e9f6ae9824ce	False	0.0546875	data	0.2069200177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x167000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x168000	0x72d8	0x7400	d911044f1b4531bd811dd017bc3b4259	False	0.6955482219827587	data	6.6386802754159415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetModuleHandleA, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadLocale, GetTickCount, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, PostQueuedCompletionStatus, QueryPerformanceCounter, RaiseFailFastException, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TerminateProcess, TlsAlloc, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WriteConsoleW, WriteFile, lstrlenA

msvcrt.dll

_amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, _wcsnicmp, abort, bsearch, calloc, fprintf, free, fwrite, malloc, mbstowcs, memcpy, memset, qsort, realloc, strcmp, strlen, strncmp, strtol, vfprintf, wcstombs

Exports

Name	Ordinal	Address
BarCreate	1	0x6d942db0
BarDestroy	2	0x6d943030
BarFreeRec	3	0x6d942fe0
BarRecognize	4	0x6d942f90
GetInstallDetailsPayload	5	0x6d942ef0
SignalInitializeCrashReporting	6	0x6d942f40
SpellFree	7	0x6d942e00
SpellInit	8	0x6d942e50
SpellSpell	9	0x6d942ea0
_cgo_dummy_export	10	0x6da23588

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 19:26:45.539730072 CET	53	53369	1.1.1.1	192.168.2.8

Target ID:	0
Start time:	14:26:18
Start date:	29/10/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll"
Imagebase:	0x30000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:26:18
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:26:18
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",#1
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:26:18
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\jIcqgmCcrZ.dll,BarCreate
Imagebase:	0x40000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:26:18
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",#1
Imagebase:	0x40000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:26:18
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7700 -s 808
Imagebase:	0x780000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:26:18
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 840
Imagebase:	0x780000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:26:21
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\jIcqgmCcrZ.dll,BarDestroy
Imagebase:	0x40000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:26:24
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\jIcqgmCcrZ.dll,BarFreeRec
Imagebase:	0x40000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:26:27
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarCreate
Imagebase:	0x40000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:26:27
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarDestroy
Imagebase:	0x40000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:26:27
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarFreeRec
Imagebase:	0x40000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	14:26:27
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",_cgo_dummy_export
Imagebase:	0x40000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	14:26:27
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8064 -s 820
Imagebase:	0x780000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	14:26:27
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SpellSpell
Imagebase:	0x40000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	14:26:27
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SpellInit
Imagebase:	0x40000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	14:26:27
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SpellFree
Imagebase:	0x40000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	14:26:27
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",SignalInitializeCrashReporting
Imagebase:	0x40000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	14:26:28
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",GetInstallDetailsPayload
Imagebase:	0x40000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	14:26:28
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\jIcqgmCcrZ.dll",BarRecognize
Imagebase:	0x40000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Executed Functions

Function 6D184790 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_beginthread.MSVCRT ref: 6D1847B6
_errno.MSVCRT ref: 6D1847C1
_errno.MSVCRT ref: 6D1847C8
fprintf.MSVCRT ref: 6D1847E8
abort.MSVCRT ref: 6D1847ED
Sleep.KERNEL32 ref: 6D184806

Strings

runtime: failed to create new OS thread (%d), xrefs: 6D1847D9

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: _errno$Sleep_beginthreadabortfprintf
String ID: runtime: failed to create new OS thread (%d)
API String ID: 1261927973-3231778263
Opcode ID: 228043e70378de54e0fe63e19d21fd352f7412403ff3a57b710022750bcd11d0
Instruction ID: 31a206c9a920f5ba701d02b1ac1ec743c08960355e439bfddaf2b0b2a222526d
Opcode Fuzzy Hash: 228043e70378de54e0fe63e19d21fd352f7412403ff3a57b710022750bcd11d0
Instruction Fuzzy Hash: 6B0162745093449FD700AF64D88823EBBF8FF4A715F42891DE58543216D7719440DE63

Function 6D161D40 Relevance: 1.3, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 6D161D68

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction ID: b5e29affe2ec0ce561a7343d736bf222842a31e05448cc81a7a2007b020f04cd
Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction Fuzzy Hash: 3FE0C2715056408FCB15DF18C2C5316BBE1EB48A00F0485A8DE098B74AD774ED10DA92

Non-executed Functions

Function 6D183710 Relevance: 33.8, APIs: 17, Strings: 2, Instructions: 564
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32 ref: 6D1837CC
GetProcessHeap.KERNEL32 ref: 6D18382D
HeapAlloc.KERNEL32 ref: 6D183846
memcpy.MSVCRT ref: 6D183912
memset.MSVCRT ref: 6D1839A9
IsBadReadPtr.KERNEL32 ref: 6D183A0F
realloc.MSVCRT ref: 6D183A5E
SetLastError.KERNEL32 ref: 6D183B19
SetLastError.KERNEL32 ref: 6D183B39

Strings

?, xrefs: 6D18371A
@, xrefs: 6D183833

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: ErrorHeapLast$AllocInfoNativeProcessReadSystemmemcpymemsetrealloc
String ID: ?$@
API String ID: 2257136212-1463999369
Opcode ID: 5b3d347343e7ba15c2d58f5c1db0aa88d63b5cfe62ff3d235d30b4f331e9a1cc
Instruction ID: 702db19b7b46fbcc6c5d596617a7a7b085e8c7d1abd1cad058c58b2dc9b9c66a
Opcode Fuzzy Hash: 5b3d347343e7ba15c2d58f5c1db0aa88d63b5cfe62ff3d235d30b4f331e9a1cc
Instruction Fuzzy Hash: 8642F5B46087429FD710DF29C58462ABBF0BF88314F49892DE999C7305E7B4E856CF82

Function 6D115820 Relevance: 19.8, Strings: 15, Instructions: 1007
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+1, xrefs: 6D116313, 6D1165D0
@s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-0, xrefs: 6D116136
MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException , xrefs: 6D1167E1
., xrefs: 6D11606D
ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm, xrefs: 6D116721
/]+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT, xrefs: 6D116595
5, xrefs: 6D116A6C
MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 6D11684B
gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintmapbindfile, xrefs: 6D116109
gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= , xrefs: 6D1158EA
non-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - d, xrefs: 6D116A63
failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 6D116A79
ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32, xrefs: 6D11635B
gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foun, xrefs: 6D116A8F
, xrefs: 6D115ED9

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID: $ @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-0$ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException $ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm$+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+1$.$/]+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT$5$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintmapbindfile$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foun$gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= $non-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - d
API String ID: 0-4142148823
Opcode ID: 1690043fb06d0711a892de7138d31bba4cb0ab4d0b88244050ef25c961df7b3f
Instruction ID: 5e2eadc45cc75ec789b1dac5d96c9efe5f0434420f459a1e6a7112735832cfb4
Opcode Fuzzy Hash: 1690043fb06d0711a892de7138d31bba4cb0ab4d0b88244050ef25c961df7b3f
Instruction Fuzzy Hash: DAB2E3B450D3858FC724DF28C594B9BBBF1FB8A308F02892ED99987355DBB49844CB52

Function 6D128E10 Relevance: 16.9, Strings: 13, Instructions: 645
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+1, xrefs: 6D12912D, 6D129157, 6D12957A, 6D1295A4
runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D1290B0, 6D1294E9
runtime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQueryServiceStatusGetCompu, xrefs: 6D1291A1
, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structCommonLazyCatCopySidWSARecvWSASendconnectconsole\\.\UNCforcegcallocmWcpupr, xrefs: 6D1296BE
runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard TimeSA Western Standard , xrefs: 6D129691
, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64TuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptrno anodeCancelIoReadFileAcceptExWSAIoctlshutdownnil PoolscavengepollDes, xrefs: 6D12963A
, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by ProcessPrngMoveFileExWNetShar, xrefs: 6D12960D
] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep, xrefs: 6D129550
][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CET, xrefs: 6D1290DA, 6D129523
bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D1291D8, 6D12999E
runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 6D12971E
] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc, xrefs: 6D129103
, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:, xrefs: 6D12974B

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID: , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+1$, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structCommonLazyCatCopySidWSARecvWSASendconnectconsole\\.\UNCforcegcallocmWcpupr$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64TuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptrno anodeCancelIoReadFileAcceptExWSAIoctlshutdownnil PoolscavengepollDes$, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:$, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by ProcessPrngMoveFileExWNetShar$] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep$] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc$][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CET$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon$runtime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQueryServiceStatusGetCompu$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard TimeSA Western Standard $runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-1393750224
Opcode ID: 370ae4bfdf8e4591126de72d530c638b39a9e9cb635fae8bc90962fdaa2cd030
Instruction ID: 8abd75a2453047764781cd28ec29bab2cd09d3e9fac7c46d68db61a5c890330e
Opcode Fuzzy Hash: 370ae4bfdf8e4591126de72d530c638b39a9e9cb635fae8bc90962fdaa2cd030
Instruction Fuzzy Hash: 81523675A4C758CFD320DF68C49075EB7F1BB89304F06892DEA9887349D7B5A984CB82

Function 6D123090 Relevance: 14.6, Strings: 11, Instructions: 823COMMON

Download Yara Rule

Strings

previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 6D123A68
mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 6D123D9C
sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevrunt, xrefs: 6D123AC6
, xrefs: 6D123ACF
swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D123922
sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executionattempte, xrefs: 6D12390C
sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileEx, xrefs: 6D123975, 6D123D1F
mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 6D1239D3
mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdea, xrefs: 6D123D7D
mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D12399F, 6D123D49
nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dlld.nx != 0profBlockstac, xrefs: 6D123A3E

