Windows Analysis Report
T681Aj3oN9.dll

Overview

General Information

Sample name: T681Aj3oN9.dll
(renamed because the original name is a hash value)
Original sample name: 111d2849e97391a16ad33ad6c7cd4157b35bbda80f07a691f339f8f678eb1d04.dll
Analysis ID: 1544814
MD5: 5f9cd1ca927bcfd120658bd913aa5b00
SHA1: 469949600eb14f9f1e9c35b73424ad9bbb3c3455
SHA256: 111d2849e97391a16ad33ad6c7cd4157b35bbda80f07a691f339f8f678eb1d04
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7520 cmdline: loaddll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7576 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7600 cmdline: rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 7760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7600 -s 840 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7584 cmdline: rundll32.exe C:\Users\user\Desktop\T681Aj3oN9.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7748 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 820 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7836 cmdline: rundll32.exe C:\Users\user\Desktop\T681Aj3oN9.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7884 cmdline: rundll32.exe C:\Users\user\Desktop\T681Aj3oN9.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7944 cmdline: rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 8164 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7944 -s 760 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7972 cmdline: rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7980 cmdline: rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8060 cmdline: rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8076 cmdline: rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",SpellSpell MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8172 cmdline: rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",SpellInit MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7204 cmdline: rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",SpellFree MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7312 cmdline: rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1184 cmdline: rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2916 cmdline: rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.9% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBF1830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE81830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE81830
Source: T681Aj3oN9.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: T681Aj3oN9.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 3_2_6CBC2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 3_2_6CBC2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 3_2_6CBDCEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 3_2_6CBE9030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 3_2_6CBEA360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 12_2_6CE52CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 12_2_6CE52CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 12_2_6CE6CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 12_2_6CE79030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 12_2_6CE7A360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 15_2_6CE52CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 15_2_6CE52CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then mov dword ptr [esp], edx 15_2_6CE6CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ebp, 0Dh 15_2_6CE79030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then shr ecx, 0Dh 15_2_6CE7A360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBF2A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBF1A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBF1570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBF11F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE82A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE81A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE81570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE811F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE82A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE81A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE81570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE811F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBC2CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBC2CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC1BC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBEAD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC15ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBCBE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBFCF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC2A872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBD59F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBED9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBD0AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBECA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBCFBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBEBB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC06470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBE3400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBE1440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC18570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC1D6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBEC6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBE6630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBD80A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBEC080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBC90F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBF6010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBED040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBC32A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC27280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBEB2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBFE240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBE93F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CBFA320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6CC2332F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE52CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE52CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CEABC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE7AD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CEA5ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE5BE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE8CF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CEBA872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE659F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE7D9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE60AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE7CA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE5FBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE7BB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE96470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE71440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE73400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CEA8570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CEAD6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE7C6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE76630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE590F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE680A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE7C080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE7D040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE86010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE7B2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE532A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CEB7280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE8E240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE793F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CEB332F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6CE8A320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE52CA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE52CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CEABC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE7AD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CEA5ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE5BE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE8CF90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CEBA872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE659F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE7D9C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE60AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE7CA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE5FBC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE7BB10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE96470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE71440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE73400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CEA8570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CEAD6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE7C6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE76630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE590F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE680A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE7C080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE7D040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE86010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE7B2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE532A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CEB7280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE8E240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE793F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CEB332F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6CE8A320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CC26A90 appears 462 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CBF7410 appears 680 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CE85080 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CE87410 appears 1360 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CEB6A90 appears 924 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6CE83B30 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 820
Source: T681Aj3oN9.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\fd463745-8624-42d2-b1a6-db12fabfba81
Source: T681Aj3oN9.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\T681Aj3oN9.dll,BarCreate
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exeString found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll"
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",#1
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\T681Aj3oN9.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 820
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7600 -s 840
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\T681Aj3oN9.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\T681Aj3oN9.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",SpellSpell
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7944 -s 760
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe; Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: apphelp.dll
Source: T681Aj3oN9.dll; Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: T681Aj3oN9.dll; Static file information: File size 1368576 > 1048576
Source: T681Aj3oN9.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_6CBC13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,3_2_6CBC13E0
Source: T681Aj3oN9.dll; Static PE information: real checksum: 0x15ce2a should be: 0x14e942
Source: T681Aj3oN9.dll; Static PE information: section name: .eh_fram
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_0103AF34 push eax; retf 0_2_0103AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 13_2_0483AF34 push eax; retf 13_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 14_2_0503C88C pushad ; retf 14_2_0503C89C
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 14_2_0503AF62 push eax; retf 14_2_0503AF61
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 14_2_0503AF34 push eax; retf 14_2_0503AF61
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 14_2_0503AFB8 push eax; retf 14_2_0503AF61
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 17_2_0483AF34 push eax; retf 17_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 17_2_0483D854 push edx; retf 17_2_0483D856
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 17_2_0483C89B push ecx; ret 17_2_0483C89C
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 19_2_0503DCE3 pushad ; iretd 19_2_0503DCE4
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 19_2_0503DCAF push ED35AE50h; retf 19_2_0503DC66
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 19_2_0503DCED push edi; iretd 19_2_0503DD02
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 19_2_0503DC33 push ED35AE50h; retf 19_2_0503DC66
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 19_2_0503AF34 push eax; retf 19_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 19_2_05080381 push ecx; ret 19_2_05080395
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 20_2_0503CD87 push ecx; ret 20_2_0503CD8A
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 20_2_0503AF34 push eax; retf 20_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 20_2_05080857 push esi; ret 20_2_05080858
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 21_2_0503C3F2 pushad ; retf 21_2_0503C428
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 21_2_0503AF34 push eax; retf 21_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 22_2_0543AF34 push eax; retf 22_2_0543AF61
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 22_2_054803DE push cs; ret 22_2_054803E7
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 23_2_04C3AF34 push eax; retf 23_2_04C3AF39
Source: C:\Windows\System32\loaddll32.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_6CC2C0C0 rdtscp 3_2_6CC2C0C0
Source: C:\Windows\SysWOW64\rundll32.exe; API coverage: 1.4 %
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe; Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CC2C0C0 rdtscp 3_2_6CC2C0C0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CBC13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,3_2_6CBC13E0
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CC56300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,3_2_6CC56300
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_6CEE6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,12_2_6CEE6300
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_6CEE6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,15_2_6CEE6300
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",#1Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CC56250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,3_2_6CC56250
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CBF1C90 RtlGetVersion,RtlGetCurrentPeb,3_2_6CBF1C90
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: 2 Command and Scripting Interpreter, 1 Native API, At, Cron, Launchd, Scheduled Task
Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: 11 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: 11 Virtualization/Sandbox Evasion, 11 Process Injection, 1 Deobfuscate/Decode Files or Information, 3 Obfuscated Files or Information, 1 Rundll32, 1 DLL Side-Loading
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: 1 System Time Discovery, 2 Security Software Discovery, 11 Virtualization/Sandbox Evasion, 3 System Information Discovery, Internet Connection Discovery, Wi-Fi Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: 1 Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: 1 Encrypted Channel, Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Behavior Graph (ID: 1544814; Sample: T681Aj3oN9.dll; Start date: 29/10/2024; Architecture: WINDOWS; Score: 48); graph rendering omitted, edges summarised:

  • Sample start (signature: AI detected suspicious sample) starts loaddll32.exe
  • loaddll32.exe starts rundll32.exe, cmd.exe, a second rundll32.exe and 12 other processes
  • first rundll32.exe (signature: Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)) starts WerFault.exe
  • cmd.exe starts rundll32.exe, which starts WerFault.exe
  • second rundll32.exe starts WerFault.exe

Source: T681Aj3oN9.dll; Detection: 5%; Scanner: ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1544814
Start date and time:2024-10-29 19:27:12 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 6m 28s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:28
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:T681Aj3oN9.dll
renamed because original name is a hash value
Original Sample Name:111d2849e97391a16ad33ad6c7cd4157b35bbda80f07a691f339f8f678eb1d04.dll
Detection:MAL
Classification:mal48.mine.winDLL@35/0@0/0
EGA Information:
  • Successful, ratio: 20%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target loaddll32.exe, PID 7520 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 1184 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 2916 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7204 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7312 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7600 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7836 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7884 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7972 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7980 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 8076 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 8172 because there are no executed functions
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • VT rate limit hit for: T681Aj3oN9.dll
Time: 14:28:13; Type: API Interceptor; Description: 1x Sleep call for process: loaddll32.exe modified
No context
No created / dropped files found
File type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):6.2712483836578174
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:T681Aj3oN9.dll
File size:1'368'576 bytes
MD5:5f9cd1ca927bcfd120658bd913aa5b00
SHA1:469949600eb14f9f1e9c35b73424ad9bbb3c3455
SHA256:111d2849e97391a16ad33ad6c7cd4157b35bbda80f07a691f339f8f678eb1d04
SHA512:477d9cf7f1c5ba0cf4aab807901d2eab694e5ddb87c015e78901097eb66ffd2863f3eacde35032e24c3f95fe8d37e83b750c8e87fcca51ffe3fcb62a3031e86e
SSDEEP:24576:ZmrVZtevjrWnfLmMQmfjFRIhrKuHjVznls+MXcS8DQ02nMYm:ZzjrKrh/8fkL
TLSH:B4551800FDC784F1E403263285AB62AB6325AD195F31CBC7FB44BB79FA776950836285
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....d.......H.................m................................*.....@... .........................-..
Icon Hash:7ae282899bbab082
Entrypoint:0x6d8c1380
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x6d8c0000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:0x6d9563e0, 0x6d956390
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:47d9e8363ec498a9360ee0a7da269805
Instruction
sub esp, 1Ch
mov dword ptr [6DA2C730h], 00000000h
mov edx, dword ptr [esp+24h]
cmp edx, 01h
je 00007F0828E16B8Ch
mov ecx, dword ptr [esp+28h]
mov eax, dword ptr [esp+20h]
call 00007F0828E169F2h
add esp, 1Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
mov dword ptr [esp+0Ch], edx
call 00007F0828EABA0Ch
mov edx, dword ptr [esp+0Ch]
jmp 00007F0828E16B49h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 6DA08000h
mov dword ptr [esp+04h], eax
call 00007F0828EAC85Eh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 6D95F000h
call dword ptr [6DA2E21Ch]
sub esp, 04h
test eax, eax
je 00007F0828E16BE5h
mov ebx, eax
mov dword ptr [esp], 6D95F000h
call dword ptr [6DA2E264h]
mov edi, dword ptr [6DA2E224h]
sub esp, 04h
mov dword ptr [6DA2C764h], eax
mov dword ptr [esp+04h], 6D95F013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 6D95F029h
mov dword ptr [esp], ebx
call edi
mov dword ptr [6D958000h], eax
sub esp, 08h
test esi, esi
je 00007F0828E16B83h
mov dword ptr [esp+00h], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x16d000 | 0x12d | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16e000 | 0xb78 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x171000 | 0x868c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x144fb0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x16e1cc | 0x190 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x962a8 | 0x96400 | c71d43de37ad2b1076cdeb172301c54c | False | 0.4698094321963394 | data | 6.282349708256424 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x98000 | 0x67c8 | 0x6800 | 358b8a7767e700a9bb5723298ae4b2d5 | False | 0.42041015625 | data | 4.443097552653927 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x9f000 | 0xa6380 | 0xa6400 | 0ee42fb6cd396238d8ac6d9eb157b15a | False | 0.43181390977443607 | data | 5.591347872659806 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram | 0x146000 | 0x1274 | 0x1400 | 85e22b3e84813337ea1a67b904c6bbcd | False | 0.3369140625 | data | 4.565839626312234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x148000 | 0x2477c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x16d000 | 0x12d | 0x200 | 67859e1c9d81f1d2bdf6b531a2016f52 | False | 0.44921875 | data | 3.400613123216997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata | 0x16e000 | 0xb78 | 0xc00 | cb8eb4a241279d6fed66c3ea8ecac795 | False | 0.3961588541666667 | data | 5.12056831676781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x16f000 | 0x2c | 0x200 | db151290603a2662b590a75b7e0b0988 | False | 0.0546875 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x170000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x171000 | 0x868c | 0x8800 | 79ed408bbe5c4bbb01c59442165783ed | False | 0.6667911305147058 | data | 6.630417318575256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetModuleHandleA, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadLocale, GetTickCount, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, PostQueuedCompletionStatus, QueryPerformanceCounter, RaiseFailFastException, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TerminateProcess, TlsAlloc, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WriteConsoleW, WriteFile, lstrlenA
msvcrt.dll | _amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, _wcsnicmp, abort, bsearch, calloc, fprintf, free, fwrite, malloc, mbstowcs, memcpy, memset, qsort, realloc, strcmp, strlen, strncmp, strtol, vfprintf, wcstombs
Name | Ordinal | Address
BarCreate | 1 | 0x6d9545d0
BarDestroy | 2 | 0x6d954850
BarFreeRec | 3 | 0x6d954800
BarRecognize | 4 | 0x6d9547b0
GetInstallDetailsPayload | 5 | 0x6d954710
SignalInitializeCrashReporting | 6 | 0x6d954760
SpellFree | 7 | 0x6d954620
SpellInit | 8 | 0x6d954670
SpellSpell | 9 | 0x6d9546c0
_cgo_dummy_export | 10 | 0x6da2c768
No network behavior found

Target ID:0
Start time:14:28:03
Start date:29/10/2024
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll"
Imagebase:0xe0000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:14:28:03
Start date:29/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:14:28:03
Start date:29/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",#1
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:14:28:03
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\T681Aj3oN9.dll,BarCreate
Imagebase:0xea0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:14:28:03
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",#1
Imagebase:0xea0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:14:28:04
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 820
Imagebase:0xd20000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:14:28:04
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7600 -s 840
Imagebase:0xd20000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:14:28:06
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\T681Aj3oN9.dll,BarDestroy
Imagebase:0xea0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:14:28:09
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\T681Aj3oN9.dll,BarFreeRec
Imagebase:0xea0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:14:28:12
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",BarCreate
Imagebase:0xea0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:14:28:12
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",BarDestroy
Imagebase:0xea0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:14:28:13
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",BarFreeRec
Imagebase:0xea0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:15
Start time:14:28:13
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",_cgo_dummy_export
Imagebase:0xea0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:14:28:13
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",SpellSpell
Imagebase:0xea0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:14:28:13
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7944 -s 760
Imagebase:0xd20000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:14:28:13
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",SpellInit
Imagebase:0xea0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:14:28:13
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",SpellFree
Imagebase:0xea0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:14:28:13
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",SignalInitializeCrashReporting
Imagebase:0xea0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:14:28:13
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",GetInstallDetailsPayload
Imagebase:0xea0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:14:28:13
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\T681Aj3oN9.dll",BarRecognize
Imagebase:0xea0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true


    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:3
    Total number of Limit Nodes:0
    Execution graph of function 6cc2cea0 (rendering omitted): 6cc2cea0 branches either to 6cc2ceb9 or directly to 6cc2cec8; 6cc2ceb9 also leads to 6cc2cec8, where WriteFile is called

    Control-flow Graph

    Control-flow graph of function 6cc2cea0 (rendering omitted): block 6cc2cea0-6cc2ceb7 branches to 6cc2cec8-6cc2cee0 (calls WriteFile) or to 6cc2ceb9-6cc2cec6, which then leads to the WriteFile block
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    • Associated: 00000003.00000002.1693037124.000000006CBC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693184432.000000006CC58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693269852.000000006CC59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693288710.000000006CC5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693369371.000000006CC5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693496426.000000006CD08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694097196.000000006CD26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694198985.000000006CD2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694232224.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694259577.000000006CD31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: 0201a53585980ab47dbe76e007d5695c19c32326a49169a7a9353ac179f8a8c3
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 1EE0E571505700CFDB15DF18C2C1306BBE1EB48A00F0485A8DE098FB4AE738EE10CB92

    Control-flow Graph

    Control-flow graph of function 6cbd59f0 (rendering omitted): basic blocks from 6cbd59f0 through 6cbd6c66; the full edge list and call targets are not reproduced here
    Strings
    • gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= , xrefs: 6CBD5ABA
    • 5, xrefs: 6CBD6C27
    • gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma, xrefs: 6CBD629A
    • ., xrefs: 6CBD61FE
    • gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6CBD6C4A
    • MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 6CBD6A06
    • ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid, xrefs: 6CBD68DC
    • MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=, xrefs: 6CBD699C
    • +:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08, xrefs: 6CBD64A4, 6CBD678B
    • failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 6CBD6C34
    • ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE, xrefs: 6CBD64EC
    • , xrefs: 6CBD606A
    • non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo, xrefs: 6CBD6C1E
    • @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12, xrefs: 6CBD62C7
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    • Associated: 00000003.00000002.1693037124.000000006CBC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693184432.000000006CC58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693269852.000000006CC59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693288710.000000006CC5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693369371.000000006CC5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693496426.000000006CD08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694097196.000000006CD26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694198985.000000006CD2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694232224.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694259577.000000006CD31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12$ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=$ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) 
marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid$+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08$.$5$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= $non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo
    • API String ID: 0-2575422049
    • Opcode ID: c32927b2202ba063a2f13d25948740b720b1077261d4daae7cb512104897301c
    • Instruction ID: 40e4ed9a2cd32d9d62ee2c456e3b231f7131bea6ba60cd80d36a78bcee9ba2ce
    • Opcode Fuzzy Hash: c32927b2202ba063a2f13d25948740b720b1077261d4daae7cb512104897301c
    • Instruction Fuzzy Hash: 73B214746097848FD724DF68C490B9EBBF5FB8A304F01892ED98987750EB74A849CF52
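The `control_flow_graph` lines above are the text form of the rendered graph: `<id> <start>-<end>` opens a basic block, `call <addr>` names a callee inside it, `* N` repeats the previous callee, and `<id>-><id>` is an edge. The following parser is an added example for this report (not Joe Sandbox or IDA-plugin code) that turns such a dump into block, edge and callee counts, and checks for the loop every graph in this report shares: the entry block has an edge to one tail block that makes a single call (always to 6cc2ae50 here) and jumps back to the entry. That is the shape of a Go function's stack-growth prologue, so 6cc2ae50 is most likely the runtime's morestack stub; that identification is an inference from the pattern, not something the report states. The embedded graph text is the one listed for the function at 6cbf1570 further down the page.

```python
"""Parser for the text form of the control-flow graphs in this report.

Added example; not Joe Sandbox or IDA-plugin code.  The token format is inferred
from the graphs shown in the report.  CFG_6CBF1570 is the graph text printed for
the function at 6cbf1570, copied from the report.
"""
import re
from collections import Counter

CFG_6CBF1570 = """\
control_flow_graph 1372 6cbf1570-6cbf157e 1373 6cbf181e-6cbf1823 call 6cc2ae50 1372->1373
1374 6cbf1584-6cbf15b6 call 6cbf32a0 1372->1374 1373->1372 1379 6cbf15bc-6cbf15ea call 6cbf1470
1374->1379 1380 6cbf1807-6cbf181d call 6cc26a90 1374->1380 1385 6cbf15fc-6cbf1631 call 6cbf32a0
1379->1385 1386 6cbf15ec-6cbf15f9 call 6cc2c270 1379->1386 1380->1373 1391 6cbf1637-6cbf1669
call 6cbf1470 1385->1391 1392 6cbf17f1-6cbf1802 call 6cc26a90 1385->1392 1386->1385
1396 6cbf167b-6cbf1683 1391->1396 1397 6cbf166b-6cbf1678 call 6cc2c270 1391->1397 1392->1380
1398 6cbf172d-6cbf175f call 6cbf1470 1396->1398 1399 6cbf1689-6cbf16bb call 6cbf1470 1396->1399
1397->1396 1406 6cbf1771-6cbf17a9 call 6cbf1470 1398->1406 1407 6cbf1761-6cbf176e call 6cc2c270
1398->1407 1408 6cbf16cd-6cbf16d5 1399->1408 1409 6cbf16bd-6cbf16ca call 6cc2c270 1399->1409
1420 6cbf17bb-6cbf17c4 1406->1420 1421 6cbf17ab-6cbf17b8 call 6cc2c270 1406->1421 1407->1406
1413 6cbf17db-6cbf17ec call 6cc26a90 1408->1413 1414 6cbf16db-6cbf170d call 6cbf1470 1408->1414
1409->1408 1413->1392 1424 6cbf171f-6cbf1727 1414->1424 1425 6cbf170f-6cbf171c call 6cc2c270
1414->1425 1421->1420 1424->1398 1428 6cbf17c5-6cbf17d6 call 6cc26a90 1424->1428 1425->1424
1428->1413
"""

NODE_ADDR = re.compile(r"^[0-9a-f]{4,}(?:-[0-9a-f]{4,})?$")  # "<start>" or "<start>-<end>"
EDGE = re.compile(r"^(\d+)->(\d+)$")


def parse_cfg(text):
    """Return (nodes, edges); nodes maps block id -> {start, end, calls}."""
    toks = text.split()
    nodes, edges, cur, i = {}, [], None, 0
    if toks and toks[0] == "control_flow_graph":
        i = 1
    while i < len(toks):
        t = toks[i]
        m = EDGE.match(t)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif t == "call":  # callee inside the current block
            nodes[cur]["calls"].append(toks[i + 1])
            i += 2
        elif t == "*":  # "call X * N": the previous callee occurs N times in this block
            nodes[cur]["calls"].extend([nodes[cur]["calls"][-1]] * (int(toks[i + 1]) - 1))
            i += 2
        elif t.isdigit() and i + 1 < len(toks) and NODE_ADDR.match(toks[i + 1]):
            cur = int(t)  # "<id> <start>[-<end>]" opens a new basic block
            start, _, end = toks[i + 1].partition("-")
            nodes[cur] = {"start": int(start, 16), "end": int(end or start, 16), "calls": []}
            i += 2
        else:
            raise ValueError(f"unexpected token {t!r} at position {i}")
    return nodes, edges


def summarize(nodes, edges):
    """Entry block, address span, callee histogram and the stack-check prologue loop
    (entry -> tail block with exactly one call -> entry).  The callee found in that
    loop is reported as stack_check_stub; in this sample it is 6cc2ae50 in every graph."""
    entry = min(nodes, key=lambda n: nodes[n]["start"])  # lowest address is the entry
    succ = {}
    for s, d in edges:
        succ.setdefault(s, set()).add(d)
    prologue = [n for n in succ.get(entry, ())
                if entry in succ.get(n, ()) and len(nodes[n]["calls"]) == 1]
    return {
        "entry": f"{nodes[entry]['start']:x}",
        "lo": f"{min(b['start'] for b in nodes.values()):x}",
        "hi": f"{max(b['end'] for b in nodes.values()):x}",
        "blocks": len(nodes),
        "edges": len(edges),
        "callees": Counter(c for b in nodes.values() for c in b["calls"]),
        "stack_check_stub": nodes[prologue[0]]["calls"][0] if prologue else None,
    }


if __name__ == "__main__":
    nodes, edges = parse_cfg(CFG_6CBF1570)
    s = summarize(nodes, edges)
    print(f"entry {s['entry']} span {s['lo']}-{s['hi']} blocks={s['blocks']} edges={s['edges']}")
    print("stack-check stub:", s["stack_check_stub"])
    for callee, n in s["callees"].most_common():
        print(f"  {callee} x{n}")
```

Run over the dump for 6cbf1570 this gives 24 blocks, 35 edges, the stub 6cc2ae50, and two callees (6cbf1470 and 6cc2c270) hit six times each, which is the repetitive resolve-and-check structure visible in that graph. The callee histogram is the quickest way to separate a function's real work from runtime helpers that show up in every graph on the page.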

    Control-flow Graph

    control_flow_graph 1167 6cbe93f0-6cbe9402 1168 6cbe9408-6cbe9450 1167->1168 1169 6cbe9f94-6cbe9f99 call 6cc2ae50 1167->1169 1171 6cbe9476-6cbe947d 1168->1171 1169->1167 1173 6cbe957b-6cbe9581 1171->1173 1174 6cbe9483-6cbe94ed 1171->1174 1177 6cbe97f9-6cbe9800 call 6cc2c2f0 1173->1177 1178 6cbe9587-6cbe95b3 call 6cbec5d0 1173->1178 1175 6cbe9f8c-6cbe9f93 call 6cc2c320 1174->1175 1176 6cbe94f3-6cbe94f5 1174->1176 1175->1169 1180 6cbe94fb-6cbe9545 1176->1180 1181 6cbe9f85-6cbe9f87 call 6cc2c340 1176->1181 1184 6cbe9805-6cbe980c 1177->1184 1192 6cbe95b5-6cbe9620 call 6cbe9360 1178->1192 1193 6cbe9621-6cbe9631 1178->1193 1185 6cbe9547-6cbe9550 1180->1185 1186 6cbe9552-6cbe9556 1180->1186 1181->1175 1190 6cbe9810-6cbe9812 1184->1190 1191 6cbe9558-6cbe9576 1185->1191 1186->1191 1194 6cbe99fd 1190->1194 1195 6cbe9818 1190->1195 1191->1190 1196 6cbe9637-6cbe9648 1193->1196 1197 6cbe97f4 call 6cc2c2e0 1193->1197 1203 6cbe9a01-6cbe9a0a 1194->1203 1200 6cbe9f7e-6cbe9f80 call 6cc2c2e0 1195->1200 1201 6cbe981e-6cbe984c 1195->1201 1198 6cbe964e-6cbe9653 1196->1198 1199 6cbe97e1-6cbe97e9 1196->1199 1197->1177 1205 6cbe9659-6cbe9666 1198->1205 1206 6cbe97c6-6cbe97d6 1198->1206 1199->1197 1200->1181 1208 6cbe984e-6cbe9854 1201->1208 1209 6cbe9856-6cbe98af 1201->1209 1211 6cbe9d72-6cbe9de0 call 6cbe9360 1203->1211 1212 6cbe9a10-6cbe9a16 1203->1212 1215 6cbe966c-6cbe97b3 call 6cbf6bb0 call 6cbf7410 call 6cbf7230 call 6cbf7410 call 6cbf7230 call 6cbf7410 call 6cbf7100 call 6cbf7410 call 6cbf7100 call 6cbf7410 call 6cbf7100 call 6cbf7410 call 6cbf6c10 call 6cbf6bb0 call 6cbf7410 call 6cbf7100 call 6cbf6db0 call 6cbf6c10 call 6cc26a90 1205->1215 1216 6cbe97b8-6cbe97c1 1205->1216 1206->1199 1208->1184 1227 6cbe98bf-6cbe98c8 1209->1227 1228 6cbe98b1-6cbe98bd 1209->1228 1226 6cbe9ee5-6cbe9eeb 1211->1226 1213 6cbe9a1c-6cbe9a26 1212->1213 1214 6cbe9d53-6cbe9d71 1212->1214 1219 6cbe9a28-6cbe9a3f 1213->1219 1220 6cbe9a41-6cbe9a55 1213->1220 1215->1216 1224 6cbe9a5c 1219->1224 1220->1224 
1229 6cbe9a5e-6cbe9a6f 1224->1229 1230 6cbe9a71-6cbe9a91 1224->1230 1232 6cbe9eed-6cbe9f02 1226->1232 1233 6cbe9f68-6cbe9f79 call 6cc26a90 1226->1233 1234 6cbe98ce-6cbe98e0 1227->1234 1228->1234 1236 6cbe9a98 1229->1236 1230->1236 1238 6cbe9f0b-6cbe9f1d 1232->1238 1239 6cbe9f04-6cbe9f09 1232->1239 1233->1200 1240 6cbe99c8-6cbe99ca 1234->1240 1241 6cbe98e6-6cbe98eb 1234->1241 1242 6cbe9a9a-6cbe9a9f 1236->1242 1243 6cbe9aa1-6cbe9aa4 1236->1243 1245 6cbe9f1f 1238->1245 1239->1245 1246 6cbe99cc-6cbe99e0 1240->1246 1247 6cbe99e2 1240->1247 1248 6cbe98ed-6cbe98f2 1241->1248 1249 6cbe98f4-6cbe9908 1241->1249 1250 6cbe9aaa-6cbe9d4e call 6cbf6bb0 call 6cbf7410 call 6cbf7230 call 6cbf7410 call 6cbf7230 call 6cbf7410 call 6cbf7100 call 6cbf7410 call 6cbf7100 call 6cbf7410 call 6cbf7100 call 6cbf6db0 call 6cbf6c10 call 6cbf6bb0 call 6cbf7410 call 6cbf7230 call 6cbf7410 call 6cbf7100 call 6cbf7410 call 6cbf7230 call 6cbf6db0 call 6cbf6c10 call 6cbf6bb0 call 6cbf7410 call 6cbf72a0 call 6cbf7410 call 6cbf7230 call 6cbf6db0 call 6cbf6c10 call 6cbf6bb0 call 6cbf7410 call 6cbf7100 call 6cbf7410 call 6cbf7100 call 6cbf6db0 call 6cbf6c10 1242->1250 1243->1250 1252 6cbe9f28-6cbe9f40 1245->1252 1253 6cbe9f21-6cbe9f26 1245->1253 1254 6cbe99e6-6cbe99fb 1246->1254 1247->1254 1255 6cbe990f-6cbe9911 1248->1255 1249->1255 1250->1226 1259 6cbe9f42-6cbe9f4e 1252->1259 1253->1259 1254->1203 1256 6cbe9917-6cbe9919 1255->1256 1257 6cbe9452-6cbe946f 1255->1257 1261 6cbe991b-6cbe9920 1256->1261 1262 6cbe9922-6cbe993d 1256->1262 1257->1171 1264 6cbe9f5a-6cbe9f5d 1259->1264 1265 6cbe9f50-6cbe9f55 1259->1265 1267 6cbe994b 1261->1267 1268 6cbe993f-6cbe9944 1262->1268 1269 6cbe99a7-6cbe99c3 1262->1269 1264->1233 1272 6cbe995e-6cbe996d 1267->1272 1273 6cbe994d-6cbe995c 1267->1273 1268->1267 1269->1184 1276 6cbe9970-6cbe99a2 1272->1276 1273->1276 1276->1184
    Strings
    • ][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C, xrefs: 6CBE96A4, 6CBE9AED
    • , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST, xrefs: 6CBE96F7, 6CBE9721, 6CBE9B44, 6CBE9B6E
    • , levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:, xrefs: 6CBE9D15
    • ] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt, xrefs: 6CBE9B1A
    • , j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu, xrefs: 6CBE9C04
    • runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard , xrefs: 6CBE9C5B
    • , npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar, xrefs: 6CBE9BD7
    • , i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc, xrefs: 6CBE9C88
    • runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer, xrefs: 6CBE976B
    • runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6CBE9CE8
    • runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6CBE967A, 6CBE9AB3
    • ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc, xrefs: 6CBE96CD
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CBE97A2, 6CBE9F68
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST$, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu$, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:$, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar$] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt$] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc$][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= 
GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard $runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
    • API String ID: 0-566501290
    • Opcode ID: 38f5fc34107cae36c5fde04a1623186e5259d73cef8cad1746d65cab61398fd5
    • Instruction ID: 183563e54c0c9da04fd17dbd8c0d7f044f86a4a9ad6e7f034998880f89138912
    • Opcode Fuzzy Hash: 38f5fc34107cae36c5fde04a1623186e5259d73cef8cad1746d65cab61398fd5
    • Instruction Fuzzy Hash: 32526A75A087948FD720DF68C48079EBBF1FF89748F01892DE99897740DB74A849CB92

    Control-flow Graph

    control_flow_graph 1372 6cbf1570-6cbf157e 1373 6cbf181e-6cbf1823 call 6cc2ae50 1372->1373 1374 6cbf1584-6cbf15b6 call 6cbf32a0 1372->1374 1373->1372 1379 6cbf15bc-6cbf15ea call 6cbf1470 1374->1379 1380 6cbf1807-6cbf181d call 6cc26a90 1374->1380 1385 6cbf15fc-6cbf1631 call 6cbf32a0 1379->1385 1386 6cbf15ec-6cbf15f9 call 6cc2c270 1379->1386 1380->1373 1391 6cbf1637-6cbf1669 call 6cbf1470 1385->1391 1392 6cbf17f1-6cbf1802 call 6cc26a90 1385->1392 1386->1385 1396 6cbf167b-6cbf1683 1391->1396 1397 6cbf166b-6cbf1678 call 6cc2c270 1391->1397 1392->1380 1398 6cbf172d-6cbf175f call 6cbf1470 1396->1398 1399 6cbf1689-6cbf16bb call 6cbf1470 1396->1399 1397->1396 1406 6cbf1771-6cbf17a9 call 6cbf1470 1398->1406 1407 6cbf1761-6cbf176e call 6cc2c270 1398->1407 1408 6cbf16cd-6cbf16d5 1399->1408 1409 6cbf16bd-6cbf16ca call 6cc2c270 1399->1409 1420 6cbf17bb-6cbf17c4 1406->1420 1421 6cbf17ab-6cbf17b8 call 6cc2c270 1406->1421 1407->1406 1413 6cbf17db-6cbf17ec call 6cc26a90 1408->1413 1414 6cbf16db-6cbf170d call 6cbf1470 1408->1414 1409->1408 1413->1392 1424 6cbf171f-6cbf1727 1414->1424 1425 6cbf170f-6cbf171c call 6cc2c270 1414->1425 1421->1420 1424->1398 1428 6cbf17c5-6cbf17d6 call 6cc26a90 1424->1428 1425->1424 1428->1413
    Strings
    • bcryptprimitives.dll, xrefs: 6CBF158D
    • NtCancelWaitCompletionPacket, xrefs: 6CBF16E2
    • bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible , xrefs: 6CBF1807
    • RtlGetCurrentPeb, xrefs: 6CBF1734
    • NtCreateWaitCompletionPacket, xrefs: 6CBF163E
    • ProcessPrng, xrefs: 6CBF15BF
    • NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no , xrefs: 6CBF17C5
    • ntdll.dll, xrefs: 6CBF1608
    • , xrefs: 6CBF169A
    • NtAssociateWaitCompletionPacket, xrefs: 6CBF1690
    • P, xrefs: 6CBF17E4
    • RtlGetVersion, xrefs: 6CBF177E
    • , xrefs: 6CBF16A2
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ $NtAssociateWaitCompletionPacket$NtCancelWaitCompletionPacket$NtCreateWaitCompletionPacket$NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no $P$ProcessPrng$RtlGetCurrentPeb$RtlGetVersion$bcryptprimitives.dll$bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible $ntdll.dll
    • API String ID: 0-2332038095
    • Opcode ID: da1f35fcbe1bf20a4bf8b0bb062487aecb5d4fb298b83349d4675dcf484f9d72
    • Instruction ID: 956b046bfa98465087c5d59c5bef812ecb06ba8df411a6e0ea47578973afd84a
    • Opcode Fuzzy Hash: da1f35fcbe1bf20a4bf8b0bb062487aecb5d4fb298b83349d4675dcf484f9d72
    • Instruction Fuzzy Hash: 3771C5B420A742DFEB04DF28C59065ABBF4FB86748F10882DE5A987740E774D859CF62
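The string list for the function at 6cbf1570 is the most informative part of this record: read in address order, the xrefs show `bcryptprimitives.dll` followed by `ProcessPrng`, then `ntdll.dll` followed by `NtCreateWaitCompletionPacket`, `NtAssociateWaitCompletionPacket`, `NtCancelWaitCompletionPacket`, `RtlGetCurrentPeb` and `RtlGetVersion`, i.e. a function resolving exports by name. The messages `bcryptprimitives.dll not found` and `NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does not` are the errors the Go runtime raises while loading these optional entry points at start-up, so this is runtime initialisation code rather than the sample's own loader logic; the report does not make that attribution itself. The run-together entries (several unrelated messages in one string) are an artefact of Go storing strings without terminators, so the extractor reads past the referenced one. The script below is an added example for this report, not Joe Sandbox code: it parses the `<string>, xrefs: <ADDR>` entries, orders them by address, and groups identifier-shaped strings under the preceding `.dll` name. The grouping rule and the list of Go runtime marker substrings are heuristics of this example; the two long messages are shortened in the embedded data and marked with `...`.

```python
"""Reconstruct reference order and DLL/export grouping from a report 'Strings' list.

Added example; not Joe Sandbox code.  STRINGS_6CBF1570 holds the entries printed for
the function at 6cbf1570 (two long messages shortened, marked with "...").  The
grouping rule and the marker list are heuristics of this example.
"""
import re

STRINGS_6CBF1570 = """\
• bcryptprimitives.dll, xrefs: 6CBF158D
• NtCancelWaitCompletionPacket, xrefs: 6CBF16E2
• bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame ..., xrefs: 6CBF1807
• RtlGetCurrentPeb, xrefs: 6CBF1734
• NtCreateWaitCompletionPacket, xrefs: 6CBF163E
• ProcessPrng, xrefs: 6CBF15BF
• NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array ..., xrefs: 6CBF17C5
• ntdll.dll, xrefs: 6CBF1608
• , xrefs: 6CBF169A
• NtAssociateWaitCompletionPacket, xrefs: 6CBF1690
• P, xrefs: 6CBF17E4
• RtlGetVersion, xrefs: 6CBF177E
• , xrefs: 6CBF16A2
"""

XREF_SEP = ", xrefs: "
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{2,}$")  # export-name shaped, at least 3 chars
# Substrings that, in this example, are taken as evidence of Go runtime messages.
GO_RUNTIME_MARKERS = ("runtime: ", "panic called with nil argument", "exists but",
                      "GOMEMLIMIT", "GOTRACEBACK", "GODEBUG", "mspan.sweep", "gcphase",
                      "goroutine")


def parse_xref_strings(text):
    """Return (address, string) pairs, one per xref; the string may be empty."""
    refs = []
    for line in text.splitlines():
        line = line.strip().lstrip("•").lstrip()
        if XREF_SEP not in line:
            continue
        s, _, xrefs = line.rpartition(XREF_SEP)  # strings may contain commas, so split on the marker
        for a in xrefs.split(","):
            refs.append((int(a.strip(), 16), s))
    return refs


def reference_order(refs):
    """Strings in the order the code references them (ascending xref address)."""
    return [(f"{a:08X}", s) for a, s in sorted(refs)]


def resolved_exports(refs):
    """Heuristic: a '<name>.dll' string opens a module; each following identifier-shaped
    string is taken as an export resolved from it until the next '.dll' string."""
    out, current = {}, None
    for _, s in sorted(refs):
        if s.lower().endswith(".dll"):
            current = s
            out.setdefault(current, [])
        elif current and IDENT.match(s):
            out[current].append(s)
    return out


def go_runtime_markers(refs):
    """Sorted list of marker substrings present in any referenced string."""
    return sorted({m for _, s in refs for m in GO_RUNTIME_MARKERS if m in s})


if __name__ == "__main__":
    refs = parse_xref_strings(STRINGS_6CBF1570)
    for addr, s in reference_order(refs):
        print(addr, repr(s[:48]))
    for dll, names in resolved_exports(refs).items():
        print(dll, "->", ", ".join(names))
    print("Go runtime markers:", go_runtime_markers(refs))
```

For this function the grouping yields `bcryptprimitives.dll -> ProcessPrng` and `ntdll.dll -> NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion`, with three runtime markers hit. The same functions apply unchanged to the other string lists on this page, where the marker count is what tells garbage-collector and scheduler boilerplate apart from code worth reading.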
    Strings
    • swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6CBE3C65
    • , xrefs: 6CBE3E12
    • sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket, xrefs: 6CBE3CB8, 6CBE412C
    • nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo, xrefs: 6CBE3D81
    • mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea, xrefs: 6CBE418A
    • sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket, xrefs: 6CBE3E09
    • sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto, xrefs: 6CBE3C4F
    • mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 6CBE3D16
    • mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 6CBE41A9
    • previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 6CBE3DAB
    • mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CBE3CE2, 6CBE4156
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo$ previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$ sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea$mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1$sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime 
executiontraceSto$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
    • API String ID: 0-893999930
    • Opcode ID: 4241a571faf0815fd0a6f302d17ed06be641bdf5d0dd3bc38dcc558ca4805b3a
    • Instruction ID: 966d37531eb36fd2502d906db68d68ff8f7dc1268a4323892c1c563ac46a5708
    • Opcode Fuzzy Hash: 4241a571faf0815fd0a6f302d17ed06be641bdf5d0dd3bc38dcc558ca4805b3a
    • Instruction Fuzzy Hash: 3F82367460D3948FC351DF29C080A9ABBF1BF89B48F40896DE8D88B751E774D949CB92

    Control-flow Graph

    control_flow_graph 1985 6cbf2a90-6cbf2a9e 1986 6cbf2f48-6cbf2f4d call 6cc2ae50 1985->1986 1987 6cbf2aa4-6cbf2afb call 6cbf33e0 1985->1987 1986->1985 1992 6cbf2eec-6cbf2f47 call 6cc2cef0 call 6cbf6bb0 call 6cbf7410 call 6cbf7100 call 6cbf6db0 call 6cbf6c10 call 6cc26a90 1987->1992 1993 6cbf2b01-6cbf2b80 call 6cbca4e0 call 6cbf3110 1987->1993 1992->1986 2002 6cbf2b82-6cbf2b8b 1993->2002 2003 6cbf2bd1-6cbf2bd9 1993->2003 2002->2003 2005 6cbf2b8d-6cbf2bcb call 6cbf32f0 2002->2005 2007 6cbf2bdf-6cbf2be8 2003->2007 2008 6cbf2c68-6cbf2ca9 call 6cbca700 call 6cc2c479 call 6cbf32a0 2003->2008 2005->2003 2018 6cbf2e91-6cbf2ee7 call 6cc2cef0 call 6cbf6bb0 call 6cbf7410 call 6cbf7100 call 6cbf6db0 call 6cbf6c10 call 6cc26a90 2005->2018 2007->2008 2011 6cbf2bea-6cbf2c28 call 6cbf32f0 2007->2011 2036 6cbf2caf-6cbf2cd1 2008->2036 2037 6cbf2d84-6cbf2dda call 6cc2cef0 call 6cbf6bb0 call 6cbf7410 call 6cbf7100 call 6cbf6db0 call 6cbf6c10 call 6cc26a90 2008->2037 2024 6cbf2c2e-6cbf2c62 call 6cbf32a0 2011->2024 2025 6cbf2e36-6cbf2e8c call 6cc2cef0 call 6cbf6bb0 call 6cbf7410 call 6cbf7100 call 6cbf6db0 call 6cbf6c10 call 6cc26a90 2011->2025 2018->1992 2024->2008 2041 6cbf2ddf-6cbf2e31 call 6cbf6bb0 call 6cbf7410 call 6cbf7100 call 6cbf6db0 call 6cbf6c10 call 6cc26a90 2024->2041 2025->2018 2042 6cbf2cfa-6cbf2d7f call 6cbf6bb0 call 6cbf7410 call 6cbf72a0 call 6cbf7410 call 6cbf72a0 call 6cbf7410 call 6cbf6c10 call 6cc26a90 2036->2042 2043 6cbf2cd3-6cbf2ce0 2036->2043 2037->2041 2041->2025 2042->2037 2043->2042 2049 6cbf2ce2-6cbf2cf9 call 6cc2c0a0 2043->2049
    Strings
    • VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec, xrefs: 6CBF2DC9
    • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi, xrefs: 6CBF2EFD
    • %, xrefs: 6CBF2F3A
    • CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet, xrefs: 6CBF2E7B, 6CBF2ED6
    • bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi, xrefs: 6CBF2D6E
    • ,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12, xrefs: 6CBF2D29
    • runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr, xrefs: 6CBF2DEC
    • runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 6CBF2D95
    • runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b, xrefs: 6CBF2F31
    • NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor, xrefs: 6CBF2E20
    • runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte, xrefs: 6CBF2E47, 6CBF2EA2
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    • Associated: 00000003.00000002.1693037124.000000006CBC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693184432.000000006CC58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693269852.000000006CC59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693288710.000000006CC5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693369371.000000006CC5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693496426.000000006CD08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694097196.000000006CD26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694198985.000000006CD2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694232224.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694259577.000000006CD31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: %$,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet$NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the 
block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte$runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
    • API String ID: 0-2809656213
    • Opcode ID: b22c8ad05980cdcce4f4cc142b6ce66d176f78b3b82350facc46f7a9aedd3721
    • Instruction ID: 47398be098a18ffb0886e821779e7f10e3ed62feed19894d0d9ae8d7ca07dd66
    • Opcode Fuzzy Hash: b22c8ad05980cdcce4f4cc142b6ce66d176f78b3b82350facc46f7a9aedd3721
    • Instruction Fuzzy Hash: F5C1B3B42097818FD701EF68C19479EBBF4EF89708F00896DE89887740D775994ECB62
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    • Associated: 00000003.00000002.1693037124.000000006CBC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693184432.000000006CC58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693269852.000000006CC59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693288710.000000006CC5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693369371.000000006CC5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693496426.000000006CD08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694097196.000000006CD26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694198985.000000006CD2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694232224.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694259577.000000006CD31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: ec9d5bab6cbca56410bf2d0b677558a6117e60143e37f9e7dce635ab89e543d7
    • Instruction ID: eb528891cae927306784dde17d2b2b3d3603212aabdc2e85e2c353c8d42de776
    • Opcode Fuzzy Hash: ec9d5bab6cbca56410bf2d0b677558a6117e60143e37f9e7dce635ab89e543d7
    • Instruction Fuzzy Hash: 610192B2A053008FDB007F78950631F7EF8EB82245F45452DD98597A10E7349425CB93
    Strings
    • mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 6CC23D05
    • !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 6CC236FF
    • mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential, xrefs: 6CC23D47
    • 3-, xrefs: 6CC23D58
    • p, xrefs: 6CC23D5E
    • 4, xrefs: 6CC23D0E
    • 2, xrefs: 6CC23D50
    • malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty, xrefs: 6CC23D1B
    • malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo, xrefs: 6CC23D31
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    • Associated: 00000003.00000002.1693037124.000000006CBC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693184432.000000006CC58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693269852.000000006CC59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693288710.000000006CC5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693369371.000000006CC5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693496426.000000006CD08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694097196.000000006CD26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694198985.000000006CD2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694232224.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694259577.000000006CD31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$2$4$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo$malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $3-$p
    • API String ID: 0-234616912
    • Opcode ID: 4dd247dd1fef9d8523aa01ec25d81d2dc6188e42c39e3e6c4dae52d702f79893
    • Instruction ID: ad374787555a0efd090d0607a1fd6a0c9af72dff288f41f2a806b73e68d38d60
    • Opcode Fuzzy Hash: 4dd247dd1fef9d8523aa01ec25d81d2dc6188e42c39e3e6c4dae52d702f79893
    • Instruction Fuzzy Hash: 4C62DF746093448FC704CF29C090A6ABBF5FF89718F18896DE9988B792E739D945CF42
    Strings
    • , xrefs: 6CC16031
    • :(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I, xrefs: 6CC163FD
    • , xrefs: 6CC16039
    • sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us, xrefs: 6CC16566
    • (1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID, xrefs: 6CC16320
    • pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace, xrefs: 6CC16593
    • non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard , xrefs: 6CC166C5
    • fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit, xrefs: 6CC16539
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    • Associated: 00000003.00000002.1693037124.000000006CBC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693184432.000000006CC58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693269852.000000006CC59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693288710.000000006CC5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693369371.000000006CC5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693496426.000000006CD08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694097196.000000006CD26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694198985.000000006CD2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694232224.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694259577.000000006CD31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ $ fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit$ pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace$ sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us$(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID$:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I$non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard
    • API String ID: 0-3830612415
    • Opcode ID: 43690b04a5c2e122e847bd847711b2b3d0d1023ded0caaef5131d3b306bb033c
    • Instruction ID: 39662e63bed877b3eee87af2df0c7d6503cd877c31a737f0b29da091a8a4c82b
    • Opcode Fuzzy Hash: 43690b04a5c2e122e847bd847711b2b3d0d1023ded0caaef5131d3b306bb033c
    • Instruction Fuzzy Hash: 0C32F37460D7818FC361DF66C18079EBBE1EF89308F05896DE8D897B41EB309849DB92
    Strings
    • runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co, xrefs: 6CBF1C34
    • &, xrefs: 6CBF1C3D
    • runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta, xrefs: 6CBF1BD9
    • winmm.dll, xrefs: 6CBF1AF3
    • timeBeginPeriod, xrefs: 6CBF1B29
    • timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 6CBF1C0D
    • timeEndPeriod, xrefs: 6CBF1B73
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    • Associated: 00000003.00000002.1693037124.000000006CBC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693184432.000000006CC58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693269852.000000006CC59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693288710.000000006CC5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693369371.000000006CC5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693496426.000000006CD08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694097196.000000006CD26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694198985.000000006CD2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694232224.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694259577.000000006CD31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: &$runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta$runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co$timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon$timeBeginPeriod$timeEndPeriod$winmm.dll
    • API String ID: 0-424793872
    • Opcode ID: 1e1d5e5d7b6d873c1e1998e3795975e957e0aed0212fef3a2c2c4097413cd19d
    • Instruction ID: a23a91f316128082e532d290dba9dd1429e181f60bad956139de07ce907f9fbf
    • Opcode Fuzzy Hash: 1e1d5e5d7b6d873c1e1998e3795975e957e0aed0212fef3a2c2c4097413cd19d
    • Instruction Fuzzy Hash: 9851B3B06097418FEB04EF68C19466EBBF4EB89308F00881DE5A987B40E774D44DCB62
    Strings
    • findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r, xrefs: 6CBFE0D5
    • findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina, xrefs: 6CBFE0BF
    • global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz, xrefs: 6CBFE093
    • findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a, xrefs: 6CBFE0A9
    • !, xrefs: 6CBFE0DE
    • findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi, xrefs: 6CBFE0EB
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    • Associated: 00000003.00000002.1693037124.000000006CBC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693184432.000000006CC58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693269852.000000006CC59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693288710.000000006CC5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693369371.000000006CC5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693496426.000000006CD08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694097196.000000006CD26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694198985.000000006CD2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694232224.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694259577.000000006CD31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz
    • API String ID: 0-3518981815
    • Opcode ID: f4943ab7348debe6940e9cd2b52c1324ed12ebe2d99b288e8965edc040eb0b91
    • Instruction ID: d65165081af9903f9906d1a4100f7d97bc4c47c5ba82d94312b8ad524b62f8e1
    • Opcode Fuzzy Hash: f4943ab7348debe6940e9cd2b52c1324ed12ebe2d99b288e8965edc040eb0b91
    • Instruction Fuzzy Hash: AEA2D0746093818FE724DF69D090B9EBBF4BF89748F04892DE9D887780E7359849CB52
    Strings
    • runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe, xrefs: 6CBF13C4
    • 5, xrefs: 6CBF1420
    • runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy, xrefs: 6CBF139D, 6CBF13F8, 6CBF144B
    • runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not , xrefs: 6CBF1417
    • runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar, xrefs: 6CBF1369
    • d, xrefs: 6CBF1276
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    • Associated: 00000003.00000002.1693037124.000000006CBC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693184432.000000006CC58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693269852.000000006CC59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693288710.000000006CC5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693369371.000000006CC5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693496426.000000006CD08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694097196.000000006CD26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694198985.000000006CD2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694232224.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694259577.000000006CD31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 5$d$runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar$runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not $runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe$runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy
    • API String ID: 0-2414937731
    • Opcode ID: 935d4cd8ca3b5a9012e3a56ac175d8a215c43bc2a5f5baff2145a1e8fc4b62a0
    • Instruction ID: d6976b4485c58bc0f0e56822aa78c7ffa9666effb22affa7bf4ef619bffce85f
    • Opcode Fuzzy Hash: 935d4cd8ca3b5a9012e3a56ac175d8a215c43bc2a5f5baff2145a1e8fc4b62a0
    • Instruction Fuzzy Hash: DB51BDB42097809FD740DF68C19479EBBF4AF88708F008C2DE8A887B50E77499498B63
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6CC56289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CBC13B9), ref: 6CC5629A
    • GetCurrentThreadId.KERNEL32 ref: 6CC562A2
    • GetTickCount.KERNEL32 ref: 6CC562AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CBC13B9), ref: 6CC562B9
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 78746d9e3b7637f5435700f4dcfd6a3ab2c204478f0f756392823b27862b4f66
    • Instruction ID: 12cc088b5216fb46c8f718d22f4c96261efc341676c746b0c2bf170be359283a
    • Opcode Fuzzy Hash: 78746d9e3b7637f5435700f4dcfd6a3ab2c204478f0f756392823b27862b4f66
    • Instruction Fuzzy Hash: 4D115EB56053008FDB00DF79E88868BBBF8FB89255F450D39E549C6700EA39D4698BD2
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6CC5634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6CC5635F
    • GetCurrentProcess.KERNEL32 ref: 6CC56368
    • TerminateProcess.KERNEL32 ref: 6CC56379
    • abort.MSVCRT ref: 6CC56382
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 7b194e1097102f48267c21cd72dbb919a2873ab6cdf0c27a3de6efdab7e3192b
    • Instruction ID: fbd5d914c4f8300b1782e81e08fb2852efdec43ab90ee3d18723f0947771aa9d
    • Opcode Fuzzy Hash: 7b194e1097102f48267c21cd72dbb919a2873ab6cdf0c27a3de6efdab7e3192b
    • Instruction Fuzzy Hash: 031116B5A05200CFEB00EF78C14965A7BF4BB95305F40896DEA89C7360E738D9648F92
    Strings
    • runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti, xrefs: 6CBE198C, 6CBE19DB
    • min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 6CBE1A0F
    • !, xrefs: 6CBE1A18
    • min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW, xrefs: 6CBE19C0
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW$runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti
    • API String ID: 0-967014423
    • Opcode ID: ae9ee019eb49785c56ddf12186f32094d2ebee0f2c5dc29d96ab431e299fb739
    • Instruction ID: 0e696307a3f8e93947d2c7575181dcdda70896026ac00ef4a31c1b6285cab363
    • Opcode Fuzzy Hash: ae9ee019eb49785c56ddf12186f32094d2ebee0f2c5dc29d96ab431e299fb739
    • Instruction Fuzzy Hash: 7DF1E4766093654FD301DF99C4C064EB7E2EBC8788F288A3CD89597782EB75D849C6C2
    Strings
    • stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many, xrefs: 6CBFA7B0
    • stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met, xrefs: 6CBFA7EB
    • stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a , xrefs: 6CBFA843
    • stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl, xrefs: 6CBFA690
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met$stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a $stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many$stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl
    • API String ID: 0-2039697367
    • Opcode ID: 5b0aa2a58c15842ecad6bcdf60e7a6913745212f803c518d240e9a298938ce68
    • Instruction ID: 192a7ac3e385d4cc1db12f3933035f963494c842ae3ff18dc66e3f8401e9d43a
    • Opcode Fuzzy Hash: 5b0aa2a58c15842ecad6bcdf60e7a6913745212f803c518d240e9a298938ce68
    • Instruction Fuzzy Hash: 4EF1C0746093808FD308DF69C190A9AFBF1BF89704F54892EE9A887751D774E94ACF42
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$'$PowerRegisterSuspendResumeNotification$powrprof.dll
    • API String ID: 0-4026319467
    • Opcode ID: 7898b2620bccb62690e5a97e27f12789bc6f5779f7b78d90cc9496f57cfdc517
    • Instruction ID: 38dd52a4ace4d16ea8acb9af7816e5f9d8dc6a39490491d61e62c5b8bc85f571
    • Opcode Fuzzy Hash: 7898b2620bccb62690e5a97e27f12789bc6f5779f7b78d90cc9496f57cfdc517
    • Instruction Fuzzy Hash: 5E21E3B46093428FD704CF25C190A5ABBF0BB89708F44881DE4D997750E779DA49CF93
    Strings
    • runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add, xrefs: 6CC069D7
    • runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern, xrefs: 6CC06A04
    • <, xrefs: 6CC06A0D
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: <$runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add$runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern
    • API String ID: 0-450027851
    • Opcode ID: ac4bfccd25c89c27d5d4ddc6e8459338e6e3b9f22b352f51969465332afebbde
    • Instruction ID: e2f22d056ceece15816348be4282a3f2bb17d229e9f25ed0387d0454da5afd84
    • Opcode Fuzzy Hash: ac4bfccd25c89c27d5d4ddc6e8459338e6e3b9f22b352f51969465332afebbde
    • Instruction Fuzzy Hash: 83026C70B08B058FD714DF69C19065EBBE1BFC8704F14892DE99987B50EB76E885CB82
    Strings
    • suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support, xrefs: 6CBF64A3
    • ', xrefs: 6CBF64AC
    • invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro, xrefs: 6CBF648D
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support
    • API String ID: 0-3278438963
    • Opcode ID: 023258067ef08bd9c750f4a5260507993877b40f6af42c9473327f2677f647ff
    • Instruction ID: 0916ad2fd117c5d1b6d43e84d615c0a68cd79c17f95c416e4adb036495d5d5c5
    • Opcode Fuzzy Hash: 023258067ef08bd9c750f4a5260507993877b40f6af42c9473327f2677f647ff
    • Instruction Fuzzy Hash: 04D1207460D3908FC704DF29C09065BBBF2AF8A708F54886DE8E587B51D735E94ACB82
    Strings
    • +, xrefs: 6CBE6D57
    • grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 6CBE6D4E
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: +$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
    • API String ID: 0-3347251187
    • Opcode ID: 0360194db3780e3d07e0e5944f3a422aba3fe560a61f53f0e3db63ac2cdf2931
    • Instruction ID: 2d0ff8d0da5ee99d5cd638d6f967aca3c773318ea81ec987188ebcb84f07dd95
    • Opcode Fuzzy Hash: 0360194db3780e3d07e0e5944f3a422aba3fe560a61f53f0e3db63ac2cdf2931
    • Instruction Fuzzy Hash: BB22EE746093858FD354DF29C090A5EBBF1BF89B84F14892DEAD987750EB34E848CB42
    Strings
    • @, xrefs: 6CBEB4FB
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CBEB60F
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
    • API String ID: 0-1191861649
    • Opcode ID: 9019dd8149adbf5636abecfa4b129fc6db8cc82ad4a28198e1062eb226ebc897
    • Instruction ID: e4afdb86a79703251cc0f84828c5e2aac9d875d94696626971f27b4696d727db
    • Opcode Fuzzy Hash: 9019dd8149adbf5636abecfa4b129fc6db8cc82ad4a28198e1062eb226ebc897
    • Instruction Fuzzy Hash: F5A1D17560871A8FD304DF18C88015EB7E1FFC8358F488A2DE9959B751EB34E95ACB82
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $@
    • API String ID: 0-1077428164
    • Opcode ID: c4411b23eccc7b1ddc3486aa9724f1a918e0d7523ab9dfa00bea8f07cb01a124
    • Instruction ID: 828f1a2a7d12c387e2bcd04f5881e59c416774bfa19f9e273a2c3458c4b5e97d
    • Opcode Fuzzy Hash: c4411b23eccc7b1ddc3486aa9724f1a918e0d7523ab9dfa00bea8f07cb01a124
    • Instruction Fuzzy Hash: 5B51B910C1DF9B65EA33077EC4026263B206EB7144B01D76FFEC6B58B2E7176940BA22
    Strings
    • gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu, xrefs: 6CBDCFA1
    • ,, xrefs: 6CBDCFAA
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu
    • API String ID: 0-27675022
    • Opcode ID: ca60b8957a7b89e67835e7e9399708c42f5b24b11b910f0fe4470d18ac28e406
    • Instruction ID: dd879522bd6fe56200d3e54d4071d553ce0e2cc3348fc2e70a226628e04d6f06
    • Opcode Fuzzy Hash: ca60b8957a7b89e67835e7e9399708c42f5b24b11b910f0fe4470d18ac28e406
    • Instruction Fuzzy Hash: 66319175A493A68FD305DF14C480A99B7F1FB86608F0981BDCD884F383DB35A84ACB85
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 4
    • API String ID: 0-4088798008
    • Opcode ID: ce9e0416bba0d52d6c8fa6360f3020b671c2649b5370e2968d1df84a03f53972
    • Instruction ID: c69c363ddd88e272cccdafdeaeda20600de1127ca259fae7de21b05a1775ff2f
    • Opcode Fuzzy Hash: ce9e0416bba0d52d6c8fa6360f3020b671c2649b5370e2968d1df84a03f53972
    • Instruction Fuzzy Hash: 8C22E27560D3468FD730DE19C4C4A9EB7E1BFC5304F158A2ED9998BB81EB30A905DB82
    Strings
    • span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 6CBD0D52
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
    • API String ID: 0-1712010102
    • Opcode ID: b1f8b181cec8175884e61613d19907cfd9d2e4e45982acfff33c64efa96587a0
    • Instruction ID: 41dc84c11531fa02f75d0a2ec78d33ef42a7a8bbf4e10566efae9b7f20f7c689
    • Opcode Fuzzy Hash: b1f8b181cec8175884e61613d19907cfd9d2e4e45982acfff33c64efa96587a0
    • Instruction Fuzzy Hash: 21D1307460D3858FC704DF28D09066EBBE0AF89748F41892EE8D987B50E735E949CB42
    Strings
    • runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 6CBED3CB
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
    • API String ID: 0-429552053
    • Opcode ID: 4013b54feaa6a5069f7dd78edcef4b54281d0649e5c69cb0f8974b82ef2831f7
    • Instruction ID: 345fc6ef4936ab63ebb83d3c0696c6f181dcc64d312128849df1cc0d7568bff6
    • Opcode Fuzzy Hash: 4013b54feaa6a5069f7dd78edcef4b54281d0649e5c69cb0f8974b82ef2831f7
    • Instruction Fuzzy Hash: 08B1F3786093858FC704DF68D08085ABBF1FBCAB88F51592DE99987710E774E949CF82
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: 5fbf1cc58a88f309f6c65d497214c3d36b41247917c7867155a742ef1b933efc
    • Instruction ID: 90e8ee5bfe89d91f0b389eb237e724b01bd59acce634d559ff066c4912820b7b
    • Opcode Fuzzy Hash: 5fbf1cc58a88f309f6c65d497214c3d36b41247917c7867155a742ef1b933efc
    • Instruction Fuzzy Hash: 8D9100B5A093459FC344DF28C08065EBBF1FB88B44F549A2DE89997741E734D949CF82
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 79d94cfd1cadeab2ca5ee81f11638ed601e3999de06f4ab2b6999be7e7ee7fa5
    • Instruction ID: 9347a0e011e8a671428f48076b4d0d8e795f04ac0dc6c000540dc685b6d5dc8d
    • Opcode Fuzzy Hash: 79d94cfd1cadeab2ca5ee81f11638ed601e3999de06f4ab2b6999be7e7ee7fa5
    • Instruction Fuzzy Hash: DDE10533B497594BD314ADAD88C025EB6D2ABC8784F19873CDD649B780FB75DC0A86C2
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 94422fc7bad676a5082d9c6bcb2d908fdee04c800160c98db8d534a0c87ae310
    • Instruction ID: e7658258bde5e560c8e9789d492df094a2c6e34b02d2693b03d61d943732ed02
    • Opcode Fuzzy Hash: 94422fc7bad676a5082d9c6bcb2d908fdee04c800160c98db8d534a0c87ae310
    • Instruction Fuzzy Hash: 44028E7560C3568FD324DE69C08065EF7E1BF89308F148A7DE9998BB51E734E809DB82
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0a1fc01af86e82c24a2690c313f2cf0e61fde9b689937a46cef61efd93bbb306
    • Instruction ID: ecab201dd9234ca4ff25fef790b49df72af5fad4058b1285c88cdb80ad7a2aab
    • Opcode Fuzzy Hash: 0a1fc01af86e82c24a2690c313f2cf0e61fde9b689937a46cef61efd93bbb306
    • Instruction Fuzzy Hash: 8CE1C433E2472507D3149E58CC80249B6D3ABC8670F4EC72DED95AB781EAB4ED5987C2
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1a94e35f6593c6ea2464ef82fd9b8d73f4eb9927b67b59de7de52f938ff1888d
    • Instruction ID: 521a31ccb77ca08c7efb6cd0fd882d8643841604d48786562dfe1b7c4122d99a
    • Opcode Fuzzy Hash: 1a94e35f6593c6ea2464ef82fd9b8d73f4eb9927b67b59de7de52f938ff1888d
    • Instruction Fuzzy Hash: 9BC1C232B093154FC709DE6DC89060EB7E2ABC8304F49863DE8599B7A5E775ED0987C2
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 84fd96155f0b1f66a3427e3dbbbaca7e5ed24dc19be600931b1f09302c5ed3b8
    • Instruction ID: 349bbad5e945498c737905cc04adfd1d08b578141223b16d6aaa90e320059a2b
    • Opcode Fuzzy Hash: 84fd96155f0b1f66a3427e3dbbbaca7e5ed24dc19be600931b1f09302c5ed3b8
    • Instruction Fuzzy Hash: F5E1D33160D3568FC315DF29C4C096EFBE1AF8A204F044A7DE8958BB92E734E945DB92
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ceaab98dea8800dafbcbbbc29c3b601cbfd96e68b173929fb1c6df68e6306090
    • Instruction ID: 90725cee9885dc26dc54e9802b529cee00577a9c36016441a12b7f4ebc8215d9
    • Opcode Fuzzy Hash: ceaab98dea8800dafbcbbbc29c3b601cbfd96e68b173929fb1c6df68e6306090
    • Instruction Fuzzy Hash: 2AF1C27460D7908FD364CF29C490B5FBBE1BBC9204F54892EE9D887751EB31A849CB52
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7099e13b5af9e5f19af27839411497dda8e95d2269081f0865d4ad4b6f18c959
    • Instruction ID: 1e37f2f7b2c81a6fbfa032c422fdc3be86428d0394e008d5a08ceb44204a5097
    • Opcode Fuzzy Hash: 7099e13b5af9e5f19af27839411497dda8e95d2269081f0865d4ad4b6f18c959
    • Instruction Fuzzy Hash: 369179326093594FC319EE9DC4D051EBBE2FBC8788F58473CD9690B780EB759909C682
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 20660ae35d67ed051b5fe91141bd4ef6db36c639dd40e4db4de762af31e795fc
    • Instruction ID: 55f65b13b9dd8ed5cc6a8f22883681d2121ea912a8e0b4bb0feda23bef90989a
    • Opcode Fuzzy Hash: 20660ae35d67ed051b5fe91141bd4ef6db36c639dd40e4db4de762af31e795fc
    • Instruction Fuzzy Hash: C68124367493794FD311EDA888D024E3A92EBC8798F19473CD9748B7C5FBB5980582C2
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b20766ab3dc7502dab787efa6de840498fff7ddb46034e4909725741133dedf3
    • Instruction ID: c42c1d9e904de8c0943437cbe2ab60cac465d46b5d969d2456ef720bfcb64526
    • Opcode Fuzzy Hash: b20766ab3dc7502dab787efa6de840498fff7ddb46034e4909725741133dedf3
    • Instruction Fuzzy Hash: C191C876A147184BD304DE59CCC0259B3E2BBC8764F49C63CE8A897745E674EE49CB82
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6e6df898f5583dda36bf1dec91ded43eedcdfc2e4071004e02a3734219c526d9
    • Instruction ID: c502f8a6d957f917e6e06b7407a734ef308ebbd9a5b4b9d52b7bffa7798444ac
    • Opcode Fuzzy Hash: 6e6df898f5583dda36bf1dec91ded43eedcdfc2e4071004e02a3734219c526d9
    • Instruction Fuzzy Hash: EC8108B2A183508FC314DF29D88095AF7E2BFC9748F46892DF988D7711E771E9158B82
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    APIs
    Strings
    • Address %p has no image-section, xrefs: 6CC565DB
    • @, xrefs: 6CC56578
    • VirtualProtect failed with code 0x%x, xrefs: 6CC5659A
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6CC565C7
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    APIs
    • CreateEventA.KERNEL32 ref: 6CC55CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CC55D89), ref: 6CC55CEB
    • fwrite.MSVCRT ref: 6CC55D20
    • abort.MSVCRT ref: 6CC55D25
    Strings
    • =, xrefs: 6CC55D05
    • runtime: failed to create runtime initialization wait event., xrefs: 6CC55D19
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    APIs
    • Sleep.KERNEL32(?,?,?,6CBC12E0,?,?,?,?,?,?,6CBC13A3), ref: 6CBC1057
    • _amsg_exit.MSVCRT ref: 6CBC1085
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6CC55E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CC545D9), ref: 6CC55E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CC545D9), ref: 6CC55E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CC545D9), ref: 6CC55E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CC545D9), ref: 6CC55E50
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6CC57248
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: 54634b9a39d585648a2f2b541c0dad25e95fedd872b6a8bceb16b38ed53b6ab4
    • Instruction ID: 842e688759cc172f8808559582d4b960c77456677456ff2de5455b7fe58609a5
    • Opcode Fuzzy Hash: 54634b9a39d585648a2f2b541c0dad25e95fedd872b6a8bceb16b38ed53b6ab4
    • Instruction Fuzzy Hash: 62E0C2B0418304DED300AF68C58529EBBE4AF85348F81CA1CE0C847B51E77984A9AB57
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CBC12A5), ref: 6CC56709
    Strings
    • Unknown pseudo relocation bit size %d., xrefs: 6CC56799
    • Unknown pseudo relocation protocol version %d., xrefs: 6CC56864
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    • Associated: 00000003.00000002.1693037124.000000006CBC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693184432.000000006CC58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693269852.000000006CC59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693288710.000000006CC5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693369371.000000006CC5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693496426.000000006CD08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694097196.000000006CD26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694198985.000000006CD2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694232224.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694259577.000000006CD31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: 9421155623fe2b39b31341538ac9808467cae6a34e540451aae3c3c14c78e0e3
    • Instruction ID: 0588385f77d58738a7d8d1dc52377f799b9feca201706a4da0e2e883c614543a
    • Opcode Fuzzy Hash: 9421155623fe2b39b31341538ac9808467cae6a34e540451aae3c3c14c78e0e3
    • Instruction Fuzzy Hash: 4E61DB71B0060A8FDB04DFA8C480659B7B9FB85318BA5826DD944DBB50F730E8268B89
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1693073604.000000006CBC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBC0000, based on PE: true
    • Associated: 00000003.00000002.1693037124.000000006CBC0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693184432.000000006CC58000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693269852.000000006CC59000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693288710.000000006CC5A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693369371.000000006CC5F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693496426.000000006CD08000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD0E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1693688251.000000006CD13000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694097196.000000006CD26000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694198985.000000006CD2D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694232224.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.1694259577.000000006CD31000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6cbc0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 9f79f2f9ea21018963c12a8c17e4b630f26bfb427a90b16f4876f5825573c316
    • Instruction ID: b8b8b83d08b75bab09dc1f299fb271c38880bbc1509bf39fa17d227ad98de952
    • Opcode Fuzzy Hash: 9f79f2f9ea21018963c12a8c17e4b630f26bfb427a90b16f4876f5825573c316
    • Instruction Fuzzy Hash: 17F0A472A006048FFB107F7DC48991B7BB8EE85258B050528DF858B715E734E828CBE3

    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:3
    Total number of Limit Nodes:0
    Execution graph nodes:
    • 41718: 6cebcea0
    • 41719: 6cebceb9
    • 41720: 6cebcec8 (WriteFile)
    Execution graph edges: 41718 -> 41719, 41718 -> 41720, 41719 -> 41720

    Control-flow Graph

    Control-flow graph basic blocks:
    • 0: 6cebcea0-6cebceb7
    • 1: 6cebceb9-6cebcec6
    • 2: 6cebcec8-6cebcee0 (WriteFile)
    Control-flow graph edges: 0 -> 1, 0 -> 2, 1 -> 2
    APIs
    Memory Dump Source
    • Source File: 0000000C.00000002.1789793745.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000C.00000002.1789707181.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1789986192.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790056074.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790193963.000000006CEEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790400231.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790591621.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790770097.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790821486.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790957309.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1791079702.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: cc1fd6f89c73f8a98e1b2069f6d4417007aaf94528f940ba60e9211019e91e5c
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 12E0E571505600CFCB15DF18C2C1316BBF1EB48A00F1485A8DE099FB4AD734ED10CB92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6CEE634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6CEE635F
    • GetCurrentProcess.KERNEL32 ref: 6CEE6368
    • TerminateProcess.KERNEL32 ref: 6CEE6379
    • abort.MSVCRT ref: 6CEE6382
    Memory Dump Source
    • Source File: 0000000C.00000002.1789793745.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000C.00000002.1789707181.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1789986192.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790056074.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790193963.000000006CEEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790400231.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790591621.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790770097.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790821486.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790957309.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1791079702.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 3b7654b83c75ac53d661f006c5af1b88b835997dc3444485bd9f28f3e30cffc9
    • Instruction ID: c01115e0885c00cd184b16fc268a86b7522e78174af1159d00ae36f0470d0b4e
    • Opcode Fuzzy Hash: 3b7654b83c75ac53d661f006c5af1b88b835997dc3444485bd9f28f3e30cffc9
    • Instruction Fuzzy Hash: 291113B5E04705CFCB80EF69C18971ABBF0FB4A344F108969E988C7350E73499448F96
    APIs
    • Sleep.KERNEL32(?,?,?,6CE512E0,?,?,?,?,?,?,6CE513A3), ref: 6CE51057
    • _amsg_exit.MSVCRT ref: 6CE51085
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1789793745.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000C.00000002.1789707181.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1789986192.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790056074.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790193963.000000006CEEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790400231.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790591621.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790770097.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790821486.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790957309.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1791079702.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID: cl
    • API String ID: 1015461914-3294154526
    • Opcode ID: 105f4ab4b984f6677e7ef37609b74566e95a611b511b0e55999915560b970f04
    • Instruction ID: 034096a6772501d96a07f07996debac76ff4f777cc6a4c15796b8aa2b2d1c7fc
    • Opcode Fuzzy Hash: 105f4ab4b984f6677e7ef37609b74566e95a611b511b0e55999915560b970f04
    • Instruction Fuzzy Hash: E141C372B18240CBEB81AFAEC58174B77F0EB82388FB0456ED9448B704D736C491CB92
    APIs
    Strings
    • VirtualProtect failed with code 0x%x, xrefs: 6CEE659A
    • @, xrefs: 6CEE6578
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6CEE65C7
    • Address %p has no image-section, xrefs: 6CEE65DB
    Memory Dump Source
    • Source File: 0000000C.00000002.1789793745.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000C.00000002.1789707181.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1789986192.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790056074.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790193963.000000006CEEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790400231.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790591621.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790770097.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790821486.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790957309.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1791079702.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 5ff91f0c9b6148873dd2d671024b80ef246915b2c42c1634c3f438b3972dab32
    • Instruction ID: dd3f0d7ed7e687160b8016fc1e31df1c50635f46e8aa1651c8ccc606db051bf9
    • Opcode Fuzzy Hash: 5ff91f0c9b6148873dd2d671024b80ef246915b2c42c1634c3f438b3972dab32
    • Instruction Fuzzy Hash: E1418DB2A053058FDB00DF69D4C464AFBF4FB89358F258A6DD9988B714E730E409CB92
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1789793745.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000C.00000002.1789707181.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1789986192.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790056074.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790193963.000000006CEEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790400231.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790591621.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790770097.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790821486.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790957309.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1791079702.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: c3659649ce7009242c75df2d62695a6eb2535277adac0d8632141cab2de32a8c
    • Instruction ID: 749d889f86ff93c408eba43b8ccd5c815ce1620b9e78d04d6e7c74fc5168a41f
    • Opcode Fuzzy Hash: c3659649ce7009242c75df2d62695a6eb2535277adac0d8632141cab2de32a8c
    • Instruction Fuzzy Hash: F6019AB2D093008BDB50BFB8AA4731EBFF4AB46284F22492DD88887714D7319414CBA3
    APIs
    • CreateEventA.KERNEL32 ref: 6CEE5CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CEE5D89), ref: 6CEE5CEB
    • fwrite.MSVCRT ref: 6CEE5D20
    • abort.MSVCRT ref: 6CEE5D25
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6CEE5D19
    • =, xrefs: 6CEE5D05
    Memory Dump Source
    • Source File: 0000000C.00000002.1789793745.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000C.00000002.1789707181.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1789986192.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790056074.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790193963.000000006CEEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790400231.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790591621.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790770097.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790821486.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790957309.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1791079702.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: 34fe00138458d92a0e18d9eecd174d7b12014dcb14060c6c5c1026fb1df6c5e4
    • Instruction ID: 4986bece4cc691b4b1a71c31cf8788a6580613f8f90560d96e221195fc361204
    • Opcode Fuzzy Hash: 34fe00138458d92a0e18d9eecd174d7b12014dcb14060c6c5c1026fb1df6c5e4
    • Instruction Fuzzy Hash: 30F037B09053019FE780BF68C10931FBBF0BF45348FA5885CE8988B641EB7980488FA3
    APIs
    Memory Dump Source
    • Source File: 0000000C.00000002.1789793745.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000C.00000002.1789707181.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1789986192.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790056074.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790193963.000000006CEEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790400231.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790591621.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790770097.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790821486.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790957309.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1791079702.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: f03b32aafdbb97f0a4340052635349fa9c27d485feb15ae646d5711ce8eaa0b8
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: DD110AB11053018BE7409F68D98075A7BF4FF4E398F248A6DE498CBB86EB74D845CB52
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6CEE6289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CE513B9), ref: 6CEE629A
    • GetCurrentThreadId.KERNEL32 ref: 6CEE62A2
    • GetTickCount.KERNEL32 ref: 6CEE62AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CE513B9), ref: 6CEE62B9
    Memory Dump Source
    • Source File: 0000000C.00000002.1789793745.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000C.00000002.1789707181.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1789986192.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790056074.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790193963.000000006CEEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790400231.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790591621.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790770097.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790821486.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790957309.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1791079702.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 85c9013e550e1c3c051574f932a939cdabc9ad8df0fb485dbef277777bb35981
    • Instruction ID: 2fdcfd6ff609a7306806e8929d6327c1631fd6df9a0cafeb04d322d71649104b
    • Opcode Fuzzy Hash: 85c9013e550e1c3c051574f932a939cdabc9ad8df0fb485dbef277777bb35981
    • Instruction Fuzzy Hash: D91166B1A157008BCB40DF79E48864BBBF4FB8D2A4F040D3AE544C7300EB3494488BC2
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6CEE5E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CEE45D9), ref: 6CEE5E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CEE45D9), ref: 6CEE5E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CEE45D9), ref: 6CEE5E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CEE45D9), ref: 6CEE5E50
    Memory Dump Source
    • Source File: 0000000C.00000002.1789793745.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000C.00000002.1789707181.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1789986192.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790056074.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790193963.000000006CEEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790400231.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790591621.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790770097.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790821486.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790957309.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1791079702.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 89f2d760b6b3e3c61e758d4c95ea8142a1d38195142a944f80a0562bceb4d234
    • Instruction ID: d1077880f0be8df8cb907f49e7655166975a3c06af03fc2d89a3f22a4ab04403
    • Opcode Fuzzy Hash: 89f2d760b6b3e3c61e758d4c95ea8142a1d38195142a944f80a0562bceb4d234
    • Instruction Fuzzy Hash: 0A015271A14308CFDA00BF79998551FBBB4BF46354FA5052DE8D447260D731A468CBA3
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6CEE7248
    Memory Dump Source
    • Source File: 0000000C.00000002.1789793745.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000C.00000002.1789707181.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1789986192.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790056074.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790193963.000000006CEEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790400231.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790591621.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790770097.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790821486.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790957309.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1791079702.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: db2d2f6114ded74b73d37f739c8502e8544595bf1583ba452133edaae905304d
    • Instruction ID: d64e8135094fc225e4d916ad623738d8736837200b3cb8f775c5e8ccfaebaf13
    • Opcode Fuzzy Hash: db2d2f6114ded74b73d37f739c8502e8544595bf1583ba452133edaae905304d
    • Instruction Fuzzy Hash: 65E0C2B000C3049FD300AF64C08529EBBF4AF89388F61891CE0C84BB56D77984898B53
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CE512A5), ref: 6CEE6709
    Strings
    • Unknown pseudo relocation bit size %d., xrefs: 6CEE6799
    • Unknown pseudo relocation protocol version %d., xrefs: 6CEE6864
    Memory Dump Source
    • Source File: 0000000C.00000002.1789793745.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000C.00000002.1789707181.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1789986192.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790056074.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790193963.000000006CEEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790400231.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790591621.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790770097.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790821486.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790957309.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1791079702.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: b699733f6c2b48a57f39da52a8f185667d3e17522307924164891d8a921b402c
    • Instruction ID: bd5e82d00150ed844f1a53ff568093abfa399a0358551f36e7d1a2ab595e5716
    • Opcode Fuzzy Hash: b699733f6c2b48a57f39da52a8f185667d3e17522307924164891d8a921b402c
    • Instruction Fuzzy Hash: BD61E471E1420EDFCF48DF68C5C0A49B7BAFB89358F748629DA04DBB04D371A9468B81
    APIs
    Memory Dump Source
    • Source File: 0000000C.00000002.1789793745.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000C.00000002.1789707181.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1789986192.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790056074.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790193963.000000006CEEA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790400231.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790591621.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790649870.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790770097.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790821486.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1790957309.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.1791079702.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 57572d4b1d39fdfd145aeab56f9f852edcfb0268e6818d6a2a21bda2b53b5ba3
    • Instruction ID: 80489019cb455db9818c951ea9861145c0516c5c39a042d66ba5a27ed17846f3
    • Opcode Fuzzy Hash: 57572d4b1d39fdfd145aeab56f9f852edcfb0268e6818d6a2a21bda2b53b5ba3
    • Instruction Fuzzy Hash: 28F0A476E006088FDB007F7DC4C9A1B7BB8EA49398B150668DE4487305E730A418CBE7

    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:3
    Total number of Limit Nodes:0
    execution_graph 41718 6cebcea0 41719 6cebceb9 41718->41719 41720 6cebcec8 VirtualAlloc 41718->41720 41719->41720

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 0 6cebcea0-6cebceb7 1 6cebceb9-6cebcec6 0->1 2 6cebcec8-6cebcee0 VirtualAlloc 0->2 1->2
    APIs
    Memory Dump Source
    • Source File: 0000000F.00000002.1785682159.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000F.00000002.1785580350.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786030618.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786134351.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786232243.000000006CEED000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786334506.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786939023.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787391940.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787474243.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787585495.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787684115.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: cc1fd6f89c73f8a98e1b2069f6d4417007aaf94528f940ba60e9211019e91e5c
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 12E0E571505600CFCB15DF18C2C1316BBF1EB48A00F1485A8DE099FB4AD734ED10CB92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6CEE634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6CEE635F
    • GetCurrentProcess.KERNEL32 ref: 6CEE6368
    • TerminateProcess.KERNEL32 ref: 6CEE6379
    • abort.MSVCRT ref: 6CEE6382
    Memory Dump Source
    • Source File: 0000000F.00000002.1785682159.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000F.00000002.1785580350.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786030618.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786134351.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786232243.000000006CEED000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786334506.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786939023.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787391940.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787474243.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787585495.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787684115.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 3b7654b83c75ac53d661f006c5af1b88b835997dc3444485bd9f28f3e30cffc9
    • Instruction ID: c01115e0885c00cd184b16fc268a86b7522e78174af1159d00ae36f0470d0b4e
    • Opcode Fuzzy Hash: 3b7654b83c75ac53d661f006c5af1b88b835997dc3444485bd9f28f3e30cffc9
    • Instruction Fuzzy Hash: 291113B5E04705CFCB80EF69C18971ABBF0FB4A344F108969E988C7350E73499448F96
    APIs
    • Sleep.KERNEL32(?,?,?,6CE512E0,?,?,?,?,?,?,6CE513A3), ref: 6CE51057
    • _amsg_exit.MSVCRT ref: 6CE51085
    Strings
    Memory Dump Source
    • Source File: 0000000F.00000002.1785682159.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000F.00000002.1785580350.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786030618.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786134351.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786232243.000000006CEED000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786334506.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786939023.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787391940.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787474243.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787585495.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787684115.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID: cl
    • API String ID: 1015461914-3294154526
    • Opcode ID: 105f4ab4b984f6677e7ef37609b74566e95a611b511b0e55999915560b970f04
    • Instruction ID: 034096a6772501d96a07f07996debac76ff4f777cc6a4c15796b8aa2b2d1c7fc
    • Opcode Fuzzy Hash: 105f4ab4b984f6677e7ef37609b74566e95a611b511b0e55999915560b970f04
    • Instruction Fuzzy Hash: E141C372B18240CBEB81AFAEC58174B77F0EB82388FB0456ED9448B704D736C491CB92
    APIs
    Strings
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6CEE65C7
    • VirtualProtect failed with code 0x%x, xrefs: 6CEE659A
    • @, xrefs: 6CEE6578
    • Address %p has no image-section, xrefs: 6CEE65DB
    Memory Dump Source
    • Source File: 0000000F.00000002.1785682159.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000F.00000002.1785580350.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786030618.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786134351.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786232243.000000006CEED000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786334506.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786939023.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787391940.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787474243.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787585495.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787684115.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 5ff91f0c9b6148873dd2d671024b80ef246915b2c42c1634c3f438b3972dab32
    • Instruction ID: dd3f0d7ed7e687160b8016fc1e31df1c50635f46e8aa1651c8ccc606db051bf9
    • Opcode Fuzzy Hash: 5ff91f0c9b6148873dd2d671024b80ef246915b2c42c1634c3f438b3972dab32
    • Instruction Fuzzy Hash: E1418DB2A053058FDB00DF69D4C464AFBF4FB89358F258A6DD9988B714E730E409CB92
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000F.00000002.1785682159.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000F.00000002.1785580350.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786030618.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786134351.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786232243.000000006CEED000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786334506.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786939023.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787391940.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787474243.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787585495.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787684115.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: c3659649ce7009242c75df2d62695a6eb2535277adac0d8632141cab2de32a8c
    • Instruction ID: 749d889f86ff93c408eba43b8ccd5c815ce1620b9e78d04d6e7c74fc5168a41f
    • Opcode Fuzzy Hash: c3659649ce7009242c75df2d62695a6eb2535277adac0d8632141cab2de32a8c
    • Instruction Fuzzy Hash: F6019AB2D093008BDB50BFB8AA4731EBFF4AB46284F22492DD88887714D7319414CBA3
    APIs
    • CreateEventA.KERNEL32 ref: 6CEE5CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CEE5D89), ref: 6CEE5CEB
    • fwrite.MSVCRT ref: 6CEE5D20
    • abort.MSVCRT ref: 6CEE5D25
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6CEE5D19
    • =, xrefs: 6CEE5D05
    Memory Dump Source
    • Source File: 0000000F.00000002.1785682159.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000F.00000002.1785580350.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786030618.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786134351.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786232243.000000006CEED000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786334506.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786939023.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787391940.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787474243.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787585495.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787684115.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: 34fe00138458d92a0e18d9eecd174d7b12014dcb14060c6c5c1026fb1df6c5e4
    • Instruction ID: 4986bece4cc691b4b1a71c31cf8788a6580613f8f90560d96e221195fc361204
    • Opcode Fuzzy Hash: 34fe00138458d92a0e18d9eecd174d7b12014dcb14060c6c5c1026fb1df6c5e4
    • Instruction Fuzzy Hash: 30F037B09053019FE780BF68C10931FBBF0BF45348FA5885CE8988B641EB7980488FA3
    APIs
    Memory Dump Source
    • Source File: 0000000F.00000002.1785682159.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000F.00000002.1785580350.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786030618.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786134351.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786232243.000000006CEED000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786334506.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786939023.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787391940.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787474243.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787585495.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787684115.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: f03b32aafdbb97f0a4340052635349fa9c27d485feb15ae646d5711ce8eaa0b8
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: DD110AB11053018BE7409F68D98075A7BF4FF4E398F248A6DE498CBB86EB74D845CB52
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6CEE6289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CE513B9), ref: 6CEE629A
    • GetCurrentThreadId.KERNEL32 ref: 6CEE62A2
    • GetTickCount.KERNEL32 ref: 6CEE62AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CE513B9), ref: 6CEE62B9
    Memory Dump Source
    • Source File: 0000000F.00000002.1785682159.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000F.00000002.1785580350.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786030618.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786134351.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786232243.000000006CEED000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786334506.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786939023.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787391940.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787474243.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787585495.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787684115.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 85c9013e550e1c3c051574f932a939cdabc9ad8df0fb485dbef277777bb35981
    • Instruction ID: 2fdcfd6ff609a7306806e8929d6327c1631fd6df9a0cafeb04d322d71649104b
    • Opcode Fuzzy Hash: 85c9013e550e1c3c051574f932a939cdabc9ad8df0fb485dbef277777bb35981
    • Instruction Fuzzy Hash: D91166B1A157008BCB40DF79E48864BBBF4FB8D2A4F040D3AE544C7300EB3494488BC2
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6CEE5E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CEE45D9), ref: 6CEE5E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CEE45D9), ref: 6CEE5E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CEE45D9), ref: 6CEE5E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CEE45D9), ref: 6CEE5E50
    Memory Dump Source
    • Source File: 0000000F.00000002.1785682159.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000F.00000002.1785580350.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786030618.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786134351.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786232243.000000006CEED000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786334506.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786939023.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787391940.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787474243.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787585495.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787684115.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 89f2d760b6b3e3c61e758d4c95ea8142a1d38195142a944f80a0562bceb4d234
    • Instruction ID: d1077880f0be8df8cb907f49e7655166975a3c06af03fc2d89a3f22a4ab04403
    • Opcode Fuzzy Hash: 89f2d760b6b3e3c61e758d4c95ea8142a1d38195142a944f80a0562bceb4d234
    • Instruction Fuzzy Hash: 0A015271A14308CFDA00BF79998551FBBB4BF46354FA5052DE8D447260D731A468CBA3
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6CEE7248
    Memory Dump Source
    • Source File: 0000000F.00000002.1785682159.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000F.00000002.1785580350.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786030618.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786134351.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786232243.000000006CEED000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786334506.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786939023.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787391940.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787474243.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787585495.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787684115.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: db2d2f6114ded74b73d37f739c8502e8544595bf1583ba452133edaae905304d
    • Instruction ID: d64e8135094fc225e4d916ad623738d8736837200b3cb8f775c5e8ccfaebaf13
    • Opcode Fuzzy Hash: db2d2f6114ded74b73d37f739c8502e8544595bf1583ba452133edaae905304d
    • Instruction Fuzzy Hash: 65E0C2B000C3049FD300AF64C08529EBBF4AF89388F61891CE0C84BB56D77984898B53
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CE512A5), ref: 6CEE6709
    Strings
    • Unknown pseudo relocation bit size %d., xrefs: 6CEE6799
    • Unknown pseudo relocation protocol version %d., xrefs: 6CEE6864
    Memory Dump Source
    • Source File: 0000000F.00000002.1785682159.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000F.00000002.1785580350.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786030618.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786134351.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786232243.000000006CEED000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786334506.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786939023.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787391940.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787474243.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787585495.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787684115.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: b699733f6c2b48a57f39da52a8f185667d3e17522307924164891d8a921b402c
    • Instruction ID: bd5e82d00150ed844f1a53ff568093abfa399a0358551f36e7d1a2ab595e5716
    • Opcode Fuzzy Hash: b699733f6c2b48a57f39da52a8f185667d3e17522307924164891d8a921b402c
    • Instruction Fuzzy Hash: BD61E471E1420EDFCF48DF68C5C0A49B7BAFB89358F748629DA04DBB04D371A9468B81
    APIs
    Memory Dump Source
    • Source File: 0000000F.00000002.1785682159.000000006CE51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CE50000, based on PE: true
    • Associated: 0000000F.00000002.1785580350.000000006CE50000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786030618.000000006CEE8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786134351.000000006CEE9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786232243.000000006CEED000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786334506.000000006CEEF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1786939023.000000006CF98000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CF9E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787128216.000000006CFA3000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787391940.000000006CFB6000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787474243.000000006CFBD000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787585495.000000006CFBE000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000F.00000002.1787684115.000000006CFC1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_6ce50000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 57572d4b1d39fdfd145aeab56f9f852edcfb0268e6818d6a2a21bda2b53b5ba3
    • Instruction ID: 80489019cb455db9818c951ea9861145c0516c5c39a042d66ba5a27ed17846f3
    • Opcode Fuzzy Hash: 57572d4b1d39fdfd145aeab56f9f852edcfb0268e6818d6a2a21bda2b53b5ba3
    • Instruction Fuzzy Hash: 28F0A476E006088FDB007F7DC4C9A1B7BB8EA49398B150668DE4487305E730A418CBE7