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID: $ mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dlld.nx != 0profBlockstac$ previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$ sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileEx$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdea$mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1$sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevrunt$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executionattempte$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-23978083
Opcode ID: 7783d2cf8786d0f51e6de9c20b3414f2542cd1f119d11f57173d82024c9b46c9
Instruction ID: c2dff7810f3ee1a43202142b2817f75784e4854e5393145f5c4b24a987f16412
Opcode Fuzzy Hash: 7783d2cf8786d0f51e6de9c20b3414f2542cd1f119d11f57173d82024c9b46c9
Instruction Fuzzy Hash: 918235B460C3958FC314DF24C08076ABBF1BF89708F41896DE9D88B399D7B59989CB52

Function 6D1013E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6D1013F0
LoadLibraryA.KERNEL32 ref: 6D101406
GetProcAddress.KERNEL32 ref: 6D101425
GetProcAddress.KERNEL32 ref: 6D101437

Strings

__deregister_frame_info, xrefs: 6D10142C
__register_frame_info, xrefs: 6D10141A
libgcc_s_dw2-1.dll, xrefs: 6D1013E9, 6D1013FF

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 9d4ee72fd4dedee04b1d52a5c6938c282585d1e68b6880562d3320fd3de5e929
Instruction ID: 5aa03758e51ce43a84d175f03e8733a6d6ba4bce9892876d6b3539f35f01afc3
Opcode Fuzzy Hash: 9d4ee72fd4dedee04b1d52a5c6938c282585d1e68b6880562d3320fd3de5e929
Instruction Fuzzy Hash: A00125B18093549FCB00BFB9A54D32EBFF4AB86659F01852DD988D720ADBB49444CBD3

Function 6D10BE4F Relevance: 12.0, Strings: 9, Instructions: 703COMMON

Download Yara Rule

Strings

mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential, xrefs: 6D10C7B0
mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 6D10C76E
malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no , xrefs: 6D10C79A
2, xrefs: 6D10C7B9
4, xrefs: 6D10C777
malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated spanp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not found, xrefs: 6D10C784
delayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablecgo argument has Go pointer to unpinned Go pointerruntime: unabl, xrefs: 6D10C72A
!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 6D10C219
unexpected malloc header in delayed zeroing of large objectmanual span allocation called with non-manually-managed typeaddr range base and limit are not in the same memory segmentruntime: netpoll: PostQueuedCompletionStatus failed (errno= runtime: GetQueuedCom, xrefs: 6D10C714

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$2$4$delayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablecgo argument has Go pointer to unpinned Go pointerruntime: unabl$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no $malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated spanp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not found$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $unexpected malloc header in delayed zeroing of large objectmanual span allocation called with non-manually-managed typeaddr range base and limit are not in the same memory segmentruntime: netpoll: PostQueuedCompletionStatus failed (errno= runtime: GetQueuedCom
API String ID: 0-4221549744
Opcode ID: ed94c28fb7d79cfcd7ca627434e8b3c9f76621a0dee180c6f45f4f75a49eafd2
Instruction ID: d100c100556dad1e30b40df8c72119c5c29d8639a8e1d53666395acdbf319f44
Opcode Fuzzy Hash: ed94c28fb7d79cfcd7ca627434e8b3c9f76621a0dee180c6f45f4f75a49eafd2
Instruction Fuzzy Hash: 5152AE746083458FC304EF29C09076ABBF2BF89708F05896DE9948B399DBB5D945CF92

Function 6D184AE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6D184B2F
UnhandledExceptionFilter.KERNEL32 ref: 6D184B3F
GetCurrentProcess.KERNEL32 ref: 6D184B48
TerminateProcess.KERNEL32 ref: 6D184B59
abort.MSVCRT ref: 6D184B62

Strings

4&m, xrefs: 6D184B38

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID: 4&m
API String ID: 520269711-4175483643
Opcode ID: 2408a0efcdc3603763a3fb0dabf0478da9915fe8cad2f3a9433293f0ea4c6351
Instruction ID: 42283368be7b10bd263cd4158ff859e7af0fd9d5fe1ea150c56d8935f46b161c
Opcode Fuzzy Hash: 2408a0efcdc3603763a3fb0dabf0478da9915fe8cad2f3a9433293f0ea4c6351
Instruction Fuzzy Hash: 611113B5908381CFDB00EF69C54876EBBF1FB4A309F448929E8888B305E7749944CF92

Function 6D184ADC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6D184B2F
UnhandledExceptionFilter.KERNEL32 ref: 6D184B3F
GetCurrentProcess.KERNEL32 ref: 6D184B48
TerminateProcess.KERNEL32 ref: 6D184B59
abort.MSVCRT ref: 6D184B62

Strings

4&m, xrefs: 6D184B38

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID: 4&m
API String ID: 520269711-4175483643
Opcode ID: 491827d73e20894bc86153974839006be2f6f24ab62b9690ba91ae060bf6d67a
Instruction ID: 087624b521c668e7bed2fbdc5c2b9b7f1c26247afd3d3665d47eda3b6af327a9
Opcode Fuzzy Hash: 491827d73e20894bc86153974839006be2f6f24ab62b9690ba91ae060bf6d67a
Instruction Fuzzy Hash: FA11F0B5805385CFDB00EFA9D64876EBBF5FB0A309F048529E9489B346E7709844CF92

Function 6D172940 Relevance: 10.5, Strings: 7, Instructions: 1779COMMON

Download Yara Rule

Strings

0, xrefs: 6D173647
)./]+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I, xrefs: 6D173FC4, 6D17428F, 6D1743D3, 6D1746B5
0, xrefs: 6D173491
0, xrefs: 6D173724
%!Weekday(complex128MessageBoxWbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamecrypt32.dllmswsock.dllsecur32.d, xrefs: 6D173FAA, 6D174275
%!Month(avx512bwavx512vlFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dlld.nx != 0profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedcoroutinecopystackinterface ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B, xrefs: 6D1743B9, 6D17469B
0, xrefs: 6D173530

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID: %!Month(avx512bwavx512vlFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dlld.nx != 0profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedcoroutinecopystackinterface ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B$%!Weekday(complex128MessageBoxWbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamecrypt32.dllmswsock.dllsecur32.d$)./]+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I$0$0$0$0
API String ID: 0-2591048153
Opcode ID: dcdee9082f890a57f7dfef0a9dace0a757c44630d5ebd5dd3ad84c5e2e35cda0
Instruction ID: 3bce5727420e846b024c574c0e0ec35891c1d955cbfa329fff44ad7459cdcb0e
Opcode Fuzzy Hash: dcdee9082f890a57f7dfef0a9dace0a757c44630d5ebd5dd3ad84c5e2e35cda0
Instruction Fuzzy Hash: F903D374A0D3828FC335CF18C09069EFBE1BBC9314F15892EE99997365D7B0A945CB92

Function 6D157FB0 Relevance: 10.5, Strings: 8, Instructions: 515COMMON

Download Yara Rule

Strings

sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit , xrefs: 6D158654
, xrefs: 6D158127
, xrefs: 6D15811F
(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12P, xrefs: 6D15840E
fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault an, xrefs: 6D158627
:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12, xrefs: 6D1584EB
non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard TimeCaucasus Standard , xrefs: 6D1587B3
pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcin, xrefs: 6D158681

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID: $ $ fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault an$ pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcin$ sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit $(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12P$:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12$non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard TimeCaucasus Standard
API String ID: 0-1565611637
Opcode ID: c0cd4009faa71d221b10d9716bbc92991c4d495bd8f8bc5ce25879fde3856a17
Instruction ID: 39ba0b5dac9fd608e865cfdc6e896a58a6ed414f4711680d0f534573857bae21
Opcode Fuzzy Hash: c0cd4009faa71d221b10d9716bbc92991c4d495bd8f8bc5ce25879fde3856a17
Instruction Fuzzy Hash: 4632E3B461C3818FC365DF29C180B9EBBE1AFC9304F06882EE9D897359D7B49855CB52

Function 6D184310 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6D184314
FormatMessageA.KERNEL32 ref: 6D184359
fprintf.MSVCRT ref: 6D184382
LocalFree.KERNEL32 ref: 6D18438E

Strings

Erro: %s, xrefs: 6D184373

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessagefprintf
String ID: Erro: %s
API String ID: 659079672-2412703935
Opcode ID: f96c05382cb552922bdb852111f8a4999b2f52a6ed895009740da012a7c782ba
Instruction ID: 9fb5902bbf61ad0132a9e8bea739485648d6c8e239d35fb567b4cae3b7ff5335
Opcode Fuzzy Hash: f96c05382cb552922bdb852111f8a4999b2f52a6ed895009740da012a7c782ba
Instruction Fuzzy Hash: A2019DB44083419FE700EF64C08832EFFF0AB89349F40891DE8989A255E7B88148CF93

Function 6D13CE40 Relevance: 8.6, Strings: 6, Instructions: 1065COMMON

Download Yara Rule

Strings

findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceReg, xrefs: 6D13DEC2
findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a, xrefs: 6D13DEAC
findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r, xrefs: 6D13DED8
findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi, xrefs: 6D13DEEE
global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsruntime: typeBitsBulkBarrier without typeruntime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out, xrefs: 6D13DE96
!, xrefs: 6D13DEE1

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID: !$findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceReg$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsruntime: typeBitsBulkBarrier without typeruntime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out
API String ID: 0-3247796029
Opcode ID: a7e71ba8b18f6a89d35288ef52ce2ae9bc76f3f82dafa90f7b8e8f9b1fba7672
Instruction ID: d9bfd71032f1f898d43832a7538d8ce7f4be1dd8019aeaeec172b13d65c958a5
Opcode Fuzzy Hash: a7e71ba8b18f6a89d35288ef52ce2ae9bc76f3f82dafa90f7b8e8f9b1fba7672
Instruction Fuzzy Hash: C0A2DEB460D3518FD714DF28C194B6BBBE1AF8A748F42882DE9D887354EBB5D844CB42

Function 6D184A30 Relevance: 7.6, APIs: 5, Instructions: 55timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 6D184A69
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D1013B9), ref: 6D184A7A
GetCurrentThreadId.KERNEL32 ref: 6D184A82
GetTickCount.KERNEL32 ref: 6D184A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D1013B9), ref: 6D184A99

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 66d7770ed607a37dd30653389908ff40f2c4896f50e34101b4674b70cdbea587
Instruction ID: c5db93f440fff8f22ed077afcb8fc412054aee4222047454eb0362bec45eefad
Opcode Fuzzy Hash: 66d7770ed607a37dd30653389908ff40f2c4896f50e34101b4674b70cdbea587
Instruction Fuzzy Hash: 5F119EB65043418FCB00DFB8E88866BBBF5FB89259F014D39E545CB200EB74D458CB92

Function 6D1210D0 Relevance: 5.5, Strings: 4, Instructions: 494COMMON

Download Yara Rule

Strings

!, xrefs: 6D1216A8
min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from dalTLDpSugct?GetTempPath2WModule32NextW, xrefs: 6D121650
runtime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckruntime.gopanicImper, xrefs: 6D12161C, 6D12166B
min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 6D12169F

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from dalTLDpSugct?GetTempPath2WModule32NextW$runtime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckruntime.gopanicImper
API String ID: 0-1474820873
Opcode ID: 66d055560a8e6a5a2aa3f2478217d392b4c8865653317bc8b452084ad132e126
Instruction ID: 76f3161dcef61f12581593e7d90e64ab4f8ccf930b1bb525d3522ad42f949f6d
Opcode Fuzzy Hash: 66d055560a8e6a5a2aa3f2478217d392b4c8865653317bc8b452084ad132e126
Instruction Fuzzy Hash: AAF1D3726093268FD705DE58C4D061EB7E2BBC5348F15853CD9988B349EBB3D985C6C2

Function 6D1314C0 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

powrprof.dll, xrefs: 6D1314DD
', xrefs: 6D131519
', xrefs: 6D131521
PowerRegisterSuspendResumeNotification, xrefs: 6D13150F

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID: '$'$PowerRegisterSuspendResumeNotification$powrprof.dll
API String ID: 0-4026319467
Opcode ID: 8ff2beb508030891229f2f50efd332b2eac58328e4a0aa4d5278fbaf573a08ea
Instruction ID: de9383183fdfce8b047e716ce828190ab482d65907edcdf6349b2ac622c990f0
Opcode Fuzzy Hash: 8ff2beb508030891229f2f50efd332b2eac58328e4a0aa4d5278fbaf573a08ea
Instruction Fuzzy Hash: 4421AEB49083029FD704DF25D094B6ABBF0BB89708F41891EE49987354E7B9D688CF93

Function 6D136040 Relevance: 4.1, Strings: 3, Instructions: 316COMMON

Download Yara Rule

Strings

invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "permission deniedwrong medium typeno, xrefs: 6D1364C4
suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function 2006-01-02 15:04:05.999999999 -0700 MSTaddress family not supported by protocolinvalid span in heapArena, xrefs: 6D1364DA
', xrefs: 6D1364E3

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "permission deniedwrong medium typeno$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function 2006-01-02 15:04:05.999999999 -0700 MSTaddress family not supported by protocolinvalid span in heapArena
API String ID: 0-536681504
Opcode ID: 71bec0cd5aca25391225cb5c84c5b5c826d492e74a75709a886841927b2373ad
Instruction ID: 92a1b076a34ea13d060ea1e370c6a27fa4ca510094ef284aa7496c56ffe3efae
Opcode Fuzzy Hash: 71bec0cd5aca25391225cb5c84c5b5c826d492e74a75709a886841927b2373ad
Instruction Fuzzy Hash: 43D1437460D3658FC305DF29C090A2ABBF1AFCA708F46885DE9C48B356D7B5E944CB92

Function 6D1261A0 Relevance: 3.0, Strings: 2, Instructions: 472COMMON

Download Yara Rule

Strings

grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 6D126840
+, xrefs: 6D126849

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID: +$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
API String ID: 0-3347251187
Opcode ID: 9790728d7d7662a4b5dea4d360b0165a83f9a45632c3dbb252262f7b69557e21
Instruction ID: c4e7a8e3dbbf7ebff747e521e6be9e3409e2a8c6a596053b52708b2e6e91ca72
Opcode Fuzzy Hash: 9790728d7d7662a4b5dea4d360b0165a83f9a45632c3dbb252262f7b69557e21
Instruction Fuzzy Hash: 5722E07460C3458FC714DF68C190A2ABBF1BF89744F05892DE9D887398EBB5D884CB82

Function 6D12AD00 Relevance: 2.8, Strings: 2, Instructions: 280COMMON

Download Yara Rule

Strings

bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D12B085
@, xrefs: 6D12AF6E

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
API String ID: 0-1191861649
Opcode ID: aa5d9dfad288345b996012de7bc610b4f60bbaac79a9d696997b8c3ed41a466f
Instruction ID: 362e4f831a4371f38857a88fd6bdccb4359cd6067f664f6b629b424bda7480b2
Opcode Fuzzy Hash: aa5d9dfad288345b996012de7bc610b4f60bbaac79a9d696997b8c3ed41a466f
Instruction Fuzzy Hash: 88B1C2756087058FC308CF64C49065AB7F1FFC8318F448A2DE9999B385DBB5E95ACB82

Function 6D15F732 Relevance: 2.6, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 6D15F75D
, xrefs: 6D15F758

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: d786fed89c584ac20afcacfe5388158820803304fa9747564e340dab32a09f53
Instruction ID: c1183b0c698738cf6e1c6a3f3d465627dad8364055b98fdb210f609efb97177f
Opcode Fuzzy Hash: d786fed89c584ac20afcacfe5388158820803304fa9747564e340dab32a09f53
Instruction Fuzzy Hash: 1F51D514C1CF9B65EA330BBDC4026623B206EB3144B01D76FFDE6B54B2E7576940BA22

Function 6D11CB60 Relevance: 2.6, Strings: 2, Instructions: 88COMMON

Download Yara Rule

Strings

gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not , xrefs: 6D11CC41
,, xrefs: 6D11CC4A

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not
API String ID: 0-2682900153
Opcode ID: 70c7ba2b1dbb24d328573f9d1a512067439c6cf9dc81bc3670138d5ad1d94cdc
Instruction ID: 4eb6f4a61e7969f1daae261502e0b6f64ff391b5b005e317a51a0be9debf8540
Opcode Fuzzy Hash: 70c7ba2b1dbb24d328573f9d1a512067439c6cf9dc81bc3670138d5ad1d94cdc
Instruction Fuzzy Hash: 09317C756097568FC305DF18C490B6AB7E2ABD6208F4985BDDC884F387CB71984ACB81

Function 6D176240 Relevance: 1.9, Strings: 1, Instructions: 607COMMON

Download Yara Rule

Strings

,M3.2.0,M11.1.0RegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateD, xrefs: 6D1763DE

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID: ,M3.2.0,M11.1.0RegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateD
API String ID: 0-4001910974
Opcode ID: e810ec12621c53ea80933bff2437e0524796ac49fa69d45c3565003987bbc96a
Instruction ID: 18b4f32a93bb3448280bcba34ae3e75a30c29fb5bd50d23f4e078be68c875a38
Opcode Fuzzy Hash: e810ec12621c53ea80933bff2437e0524796ac49fa69d45c3565003987bbc96a
Instruction Fuzzy Hash: 785226B1A083898FD374CF19C45039FBBE1ABD8304F45892DDAD897395EBB599448B82

Function 6D12CA70 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pagespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: spl, xrefs: 6D12CDFB

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pagespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: spl
API String ID: 0-3032229779
Opcode ID: a2671262da8f38e537413f48011f8cf4924652b4f0f56f3c716b166beb3eb6bc
Instruction ID: 9451bf07d8d7d07fc0cdd01be8c23aa312302d4aad4899ee4e3f58bacdaad20c
Opcode Fuzzy Hash: a2671262da8f38e537413f48011f8cf4924652b4f0f56f3c716b166beb3eb6bc
Instruction Fuzzy Hash: DCB1E67460D3068FC704DF68D48492ABBF2BF89744F42882DEA9487354E7B1E995CB92

Function 6D175100 Relevance: 1.5, Strings: 1, Instructions: 278COMMON

Download Yara Rule

Strings

;, xrefs: 6D1753EA

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: 57bdb7829790f2dfba6b8a0dd1de9c95b46fe4f5d81f213143b02c8f10a604c3
Instruction ID: 4310e7ba9a293dae105a456857432dc6a4aa6f2e4f9e5d08acd032826dc12107
Opcode Fuzzy Hash: 57bdb7829790f2dfba6b8a0dd1de9c95b46fe4f5d81f213143b02c8f10a604c3
Instruction Fuzzy Hash: BAA1A471B083054FD71CDE6DD95131AFAE2ABC8304F05CA3DE599DB3A8E674D9058B82

Function 6D129DA0 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

@, xrefs: 6D129FCC

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 44e638d35cb25e6ff303be88e21a65a3a30c71701401989ebcb2679edebcb10d
Instruction ID: 5c458d86e16a6d00d3736849b02d05cdf80241542cdd2bff8565723cfd888780
Opcode Fuzzy Hash: 44e638d35cb25e6ff303be88e21a65a3a30c71701401989ebcb2679edebcb10d
Instruction Fuzzy Hash: DC9131B5A093459FC344CF28C180A5EBBE0FF89744F419A2DE99987345E776E984CF82

Function 6D177490 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a1c46c84946b70945b82b9105305da56b3977bc89a5c723635c61695fa94f2
Instruction ID: d5df7aa694d129e2b5f1811620b87bad8ce8998750ebf91c0f557680115dd245
Opcode Fuzzy Hash: 33a1c46c84946b70945b82b9105305da56b3977bc89a5c723635c61695fa94f2
Instruction Fuzzy Hash: 73228171A1C3468FD724CF69C49036BB7E2FB85304F55C82ED9858B258EBF09949CB82

Function 6D175590 Relevance: .5, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ee95cee113ea49648827cd853c5b08b5544ea1c23783732d30037d193dbd4a
Instruction ID: f01b222f1307d1a2c2bd2484fd6e4c503aedcb88283afdd41a909cd4179ede25
Opcode Fuzzy Hash: d5ee95cee113ea49648827cd853c5b08b5544ea1c23783732d30037d193dbd4a
Instruction Fuzzy Hash: 19129C72A087498FD324DE5DC98035AF7E6BBC4304F55CA3DD9548B369EBB0E9058B82

Function 6D12BAB0 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701297f1dff33cc2d4f9987fdbfb1d9ddd26b714d2777c1e6c792714a6f84f21
Instruction ID: d1a0b148f3aa47a4a2512057f195b46aafdb67666ae45a065c4ba6926cf444c4
Opcode Fuzzy Hash: 701297f1dff33cc2d4f9987fdbfb1d9ddd26b714d2777c1e6c792714a6f84f21
Instruction Fuzzy Hash: 97E12A33B5971A4BD315DDACC9C025EB2D2ABC4354F09863CDD649B388FAB6DC4986C1

Function 6D12B540 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e5a6af7f3d4c42c18bc959e1875a3e902dc8287de9292714091ec41d774fc3
Instruction ID: 93c05705b3339f581758c69c72b61b53fc689a513d885ca76cfd6e4636ee784f
Opcode Fuzzy Hash: f2e5a6af7f3d4c42c18bc959e1875a3e902dc8287de9292714091ec41d774fc3
Instruction Fuzzy Hash: 48E1E433E2472507D3149E58CC80249B2D3ABC8670F4EC72DED95AB785EAB4ED5987C2

Function 6D176FB0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a436fec61f9fc692dd3c182882756e62319e5d4d6c7cee8ef08486301b06bb1
Instruction ID: 4b71b3f20ae71007890ad9f525b5e86a712d280142124f0b0a2f7ff68ff9e439
Opcode Fuzzy Hash: 9a436fec61f9fc692dd3c182882756e62319e5d4d6c7cee8ef08486301b06bb1
Instruction Fuzzy Hash: 4DE1A2B2E0C3568BC325CF25845031FFBE2BBD5704F45896EE8958B355E7B19905CB82

Function 6D117DD0 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f356220d9015dd2195a60e33bf8e2863c13a247729af01419045982ba0152d59
Instruction ID: 65f740d612a1aa95f030fdfc6b18824a37ec29b73e18f521f639b721c5b09f1d
Opcode Fuzzy Hash: f356220d9015dd2195a60e33bf8e2863c13a247729af01419045982ba0152d59
Instruction Fuzzy Hash: 86C1B132B0C3268FC709DE6CC89061EBBE2ABC4344F49863DE9559B3A5E7B5DD058781

Function 6D13E040 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0bdbb6fa2d77c832f8344e3298698f06cbae0b1955b665182d340aed8f01869
Instruction ID: 96536a715864f438a5a10ac4585c0b041a6f0846613c88a8298999aed2dcb282
Opcode Fuzzy Hash: f0bdbb6fa2d77c832f8344e3298698f06cbae0b1955b665182d340aed8f01869
Instruction Fuzzy Hash: 8DF1D27860C3918FC764CF29C090B5BBBE2BBC9304F558A2DE9D887356DB70A905CB52

Function 6D181A00 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a6783c65c5ea5cc9f7a3a2f1397ee3f1193f9cd162f9dec9a5656eb1ab2c3f
Instruction ID: ae7c755e88954059fbbf5881096f3c2fc5bc5794796c1aff522f6d2aabb22039
Opcode Fuzzy Hash: b0a6783c65c5ea5cc9f7a3a2f1397ee3f1193f9cd162f9dec9a5656eb1ab2c3f
Instruction Fuzzy Hash: 68C1627060432A4FC251CE5EDCC0A6A73D1AB8821DF91866D96448F7C3DA3AF46B97A4

Function 6D181640 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7428b04ece66dd4d5c446aea92453d3d73293e64f04302531131cb9743e71df
Instruction ID: 11ad9551fb87fc545c8927a2bfe8f3125e3cc224a3821e617b6bec6a31856c1d
Opcode Fuzzy Hash: f7428b04ece66dd4d5c446aea92453d3d73293e64f04302531131cb9743e71df
Instruction Fuzzy Hash: 1CC1627060432A4FC251CE5EDCC0A6A73D1AB8821DF91866D9644CF7C3DA3AF46B97A4

Function 6D12C100 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e5a222bc38e1f1fada085d6feb79e59ab0f0f754cff598e58508d440de4848
Instruction ID: cb75699ef5012b9d308a6f67b6e3a0600e93dfd528073d1b6482dbf3aa7b1a99
Opcode Fuzzy Hash: c3e5a222bc38e1f1fada085d6feb79e59ab0f0f754cff598e58508d440de4848
Instruction Fuzzy Hash: E69178726083268FC719CE98C4D051EB3E3FBC8344F55873CDA690B385EBB2D9498681

Function 6D12C460 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472cf1b5b86e2c1df1c7ab0aa7b5468a75022a3eeb3612cba9d77577f0068efe
Instruction ID: d3c42d1103a3578b83bbd0095083cc1b4a87a07ff72a36618a8bb9b347a3b9ef
Opcode Fuzzy Hash: 472cf1b5b86e2c1df1c7ab0aa7b5468a75022a3eeb3612cba9d77577f0068efe
Instruction Fuzzy Hash: 6881163664872A4FD716CDA888D065E3293A7C4354F5A473CDA748B3C9EBF6D88582C1

Function 6D12A790 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d00e93500e2905d8a268cd020ba1b8495951a67098a7030b26e20e04da9ea7
Instruction ID: 0a440fd5879e985b3f8fbc054923b4fd30e7d9675cf3e7204767fb830a64a679
Opcode Fuzzy Hash: a8d00e93500e2905d8a268cd020ba1b8495951a67098a7030b26e20e04da9ea7
Instruction Fuzzy Hash: 1391D876A187184BD304DE59CCC0659B3E2BBC8324F49C63CE9A89B345E675EE49CB81

Function 6D103620 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf6df4ba4f104e55c43d60d4d6588f41ab6ad3febefbd74c12d316cf743b4c7
Instruction ID: 7409a648edd651c022a07212fda0c17fc1ee23691c7e11b7719983367e4b5dec
Opcode Fuzzy Hash: 4cf6df4ba4f104e55c43d60d4d6588f41ab6ad3febefbd74c12d316cf743b4c7
Instruction Fuzzy Hash: 5E81E8B2A183108FC314DF29D88095AF7E2BFC9748F46892DF988D7315E771E9158B86

Function 6D128A50 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1989fccbdd78ca351e295482f6704f932ef6e4c92120a4e133f9fdac5b8ea623
Instruction ID: 61a207cef558ef6333249606f31e03ba80479f1e1b997754311f5912d03a4a02
Opcode Fuzzy Hash: 1989fccbdd78ca351e295482f6704f932ef6e4c92120a4e133f9fdac5b8ea623
Instruction Fuzzy Hash: FF91CAB49093459FC348CF28C180A1ABBE0FF89708F019A6EE9A997355D775E985CB42

Function 6D103000 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4b65ca1b712b141f719a6cc410f12405f9590ab16a13d9b57ea69e3b381bed
Instruction ID: d4cc4fc60a25a9a5c95914bfcd51d137ab19308a821a5d3466425cb8611216b5
Opcode Fuzzy Hash: ed4b65ca1b712b141f719a6cc410f12405f9590ab16a13d9b57ea69e3b381bed
Instruction Fuzzy Hash: C461A87090C3A44AE30D9F6E44A503EFFE15BC9701F444E6EF5E603382D9B49505DBAA

Function 6D12D525 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e3f33d0df16e50c50a52412cf57d6acaa05abcb8a3815240be7da946adc83a
Instruction ID: cfe12ebdf07f521281f543eb4fcd82b8aee04b61cd9e0de7f220a3c7082bc413
Opcode Fuzzy Hash: 71e3f33d0df16e50c50a52412cf57d6acaa05abcb8a3815240be7da946adc83a
Instruction Fuzzy Hash: A9518BB57093128FC308CF65C590A1AB7E0FF88604F058A7CD9998B392D7B1E885CBC2

Function 6D10CA60 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb22e07b0fd2a94ee512ccb4148d75aebd5e42558242964805cdd0b9319361a4
Instruction ID: a69267cfc952991fdfd913abfa632c484eebfbde2c6835c1ad33004c36db0df1
Opcode Fuzzy Hash: cb22e07b0fd2a94ee512ccb4148d75aebd5e42558242964805cdd0b9319361a4
Instruction Fuzzy Hash: F441C571908B058FC306DE39C49031AB3E2BFCA384F14872DE94A9B352EB719882CB41

Function 6D110830 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a03400993cb20c872a264ca1e335c6655e4a3f43ebeff3149ee2d46be10feb10
Instruction ID: e40200ba1ab654b1544bfb7879bcc91ed2a1d2f2646d52f6094ebede019f648f
Opcode Fuzzy Hash: a03400993cb20c872a264ca1e335c6655e4a3f43ebeff3149ee2d46be10feb10
Instruction Fuzzy Hash: C53152B3D1971D8BD300AF498C50259F7E2ABD0B20F5E8A5ED9A417701DBB0AA15CBC7

Function 6D1092E0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b417dc22517812094547a45a680e7e806dcfa33e0991a6384c37cc7f39a37ae
Instruction ID: b68ce926665b18abf08a44202a48c2a0f6d8737c024e802b07ddd345784f9b4c
Opcode Fuzzy Hash: 0b417dc22517812094547a45a680e7e806dcfa33e0991a6384c37cc7f39a37ae
Instruction Fuzzy Hash: C221D731B082058BDB0CCF39C8F0527B7E6BBCA30075A856CD555CB798DA74A805CB56

Function 6D146730 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88cb0598d7670e68b8360e8ae541ccbfadbeae3ab85450a83c44dd2bf9cea2d5
Instruction ID: ad5bd016ef135f8d68f5ce64e276e4873aa723c39b3c76d46b604fe7eef54a64
Opcode Fuzzy Hash: 88cb0598d7670e68b8360e8ae541ccbfadbeae3ab85450a83c44dd2bf9cea2d5
Instruction Fuzzy Hash: 251109B4740B128FC348DF59C0D4D66B3E1FBCE210B4686BDDA4A8B766C670A811DA85

Function 6D160F80 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23791edb0afb137c5dc87c33a8037b032ac93080121a22209459abc4667e15aa
Instruction ID: 276ea63d1beca7f8bc705fbfafb9d227063b57364f960c8acc505cac863f05b1
Opcode Fuzzy Hash: 23791edb0afb137c5dc87c33a8037b032ac93080121a22209459abc4667e15aa
Instruction Fuzzy Hash: 4CC04CB091A3A29EE751CB398144756BEE09B85745F81C4D9A14842148C3B586909765

Function 6D184659 Relevance: 21.0, APIs: 9, Strings: 3, Instructions: 49
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 6D18468B
abort.MSVCRT ref: 6D184690
EnterCriticalSection.KERNEL32 ref: 6D1846AF
LeaveCriticalSection.KERNEL32 ref: 6D1846C9
SetEvent.KERNEL32 ref: 6D1846DA
fwrite.MSVCRT ref: 6D184713
abort.MSVCRT ref: 6D184718
EnterCriticalSection.KERNEL32 ref: 6D18472A
LeaveCriticalSection.KERNEL32 ref: 6D184743

Strings

;, xrefs: 6D1846F8
unexpected cgo_bindm on Windows, xrefs: 6D184684
runtime: failed to signal runtime initialization complete., xrefs: 6D18470C

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeaveabortfwrite$Event
String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
API String ID: 3057923235-924395932
Opcode ID: b522a108b7243c105a529f908900c0846b4387a06743e737f67d8714b41834fa
Instruction ID: 128454445b1c69d423d389e543d9643d7291d1baed543109bcee3ae19c025084
Opcode Fuzzy Hash: b522a108b7243c105a529f908900c0846b4387a06743e737f67d8714b41834fa
Instruction Fuzzy Hash: DF11C5B58087418FDB00BFB8C10D36EBAF0BB42308F45895DD98557206DBB99448DF63

Function 6D184C80 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6D184D0D

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 6D184DA7
Address %p has no image-section, xrefs: 6D184DBB
VirtualProtect failed with code 0x%x, xrefs: 6D184D7A
@, xrefs: 6D184D58

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
API String ID: 1804819252-1098444051
Opcode ID: e59906953809b1e08da8e0788bffdcbbb7bdc11a7ecdd1306e55e7c7caded84d
Instruction ID: a52a9f93967220a084add1109803ba937481dbdd450f840daf2d76af7c7fc4e9
Opcode Fuzzy Hash: e59906953809b1e08da8e0788bffdcbbb7bdc11a7ecdd1306e55e7c7caded84d
Instruction Fuzzy Hash: C34180769043419FD700DF68D4C862AFBF5FB99368F45CA29E9588B209E770E404CF92

Function 6D1832D0 Relevance: 12.2, APIs: 8, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6D183306
mbstowcs.MSVCRT ref: 6D183335
_wcsnicmp.MSVCRT ref: 6D183392
strtol.MSVCRT ref: 6D1833F2
lstrlenA.KERNEL32 ref: 6D183400
malloc.MSVCRT ref: 6D183469
SetLastError.KERNEL32 ref: 6D183483
free.MSVCRT ref: 6D1834BA

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
String ID:
API String ID: 533997002-0
Opcode ID: 69512a29576f7cb063da9984b9ba938e34e0757807ef442b7728b7e5de4d63ad
Instruction ID: 6105d27c543df82146f2a7e5ae3caf482cf489ed86fe0e1693b41968d90960af
Opcode Fuzzy Hash: 69512a29576f7cb063da9984b9ba938e34e0757807ef442b7728b7e5de4d63ad
Instruction Fuzzy Hash: 0251AF75A083158FD700DF29C48026EF7E5FBC8304F49892AE999D7216E7B4D94ACF92

Function 6D184840 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6D18484F
fwrite.MSVCRT ref: 6D18489D
abort.MSVCRT ref: 6D1848A2
free.MSVCRT ref: 6D1848C5

Part of subcall function 6D184790: _beginthread.MSVCRT ref: 6D1847B6
Part of subcall function 6D184790: _errno.MSVCRT ref: 6D1847C1
Part of subcall function 6D184790: _errno.MSVCRT ref: 6D1847C8
Part of subcall function 6D184790: fprintf.MSVCRT ref: 6D1847E8
Part of subcall function 6D184790: abort.MSVCRT ref: 6D1847ED

Strings

+, xrefs: 6D184882
runtime/cgo: out of memory in thread_start, xrefs: 6D184896

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
String ID: +$runtime/cgo: out of memory in thread_start
API String ID: 2633710936-1802439445
Opcode ID: fabdbd801fb80c1423ba8611950cca17d58dbf75efbb006b53be27ef72abe9e6
Instruction ID: f210b3210ce1172eab8472258dea111d1457cabde0256620e22ad0b20cc279ba
Opcode Fuzzy Hash: fabdbd801fb80c1423ba8611950cca17d58dbf75efbb006b53be27ef72abe9e6
Instruction Fuzzy Hash: A021C9749087408FD700EF29D58851AFBF5FF8A314F45899DD9888B32AD7759840CF92

Function 6D184490 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 6D1844B2
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D184569), ref: 6D1844CB
fwrite.MSVCRT ref: 6D184500
abort.MSVCRT ref: 6D184505

Strings

=, xrefs: 6D1844E5
runtime: failed to create runtime initialization wait event., xrefs: 6D1844F9

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: CreateCriticalEventInitializeSectionabortfwrite
String ID: =$runtime: failed to create runtime initialization wait event.
API String ID: 2455830200-3519180978
Opcode ID: ae3f116cc9001ebd2b13a9a4294a104bafca8d92cc53c68f6100f41fd5bee181
Instruction ID: cb2a09bb9ec3ab2ec1ed4da09ed381ec3023862035712eb6049151c79764cc88
Opcode Fuzzy Hash: ae3f116cc9001ebd2b13a9a4294a104bafca8d92cc53c68f6100f41fd5bee181
Instruction Fuzzy Hash: 63F0C9B04083429FE700FF68C40D33EBAF0BB46309F85885DD49986246EBB98044DF93

Function 6D101020 Relevance: 9.1, APIs: 6, Instructions: 112sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6D1012E0,?,?,?,?,?,?,6D1013A3), ref: 6D101057
_amsg_exit.MSVCRT ref: 6D101085

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: dcb5c0f768005702cd2da2570190f1108de7c36722b3919695948df95a99b4a0
Instruction ID: ce7c564378ce4a1d7988e5261cf3e9b847a4c060e0b124cb023d5f95104892a7
Opcode Fuzzy Hash: dcb5c0f768005702cd2da2570190f1108de7c36722b3919695948df95a99b4a0
Instruction Fuzzy Hash: 194153B16083818BE701AF69C48972BB7F1FB5A34CF45C529E598C724DDBB994C0CB92

Function 6D184D3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6D184D0D
VirtualProtect.KERNEL32 ref: 6D184D67
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D21CA48), ref: 6D184D74

Part of subcall function 6D185A10: fwrite.MSVCRT ref: 6D185A3F
Part of subcall function 6D185A10: vfprintf.MSVCRT ref: 6D185A5F
Part of subcall function 6D185A10: abort.MSVCRT ref: 6D185A64

Strings

VirtualProtect failed with code 0x%x, xrefs: 6D184D7A
@, xrefs: 6D184D58

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$@
API String ID: 1616349570-2953866262
Opcode ID: 7002c3df102ac9db51a3f04385a5030d3caf440c0c6cd72e05a21d0914adef0f
Instruction ID: 5617a8f946ee26ca18f5283f4f66e49428e65994675a887abb8e0c58c43acb07
Opcode Fuzzy Hash: 7002c3df102ac9db51a3f04385a5030d3caf440c0c6cd72e05a21d0914adef0f
Instruction Fuzzy Hash: 30213AB68083418FD700DF28D48862AFBF0FF99318F55CA29E9988725AE774E504CF52

Function 6D1834E0 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

bsearch.MSVCRT ref: 6D18353F
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6D1843CF), ref: 6D18357A
malloc.MSVCRT ref: 6D1835A8
qsort.MSVCRT ref: 6D1835F6

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: ErrorLastbsearchmallocqsort
String ID:
API String ID: 1451747280-0
Opcode ID: 30bfd1253e10287e40d63ab5337741731fa1b4910565ca7932f1b8fbe6ec55d0
Instruction ID: 641c09d95bd6e382dce67ac8cc929c4c506e3b5562bc1f01228e8f006f4b032d
Opcode Fuzzy Hash: 30bfd1253e10287e40d63ab5337741731fa1b4910565ca7932f1b8fbe6ec55d0
Instruction Fuzzy Hash: 5F411875A083018BD710DF29D48462AB7E1FF84314F49892DE889C7326E7B4E845CF92

Function 6D184030 Relevance: 7.6, APIs: 5, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 6D1840D5
SetLastError.KERNEL32 ref: 6D1840F7
SetLastError.KERNEL32 ref: 6D18410B

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: ErrorLast$LocaleThread
String ID:
API String ID: 2451566642-0
Opcode ID: 50f27549c09efd03c6a83ebe1a3e2046c98998e2203fb42aa0518306c1cdb873
Instruction ID: cb6944ec20cf2f7724dece7854079271d2d27fe01236f9cbd8adb6a7c1c355cb
Opcode Fuzzy Hash: 50f27549c09efd03c6a83ebe1a3e2046c98998e2203fb42aa0518306c1cdb873
Instruction Fuzzy Hash: 8F21A2702142058BD700DF39C884667B7F6BF89318F09C628E5A5CB296DBB5E805CF52

Function 6D1858B0 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6D1858C9
_unlock.MSVCRT ref: 6D1858F1
calloc.MSVCRT ref: 6D18593F

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
Instruction ID: fbd2ce66e9952b944670f23294358d79c82be6d4b6b4b6e3e4ef0a1bb3cd0c42
Opcode Fuzzy Hash: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
Instruction Fuzzy Hash: 77114CB0618201CFE700DF29C4C076A7BE4FF45364F95866AD99ACB28ADBB4D444CF62

Function 6D1845C0 Relevance: 7.5, APIs: 5, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 6D1845F0
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D182DB9), ref: 6D1845FC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D182DB9), ref: 6D18460E
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D182DB9), ref: 6D18461E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D182DB9), ref: 6D184630

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ObjectSingleWait
String ID:
API String ID: 1755037574-0
Opcode ID: a2ba0d1736b2038c335ac5ecb956e33d44901903bf6f80aa8abe13fbdc4ec376
Instruction ID: 17bfd3c0bb5c4b9a89093869a424ecc3e4a0f1eaadcc9779a88e06a66d2d9104
Opcode Fuzzy Hash: a2ba0d1736b2038c335ac5ecb956e33d44901903bf6f80aa8abe13fbdc4ec376
Instruction Fuzzy Hash: ED018CB0804389CBCB00FF79958962FBBF8BB87214F054569D89047241EB70E849CFA3

Function 6D185A10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6D185A3F
vfprintf.MSVCRT ref: 6D185A5F
abort.MSVCRT ref: 6D185A64

Strings

Mingw-w64 runtime failure:, xrefs: 6D185A38

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: abortfwritevfprintf
String ID: Mingw-w64 runtime failure:
API String ID: 3176311984-2889761391
Opcode ID: be54870881739147b28547f730f7066adec8e2bb443181f12e9e0972173ffee6
Instruction ID: 63b4214c1a67667e6d5db444e9afc3ad0eccd9224af1ab6103aebfecd4696b99
Opcode Fuzzy Hash: be54870881739147b28547f730f7066adec8e2bb443181f12e9e0972173ffee6
Instruction Fuzzy Hash: 28E0A5B040D3449AE300EF69C08526EBAF8EF85358F82C91DE5CA4725AC7B884849F53

Function 6D184DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D1012A5), ref: 6D184EE9

Strings

Unknown pseudo relocation protocol version %d., xrefs: 6D185044
Unknown pseudo relocation bit size %d., xrefs: 6D184F79

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: cef188e56a741c19bb2e7e7b2c6e1168186463ff98594113b1397e10217dd7a0
Instruction ID: bb13a08ae6ee6a43749ec204f56f8243035cba0384c69b15da57b88d427dbce1
Opcode Fuzzy Hash: cef188e56a741c19bb2e7e7b2c6e1168186463ff98594113b1397e10217dd7a0
Instruction Fuzzy Hash: EA61A235A482058BCB10DF6DC8C0669F7FAFB49318F15C169E9159B30EDBB5A806DF81

Function 6D1843A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6D184408

Part of subcall function 6D1834E0: bsearch.MSVCRT ref: 6D18353F

fprintf.MSVCRT ref: 6D18443C

Strings

$, xrefs: 6D1843ED

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: bsearchfprintffwrite
String ID: $
API String ID: 1110293247-3993045852
Opcode ID: 614cea7b908677df99892c32ebd19f6ecc1728f469356415d124b3800b612310
Instruction ID: 2e3639f89380ff1690f1b1d14bf41c3ebeccaabf51569b0dcd3cba3e86131c7e
Opcode Fuzzy Hash: 614cea7b908677df99892c32ebd19f6ecc1728f469356415d124b3800b612310
Instruction Fuzzy Hash: 5E0105B940D3109BD700EF68D44825EFBF4BB49358F06892EE98987206E7B58440CF63

Function 6D183630 Relevance: 5.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 6D183652
free.MSVCRT ref: 6D183692
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,6D183BBA), ref: 6D1836BB
HeapFree.KERNEL32 ref: 6D1836D0

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: Heapfree$FreeProcess
String ID:
API String ID: 3425746932-0
Opcode ID: 3f22206548c03aecceb8eda96550af2e68d61132edef2096ee44885bd8aa5967
Instruction ID: c538516c6081b1cb27fb8cc29e1885c8a310922e518746f8220c5377cb173d53
Opcode Fuzzy Hash: 3f22206548c03aecceb8eda96550af2e68d61132edef2096ee44885bd8aa5967
Instruction Fuzzy Hash: C721D6B5A053018BDB04EF29C1C872ABBE0BF94704F15C95CD88A8B30AD775D945CF91

Function 6D185050 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6D18505E
TlsGetValue.KERNEL32 ref: 6D185085
GetLastError.KERNEL32 ref: 6D18508C
LeaveCriticalSection.KERNEL32 ref: 6D1850AC

Memory Dump Source

Source File: 00000004.00000002.1409728066.000000006D101000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D100000, based on PE: true

Associated: 00000004.00000002.1409698268.000000006D100000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409803692.000000006D186000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409821182.000000006D187000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409838556.000000006D189000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D18D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409856535.000000006D1F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409941408.000000006D21F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D225000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1409966004.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410004935.000000006D25D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410018645.000000006D264000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410039844.000000006D265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1410057836.000000006D268000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d100000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 975831e1b4d7edeead8439cf2352c7ab1ddf9eddf361e8817062c4092f542e69
Instruction ID: fecfb1a0bc6bed7772bef8303687c7fdf64057f88e205a67232abe85ac197191
Opcode Fuzzy Hash: 975831e1b4d7edeead8439cf2352c7ab1ddf9eddf361e8817062c4092f542e69
Instruction Fuzzy Hash: 83F081B19043858BEB00BFB8958863B7BB4FA56304B054528DD854720EE770A855CBE3

Analysis Process: rundll32.exePID: 8064, Parent PID: 7600COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Executed Functions

Function 6CDD4790 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_beginthread.MSVCRT ref: 6CDD47B6
_errno.MSVCRT ref: 6CDD47C1
_errno.MSVCRT ref: 6CDD47C8
fprintf.MSVCRT ref: 6CDD47E8
abort.MSVCRT ref: 6CDD47ED
Sleep.KERNEL32 ref: 6CDD4806

Strings

runtime: failed to create new OS thread (%d), xrefs: 6CDD47D9

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: _errno$Sleep_beginthreadabortfprintf
String ID: runtime: failed to create new OS thread (%d)
API String ID: 1261927973-3231778263
Opcode ID: c7a389426eb59a5a3d3a5ea8cd9ce07831c93acf185735671749ae0aa424f691
Instruction ID: 2aff66d438ab59ff9578bee2a2481aead41d11d75df9a856a76a254fce034c65
Opcode Fuzzy Hash: c7a389426eb59a5a3d3a5ea8cd9ce07831c93acf185735671749ae0aa424f691
Instruction Fuzzy Hash: 9301ADB090A300DFC7007F68D98912EBBB4EF86314F46451DE48843720D730A484CBA3

Function 6CDB1D40 Relevance: 1.5, APIs: 1, Instructions: 21
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE ref: 6CDB1D68

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction ID: d12c1d1f2ab0480705f5eb9bef94e247ef6dc214db92af455d30a815f3f3c7b0
Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction Fuzzy Hash: 95E0E571505700CFCB15DF18C2C130ABBE1EB48A00F0485A8DE099FB4AD734ED10CB92

Non-executed Functions

Function 6CDD4AE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6CDD4B2F
UnhandledExceptionFilter.KERNEL32 ref: 6CDD4B3F
GetCurrentProcess.KERNEL32 ref: 6CDD4B48
TerminateProcess.KERNEL32 ref: 6CDD4B59
abort.MSVCRT ref: 6CDD4B62

Strings

4l, xrefs: 6CDD4B38

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID: 4l
API String ID: 520269711-1315691717
Opcode ID: 0dbbf7211afbe828e7094980858bc211f9ac07c0ff568d8643f5047dcb5438c1
Instruction ID: df7677feecf35520c64bd79249ddbfdb0189fb4e9c92828de0e1a59ee440ab97
Opcode Fuzzy Hash: 0dbbf7211afbe828e7094980858bc211f9ac07c0ff568d8643f5047dcb5438c1
Instruction Fuzzy Hash: FE1136B5A06701CFDB00EF69C64566EBBF4FB4A304F41892AE888C7350E734A944CF96

Function 6CDD4ADC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6CDD4B2F
UnhandledExceptionFilter.KERNEL32 ref: 6CDD4B3F
GetCurrentProcess.KERNEL32 ref: 6CDD4B48
TerminateProcess.KERNEL32 ref: 6CDD4B59
abort.MSVCRT ref: 6CDD4B62

Strings

4l, xrefs: 6CDD4B38

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID: 4l
API String ID: 520269711-1315691717
Opcode ID: a781447aaa3ce883f88384bc819795c9a877572b189c25e0691b4639e6640ebd
Instruction ID: bd2c1cec78b73bb8af5848a6da6389b9619ca278919986476592767b882e7cc4
Opcode Fuzzy Hash: a781447aaa3ce883f88384bc819795c9a877572b189c25e0691b4639e6640ebd
Instruction Fuzzy Hash: 1F1117B5A02701CFDB00EF69D64A66DBBF4FB06304F014529E94897350EB70A844CF96

Function 6CDD4659 Relevance: 21.0, APIs: 9, Strings: 3, Instructions: 49
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 6CDD468B
abort.MSVCRT ref: 6CDD4690
EnterCriticalSection.KERNEL32 ref: 6CDD46AF
LeaveCriticalSection.KERNEL32 ref: 6CDD46C9
SetEvent.KERNEL32 ref: 6CDD46DA
fwrite.MSVCRT ref: 6CDD4713
abort.MSVCRT ref: 6CDD4718
EnterCriticalSection.KERNEL32 ref: 6CDD472A
LeaveCriticalSection.KERNEL32 ref: 6CDD4743

Strings

;, xrefs: 6CDD46F8
runtime: failed to signal runtime initialization complete., xrefs: 6CDD470C
unexpected cgo_bindm on Windows, xrefs: 6CDD4684

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeaveabortfwrite$Event
String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
API String ID: 3057923235-924395932
Opcode ID: 9e84b79e40cd90c3e7911134487b90c9fa22d125c01873df3180d4932b0568b5
Instruction ID: 8a823ad451141efc8f708bc5c4b8d2d2bee76831d9449ec7a23821c87157f977
Opcode Fuzzy Hash: 9e84b79e40cd90c3e7911134487b90c9fa22d125c01873df3180d4932b0568b5
Instruction Fuzzy Hash: 1A11A7F29057118FDB00BFB8C20A36EBBF4BB42304F81491DD8895B611EB75A559CB67

Function 6CDD4C80 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6CDD4D0D

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 6CDD4DA7
@, xrefs: 6CDD4D58
Address %p has no image-section, xrefs: 6CDD4DBB
VirtualProtect failed with code 0x%x, xrefs: 6CDD4D7A

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
API String ID: 1804819252-1098444051
Opcode ID: 7af5a71f3745c56b3d746f5066e09061fba98c69404d0d4cc3cecf1ade1de7fa
Instruction ID: 5da9b3fb09e24c5d910e46d2d33f6a90c80e941aad7018cdba2b4ad2ba8b3fe6
Opcode Fuzzy Hash: 7af5a71f3745c56b3d746f5066e09061fba98c69404d0d4cc3cecf1ade1de7fa
Instruction Fuzzy Hash: 67418DB6A05301DFCB00DF69D585A6AFBF0FB85314F568A29D8589B724E730F404CB92

Function 6CD513E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6CD513F0
LoadLibraryA.KERNEL32 ref: 6CD51406
GetProcAddress.KERNEL32 ref: 6CD51425
GetProcAddress.KERNEL32 ref: 6CD51437

Strings

__register_frame_info, xrefs: 6CD5141A
libgcc_s_dw2-1.dll, xrefs: 6CD513E9, 6CD513FF
__deregister_frame_info, xrefs: 6CD5142C

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: e0b871b47e557b1021b0f9df0ee87399154e0a5fc5c878195d0aa6e68bc634c7
Instruction ID: f8766cca12584d428404b5a7bbdb3250129ddcef814357eae38e185c1357cbc1
Opcode Fuzzy Hash: e0b871b47e557b1021b0f9df0ee87399154e0a5fc5c878195d0aa6e68bc634c7
Instruction Fuzzy Hash: 6F0152B294A2009BDF007F79A60633EBFB4AB42245F42452DD88587B20D730A4148BA3

Function 6CDD32D0 Relevance: 12.2, APIs: 8, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CDD3306
mbstowcs.MSVCRT ref: 6CDD3335
_wcsnicmp.MSVCRT ref: 6CDD3392
strtol.MSVCRT ref: 6CDD33F2
lstrlenA.KERNEL32 ref: 6CDD3400
malloc.MSVCRT ref: 6CDD3469
SetLastError.KERNEL32 ref: 6CDD3483
free.MSVCRT ref: 6CDD34BA

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
String ID:
API String ID: 533997002-0
Opcode ID: 3d22335908fd10d5acc7053ebfdd6ec17d53da275184b08b8431b594f622092d
Instruction ID: d67b243b755e28ba1ac8f12529f8b9817a619fce23b36eb185ad0216d638ad37
Opcode Fuzzy Hash: 3d22335908fd10d5acc7053ebfdd6ec17d53da275184b08b8431b594f622092d
Instruction Fuzzy Hash: 77518FB5A093158FC700DF29D48026AF7F5FBC8305F56892EE898D7620E774E949CB92

Function 6CDD4840 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6CDD484F
fwrite.MSVCRT ref: 6CDD489D
abort.MSVCRT ref: 6CDD48A2
free.MSVCRT ref: 6CDD48C5

Part of subcall function 6CDD4790: _beginthread.MSVCRT ref: 6CDD47B6
Part of subcall function 6CDD4790: _errno.MSVCRT ref: 6CDD47C1
Part of subcall function 6CDD4790: _errno.MSVCRT ref: 6CDD47C8
Part of subcall function 6CDD4790: fprintf.MSVCRT ref: 6CDD47E8
Part of subcall function 6CDD4790: abort.MSVCRT ref: 6CDD47ED

Strings

runtime/cgo: out of memory in thread_start, xrefs: 6CDD4896
+, xrefs: 6CDD4882

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
String ID: +$runtime/cgo: out of memory in thread_start
API String ID: 2633710936-1802439445
Opcode ID: 6768e045c2e36bf90a685b2334b5d3049bc23f2d31961ffe555c97869a89270b
Instruction ID: 84ccd7f5919b10bc34da590154bf7f38040e23245260e6901e34681634f45fe2
Opcode Fuzzy Hash: 6768e045c2e36bf90a685b2334b5d3049bc23f2d31961ffe555c97869a89270b
Instruction Fuzzy Hash: 222113B49043008FD700AF28D18591AFBF4FF89304F42899DE8888B721E334A880CBA2

Function 6CDD4490 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 6CDD44B2
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CDD4569), ref: 6CDD44CB
fwrite.MSVCRT ref: 6CDD4500
abort.MSVCRT ref: 6CDD4505

Strings

=, xrefs: 6CDD44E5
runtime: failed to create runtime initialization wait event., xrefs: 6CDD44F9

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: CreateCriticalEventInitializeSectionabortfwrite
String ID: =$runtime: failed to create runtime initialization wait event.
API String ID: 2455830200-3519180978
Opcode ID: 091c55d3f7dcf96b85dca71503f589c711b40bb5e9b2e32a666208a339743532
Instruction ID: 1cc58face957aa85e0a05d3cd100ea1b404a48fd07394a411b328b7250bff861
Opcode Fuzzy Hash: 091c55d3f7dcf96b85dca71503f589c711b40bb5e9b2e32a666208a339743532
Instruction Fuzzy Hash: F9F0ECF19057019FE700BF68C50A36EBBF4BB41305F92885DD49997650EB79A088CF63

Function 6CD51020 Relevance: 9.1, APIs: 6, Instructions: 112sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6CD512E0,?,?,?,?,?,?,6CD513A3), ref: 6CD51057
_amsg_exit.MSVCRT ref: 6CD51085

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: bb4c7eb706f8f29ed397fe584c6e0ff33212182035910a55b4246c7f80d7ddb1
Instruction ID: 4b2bf915ef1298fa68004157d80419ae2aaa4e9e90f41c1d1a7211e56ce4440d
Opcode Fuzzy Hash: bb4c7eb706f8f29ed397fe584c6e0ff33212182035910a55b4246c7f80d7ddb1
Instruction Fuzzy Hash: E541A9B1709240CBEF009F1EC68676BB7B1EB45344F91452DD488C7761DB35D494CB92

Function 6CDD4D3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6CDD4D0D
VirtualProtect.KERNEL32 ref: 6CDD4D67
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CE6CA48), ref: 6CDD4D74

Part of subcall function 6CDD5A10: fwrite.MSVCRT ref: 6CDD5A3F
Part of subcall function 6CDD5A10: vfprintf.MSVCRT ref: 6CDD5A5F
Part of subcall function 6CDD5A10: abort.MSVCRT ref: 6CDD5A64

Strings

@, xrefs: 6CDD4D58
VirtualProtect failed with code 0x%x, xrefs: 6CDD4D7A

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$@
API String ID: 1616349570-2953866262
Opcode ID: 9fc9aec36c4006f19c52de8403fbf4029362e20ef130f84c080d85e2c8510984
Instruction ID: 5853a2f449de983395a3f7201af28457ab4d797d792f8952cb9fff5676b315c3
Opcode Fuzzy Hash: 9fc9aec36c4006f19c52de8403fbf4029362e20ef130f84c080d85e2c8510984
Instruction Fuzzy Hash: 122149B6905701CFDB00DF28D68566AFBF0FF89318F568A29D89897664E730E508CF52

Function 6CDD4310 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6CDD4314
FormatMessageA.KERNEL32 ref: 6CDD4359
fprintf.MSVCRT ref: 6CDD4382
LocalFree.KERNEL32 ref: 6CDD438E

Strings

Erro: %s, xrefs: 6CDD4373

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessagefprintf
String ID: Erro: %s
API String ID: 659079672-2412703935
Opcode ID: 66ad5f3732bf4d5e37b4e55bf31c66deaad7e894b030bc32928c0d9944538f33
Instruction ID: 0a2ab11b581e2820e815c61ab35f8025a0805f4bac1ba9bafee9d63ef0889573
Opcode Fuzzy Hash: 66ad5f3732bf4d5e37b4e55bf31c66deaad7e894b030bc32928c0d9944538f33
Instruction Fuzzy Hash: 90019DB09097019FEB00AF68C18931EBFF4AB88349F01891DE8D89A250E7799148CF97

Function 6CDD34E0 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

bsearch.MSVCRT ref: 6CDD353F
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CDD43CF), ref: 6CDD357A
malloc.MSVCRT ref: 6CDD35A8
qsort.MSVCRT ref: 6CDD35F6

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: ErrorLastbsearchmallocqsort
String ID:
API String ID: 1451747280-0
Opcode ID: 0ff26cda9085bf08dc5eba4c4258d2d479da2e5940c9192a7a33b5011d2f0117
Instruction ID: 37035dbc9d1438ff5687c4581e661ad99f9ba91b76930bbf4bb6b367ddb610cc
Opcode Fuzzy Hash: 0ff26cda9085bf08dc5eba4c4258d2d479da2e5940c9192a7a33b5011d2f0117
Instruction Fuzzy Hash: 30411AB5A193018FD710DF69C48062AB7F5FF84314F16892DE88987761E774F858CB92

Function 6CDD4030 Relevance: 7.6, APIs: 5, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 6CDD40D5
SetLastError.KERNEL32 ref: 6CDD40F7
SetLastError.KERNEL32 ref: 6CDD410B

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: ErrorLast$LocaleThread
String ID:
API String ID: 2451566642-0
Opcode ID: 76260d0f5912b07ede1e691481d95b0e6a8b540ad7ae3bed758079dd2d4b7536
Instruction ID: 76713ada177b009da399a12db7868e9c7bd214c76a55df5c49a8a4f77337ec73
Opcode Fuzzy Hash: 76260d0f5912b07ede1e691481d95b0e6a8b540ad7ae3bed758079dd2d4b7536
Instruction Fuzzy Hash: 7221A570A05200CBD7009B39C984667B7F5AF85318F168A28E9A5CB3A0EB35F845CB92

Function 6CDD58B0 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6CDD58C9
_unlock.MSVCRT ref: 6CDD58F1
calloc.MSVCRT ref: 6CDD593F

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
Instruction ID: d12150eadf4799b44ba40ec88056300aee21be16007d37979b7e7be5a862ab5b
Opcode Fuzzy Hash: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
Instruction Fuzzy Hash: 90113AB0A45211CFD7009F2CC48075ABBE4FF45364F568669D898CB7A5EB34E888CB62

Function 6CDD4A30 Relevance: 7.6, APIs: 5, Instructions: 55timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 6CDD4A69
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CD513B9), ref: 6CDD4A7A
GetCurrentThreadId.KERNEL32 ref: 6CDD4A82
GetTickCount.KERNEL32 ref: 6CDD4A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CD513B9), ref: 6CDD4A99

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: b03b5f1ccbabfe0778075dafa7df6df6a346ecec3fa838f295528f8aaa46a637
Instruction ID: 58abc1e6559362439be501e95aeab3e750aa453a519875b458158d944992476b
Opcode Fuzzy Hash: b03b5f1ccbabfe0778075dafa7df6df6a346ecec3fa838f295528f8aaa46a637
Instruction Fuzzy Hash: 8A1151B6A063018FDB00EF79EA8856BBBF4FB89258F010939E544C7610EB35E4488792

Function 6CDD45C0 Relevance: 7.5, APIs: 5, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 6CDD45F0
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CDD2DB9), ref: 6CDD45FC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CDD2DB9), ref: 6CDD460E
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CDD2DB9), ref: 6CDD461E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CDD2DB9), ref: 6CDD4630

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ObjectSingleWait
String ID:
API String ID: 1755037574-0
Opcode ID: 03826c093261b48d5b13707dbe02b7b1796e0cea35c391cbe7c11e753d866026
Instruction ID: 7ffe8f98ed99b338470d78f187cc8fd14665a50cf6996670db69c54a9cab1eb8
Opcode Fuzzy Hash: 03826c093261b48d5b13707dbe02b7b1796e0cea35c391cbe7c11e753d866026
Instruction Fuzzy Hash: 4601B1B2A053158BCB00BFB9D68752ABBF8AF42310F01052DD8985B650DA30E449CBA3

Function 6CDD5A10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6CDD5A3F
vfprintf.MSVCRT ref: 6CDD5A5F
abort.MSVCRT ref: 6CDD5A64

Strings

Mingw-w64 runtime failure:, xrefs: 6CDD5A38

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: abortfwritevfprintf
String ID: Mingw-w64 runtime failure:
API String ID: 3176311984-2889761391
Opcode ID: 22b91e50af76562d70665a9ae6c3427dc621a12671ad7691809d747cb47c897b
Instruction ID: e6b511a656506c7bbe7c5391601fb60d5c87aa6bf30ca2d9c3c0d093dabc5ffe
Opcode Fuzzy Hash: 22b91e50af76562d70665a9ae6c3427dc621a12671ad7691809d747cb47c897b
Instruction Fuzzy Hash: F0E0A5B08093009AD300AF68C08529EBAE4EF84358F52891DD4C947B61E778A4888F63

Function 6CDD4DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CD512A5), ref: 6CDD4EE9

Strings

Unknown pseudo relocation protocol version %d., xrefs: 6CDD5044
Unknown pseudo relocation bit size %d., xrefs: 6CDD4F79

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 20e0a1d4690d3a94cbfcbb86f82fe09431b6ff759289a8353e9bc520f4cf8f2c
Instruction ID: 29638da14b57c56ca442f6605893fb434d7ae21eeec6985221892faa8f9499bd
Opcode Fuzzy Hash: 20e0a1d4690d3a94cbfcbb86f82fe09431b6ff759289a8353e9bc520f4cf8f2c
Instruction Fuzzy Hash: 8761DE71F012458BCB00DF6DC5C1AAAB7B5FB85348F66C229D8599BB20E331F805CB91

Function 6CDD43A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6CDD4408

Part of subcall function 6CDD34E0: bsearch.MSVCRT ref: 6CDD353F

fprintf.MSVCRT ref: 6CDD443C

Strings

$, xrefs: 6CDD43ED

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: bsearchfprintffwrite
String ID: $
API String ID: 1110293247-3993045852
Opcode ID: b0f09ebaa5c81574dc4bdd1ef3b724b034e1ade3c9be14db5dda54a231a77359
Instruction ID: 7b21ce8cf5576b48477081cf9d7e5ad21ec26f05fc74c7fe71eb299f63d5ace7
Opcode Fuzzy Hash: b0f09ebaa5c81574dc4bdd1ef3b724b034e1ade3c9be14db5dda54a231a77359
Instruction Fuzzy Hash: 2C0117B59493109FDB00AF68944525EFBF4AB48318F12892EE8C987720E379A484CF63

Function 6CDD3630 Relevance: 5.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 6CDD3652
free.MSVCRT ref: 6CDD3692
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,6CDD3BBA), ref: 6CDD36BB
HeapFree.KERNEL32 ref: 6CDD36D0

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: Heapfree$FreeProcess
String ID:
API String ID: 3425746932-0
Opcode ID: f74f7210920a0cd5dca4adb765baf2237a35f32cf28471cbabba2e213c9dfefc
Instruction ID: d4b7179add4554ef4b6959c895fbbe9288265cabc64456d43c745ab44f8e5382
Opcode Fuzzy Hash: f74f7210920a0cd5dca4adb765baf2237a35f32cf28471cbabba2e213c9dfefc
Instruction Fuzzy Hash: 8B21E5B5A05600CBDB00AF25C5C871ABBF4BF84714F16C96CE8888B719D734E845CB91

Function 6CDD5050 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6CDD505E
TlsGetValue.KERNEL32 ref: 6CDD5085
GetLastError.KERNEL32 ref: 6CDD508C
LeaveCriticalSection.KERNEL32 ref: 6CDD50AC

Memory Dump Source

Source File: 0000000D.00000002.1507472901.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true

Associated: 0000000D.00000002.1507376420.000000006CD50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507733877.000000006CDD6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507826733.000000006CDD7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507906360.000000006CDD9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CDDD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1507995712.000000006CE45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508271789.000000006CE6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508341426.000000006CE79000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508453764.000000006CEAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508518032.000000006CEB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508577121.000000006CEB5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1508634223.000000006CEB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cd50000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: f670d96e82633c3f9bd774b482e78a07d1fbbc35607cd5590431ea1061432774
Instruction ID: 802a6834ecc12132f3def764ed8a4056e121a5210369ffde53ab286cbbd4b8c7
Opcode Fuzzy Hash: f670d96e82633c3f9bd774b482e78a07d1fbbc35607cd5590431ea1061432774
Instruction Fuzzy Hash: 4AF0A4F2A067008BDB00BFBDD68653A7BB4FB45304B160528DD4557215E631B805CBE3

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report jIcqgmCcrZ.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Software Vulnerabilities

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll32.exePID: 7600, Parent PID: 4084

General

Chronological Activities

Analysis Process: conhost.exePID: 7608, Parent PID: 7600

General

Chronological Activities

Analysis Process: cmd.exePID: 7684, Parent PID: 7600

General

Chronological Activities

Windows Analysis Report
jIcqgmCcrZ.dll

Function 6D184790 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
sleepCOMMON

Function 6D161D40 Relevance: 1.3, APIs: 1, Instructions: 21
memoryCOMMON

Function 6D183710 Relevance: 33.8, APIs: 17, Strings: 2, Instructions: 564
memoryCOMMON

Function 6D115820 Relevance: 19.8, Strings: 15, Instructions: 1007
COMMON

Function 6D128E10 Relevance: 16.9, Strings: 13, Instructions: 645
COMMON