Windows Analysis Report
VgABl5OHWd.dll

Overview

General Information

Sample name: VgABl5OHWd.dll (renamed because the original name is a hash value)
Original sample name: be9a28ccd089b684187a96e3b4db60ffc3e69ef38bd7222db8d62b604894039f.dll
Analysis ID: 1544815
MD5: 1189b769816d204c828cf0430e53b776
SHA1: f18477eccdebeb7d16d696f82f2d14e22d16ac47
SHA256: be9a28ccd089b684187a96e3b4db60ffc3e69ef38bd7222db8d62b604894039f
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 5160 cmdline: loaddll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2556 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 3060 cmdline: rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 6516 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 844 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 2780 cmdline: rundll32.exe C:\Users\user\Desktop\VgABl5OHWd.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 4564 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 856 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 5144 cmdline: rundll32.exe C:\Users\user\Desktop\VgABl5OHWd.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4396 cmdline: rundll32.exe C:\Users\user\Desktop\VgABl5OHWd.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6804 cmdline: rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 728 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6804 -s 824 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 6848 cmdline: rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6388 cmdline: rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2876 cmdline: rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5568 cmdline: rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",SpellSpell MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3856 cmdline: rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",SpellInit MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2820 cmdline: rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",SpellFree MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1292 cmdline: rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1784 cmdline: rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6524 cmdline: rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.9% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC11830
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C861830
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C861830
Source: VgABl5OHWd.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: VgABl5OHWd.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (4_2_6CBE2CA6)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (4_2_6CBE2CA0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx (4_2_6CBFCEC0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh (4_2_6CC09030)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh (4_2_6CC0A360)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (13_2_6C832CA0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (13_2_6C832CA6)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx (13_2_6C84CEC0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh (13_2_6C859030)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh (13_2_6C85A360)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (17_2_6C832CA0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax (17_2_6C832CA6)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx (17_2_6C84CEC0)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh (17_2_6C859030)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh (17_2_6C85A360)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC12A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC11A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC11570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC111F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C862A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C861A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C861570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C8611F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C862A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C861A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C861570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C8611F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CBE2CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CBE2CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC3BC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC66C20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC0AD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC64D20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC35ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CBEBE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC5CEF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC72E70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC1CF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC74F30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC4A872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC0D9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC659D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CBF59F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CBF0AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC0CA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CBEFBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC0BB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC01440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC26470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC03400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC695A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC62560
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC38570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC0C6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC3D6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC06630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC5E740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC66740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CBF80A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC0C080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CBE90F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC0D040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC16010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC0B2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CBE32A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC47280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC1E240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC73230
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC093F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC1A320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC4332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C832CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C832CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C88BC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C8B6C20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C8B4D20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C85AD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C83BE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C885ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C8ACEF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C8C2E70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C86CF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C8C4F30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C89A872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C85D9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C8B59D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C8459F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C840AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C85CA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C83FBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C85BB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C853400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C851440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C876470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C8B95A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C8B2560
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C888570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C85C6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C88D6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C856630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C8AE740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C8B6740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C85C080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C8480A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C8390F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C866010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C85D040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C897280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C8332A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C85B2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C8C3230
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C86E240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C8593F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C86A320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C89332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C832CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C832CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C88BC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C8B6C20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C8B4D20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C85AD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C83BE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C885ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C8ACEF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C8C2E70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C86CF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C8C4F30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C89A872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C85D9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C8B59D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C8459F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C840AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C85CA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C83FBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C85BB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C853400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C851440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C876470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C8B95A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C8B2560
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C888570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C85C6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C88D6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C856630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C8AE740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C8B6740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C85C080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C8480A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C8390F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C866010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C85D040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C897280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C8332A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C85B2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C8C3230
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C86E240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C8593F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C86A320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C89332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CC46A90 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6C896A90 appears 962 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6C863B30 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6C895740 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6C867410 appears 1386 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6C865080 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6C832C30 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CC17410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 856
Source: VgABl5OHWd.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine | Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC75B30 GetLastError, FormatMessageA, fprintf, LocalFree
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b826d8fd-12db-44da-b33f-df35cd54f9eb
Source: VgABl5OHWd.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\VgABl5OHWd.dll,BarCreate
Source: rundll32.exe | String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe | String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe | String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe | String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe | String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe | String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe | String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe | String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe | String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe | String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe | String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe | String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe | String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exe | String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe | String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe | String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exeString found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exeString found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
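How to turn string evidence of this kind into a toolchain fingerprint, as an added example that is not part of the Joe Sandbox report and not code from the sample. It checks three things the rows above point at: well-known Go runtime panic strings, runtime/metrics names whose introduction dates bound the Go version, and two structures every Go binary carries, the pclntab header and the build-info record that stores the exact "goN.N.N". The sample blob, the version table and the header offsets used are this example's own assumptions; the blob is constructed and is not the analysed DLL.

```python
"""Fingerprint a Go build from raw image bytes (added example, constructed sample)."""
import struct

# Runtime panic strings quoted in the report; every Go binary carries them.
RUNTIME_MARKERS = [
    b"concurrent map read and map write",
    b"runtime: failed to decommit pages",
    b"runtime: VirtualQuery failed; errno=",
]
# runtime/metrics names from the report and the Go release that introduced each.
METRIC_MIN_VERSION = [
    (b"/gc/limiter/last-enabled:gc-cycle", (1, 19)),
    (b"/cpu/classes/gc/total:cpu-seconds", (1, 20)),
    (b"/sched/pauses/total/other:seconds", (1, 22)),
]
# pclntab header magic (little-endian) and the releases that emit it.
PCLNTAB_MAGIC = {
    b"\xfb\xff\xff\xff": "go1.2-go1.15",
    b"\xfa\xff\xff\xff": "go1.16-go1.17",
    b"\xf0\xff\xff\xff": "go1.18-go1.19",
    b"\xf1\xff\xff\xff": "go1.20+",
}
BUILDINFO_MAGIC = b"\xff Go buildinf:"   # start of the 32-byte build-info header


def find_pclntab(data):
    """Return (offset, release range) for the first plausible pclntab header."""
    for magic, release in PCLNTAB_MAGIC.items():
        pos = data.find(magic)
        while pos >= 0 and pos + 8 <= len(data):
            # header layout: magic, two zero pad bytes, min instruction size, pointer size
            if data[pos + 4:pos + 6] == b"\x00\x00" and data[pos + 7] in (4, 8):
                return pos, release
            pos = data.find(magic, pos + 1)
    return None


def read_uvarint(data, pos):
    """Decode a Go uvarint at pos; returns (value, position after it)."""
    value, shift = 0, 0
    while True:
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7


def buildinfo_version(data):
    """Go version from a build-info record that stores its strings inline (Go 1.18+)."""
    pos = data.find(BUILDINFO_MAGIC)
    if pos < 0 or pos + 33 > len(data):
        return None
    flags = data[pos + 15]            # byte 14 is pointer size, byte 15 is flags
    if not flags & 0x2:               # bit 1 clear: older pointer-based layout, skipped here
        return None
    n, start = read_uvarint(data, pos + 32)   # header is a fixed 32 bytes
    return data[start:start + n].decode("ascii", "replace")


def go_fingerprint(data):
    """Summarise the Go evidence found in data."""
    markers = [m.decode() for m in RUNTIME_MARKERS if m in data]
    floor = max((v for name, v in METRIC_MIN_VERSION if name in data), default=None)
    pcln = find_pclntab(data)
    return {
        "is_go": bool(markers) or pcln is not None,
        "runtime_markers": markers,
        "min_go_version": "go%d.%d" % floor if floor else None,
        "pclntab": pcln[1] if pcln else None,
        "buildinfo_version": buildinfo_version(data),
    }


# Constructed sample: strings from the report glued around a synthetic pclntab
# header and a synthetic Go 1.18+ build-info record. Not a real binary.
SAMPLE = (
    b"\x00" * 16
    + b"concurrent map read and map writeruntime: failed to decommit pages"
      b"/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle"
      b"/sched/pauses/total/other:seconds"
    + b"\x00" * 7
    + b"\xf1\xff\xff\xff\x00\x00\x01\x04"              # magic, pad, minLC=1, ptrsize=4
    + b"\x00" * 8
    + BUILDINFO_MAGIC + bytes([4, 2]) + b"\x00" * 16   # ptrsize=4, flags=inline strings
    + bytes([8]) + b"go1.22.5" + bytes([0])            # uvarint(8) "go1.22.5", empty modinfo
)

if __name__ == "__main__":
    for key, value in go_fingerprint(SAMPLE).items():
        print("%-18s %s" % (key, value))
```

Run against a real file, `go_fingerprint(open(path, "rb").read())` gives the runtime markers, a version floor from the metric names, the pclntab generation and, for Go 1.18 and later builds that were not stripped of build info, the exact toolchain version; agreement between the three is a good sign that the string table is the runtime's own and has not been planted.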
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\VgABl5OHWd.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 856
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 844
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\VgABl5OHWd.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\VgABl5OHWd.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6804 -s 824
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",BarRecognize
Note: loaddll32.exe is the sandbox's own harness, not part of the sample. It runs rundll32.exe once for ordinal #1 and once for each named export it finds: BarCreate, BarDestroy, BarFreeRec, BarRecognize, SpellInit, SpellSpell, SpellFree, SignalInitializeCrashReporting, GetInstallDetailsPayload and _cgo_dummy_export. The last of these is a symbol cgo generates, which together with the Go runtime strings places the DLL as Go code built with cgo as a shared library. The remaining names do not describe one coherent API (barcode-style Bar* calls next to Spell* calls and crash-reporting entry points), which is the pattern seen when a DLL borrows another library's export table so that a host application will load it; it is worth checking them against the legitimate DLL they resemble before treating them as decoys. Each WerFault.exe row names the PID it was launched for (-p 2780, -p 3060, -p 6804), so three of the rundll32.exe invocations faulted instead of running to completion, which the report records under "One or more processes crash".
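A small triage routine for rows of this shape, as an added example that is not code from the Joe Sandbox report. It parses "Process created:" rows, recovers which DLL and which export each rundll32.exe instance was asked to run, flags DLLs loaded from outside the Windows and Program Files trees, and collects the PIDs that WerFault.exe was launched for. The row list is transcribed from the evidence above; the trusted-path prefixes, the row format and the regular expressions are this example's own assumptions.

```python
"""Triage sandbox process-creation rows for rundll32 export probing (added example)."""
import re

# (parent image, child command line), transcribed from the report rows above.
ROWS = [
    ("unknown", 'loaddll32.exe "C:\\Users\\user\\Desktop\\VgABl5OHWd.dll"'),
    ("C:\\Windows\\System32\\loaddll32.exe",
     'cmd.exe /C rundll32.exe "C:\\Users\\user\\Desktop\\VgABl5OHWd.dll",#1'),
    ("C:\\Windows\\System32\\loaddll32.exe",
     "rundll32.exe C:\\Users\\user\\Desktop\\VgABl5OHWd.dll,BarCreate"),
    ("C:\\Windows\\SysWOW64\\cmd.exe",
     'rundll32.exe "C:\\Users\\user\\Desktop\\VgABl5OHWd.dll",#1'),
    ("C:\\Windows\\SysWOW64\\rundll32.exe",
     "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 2780 -s 856"),
    ("C:\\Windows\\System32\\loaddll32.exe",
     'rundll32.exe "C:\\Users\\user\\Desktop\\VgABl5OHWd.dll",_cgo_dummy_export'),
    ("C:\\Windows\\System32\\loaddll32.exe",
     'rundll32.exe "C:\\Users\\user\\Desktop\\VgABl5OHWd.dll",SignalInitializeCrashReporting'),
    ("C:\\Windows\\SysWOW64\\rundll32.exe",
     "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 6804 -s 824"),
]

# Command line must start with rundll32.exe (bare, quoted, or with a path prefix);
# a "cmd.exe /C rundll32.exe ..." row is the shell, not the load itself.
RUNDLL_HOST = re.compile(r'^"?(?:[^"\s]*\\)?rundll32\.exe"?\s+', re.I)
# <dll>,<export> where <export> is a name or an ordinal such as #1.
RUNDLL_ARGS = re.compile(r'"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>#\d+|[A-Za-z_]\w*)')
WERFAULT = re.compile(r"WerFault\.exe\b.*?\s-p\s+(?P<pid>\d+)", re.I)
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")   # assumption: treat as non-user-writable


def parse_rundll32(cmdline):
    """(dll, export) if cmdline is a direct rundll32 invocation, else None."""
    host = RUNDLL_HOST.match(cmdline)
    if not host:
        return None
    args = RUNDLL_ARGS.match(cmdline, host.end())
    return (args.group("dll"), args.group("export")) if args else None


def is_untrusted_path(path):
    """True for DLL paths outside the trusted prefixes (user profile, temp, ...)."""
    return not path.lower().startswith(TRUSTED_PREFIXES)


def triage(rows):
    """Collect rundll32 loads, the exports exercised, and PIDs that crashed into WerFault."""
    loads, crashed = [], []
    for parent, cmd in rows:
        hit = parse_rundll32(cmd)
        if hit:
            dll, export = hit
            loads.append({"parent": parent, "dll": dll, "export": export,
                          "untrusted_dll": is_untrusted_path(dll)})
        crash = WERFAULT.search(cmd)
        if crash:
            crashed.append(int(crash.group("pid")))
    return {
        "loads": loads,
        "exports": sorted({l["export"] for l in loads}),
        "untrusted_loads": sum(l["untrusted_dll"] for l in loads),
        "crashed_pids": crashed,
    }


if __name__ == "__main__":
    result = triage(ROWS)
    print("exports exercised:", ", ".join(result["exports"]))
    print("rundll32 loads from untrusted paths:", result["untrusted_loads"])
    print("WerFault launched for PIDs:", result["crashed_pids"])
```

The same parser applied to endpoint process-creation telemetry (Sysmon event 1, for instance) gives the detection a practitioner actually wants from this section: rundll32.exe loading a DLL from a user-writable path, with the export name preserved so that hits on known-good entry points such as Control_RunDLL can be excluded.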
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: VgABl5OHWd.dll | Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: VgABl5OHWd.dll | Static file information: File size 1368576 > 1048576
Source: VgABl5OHWd.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CBE13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress 4_2_6CBE13E0
Source: VgABl5OHWd.dll | Static PE information: real checksum: 0x1567d9 should be: 0x1547e0
Source: VgABl5OHWd.dll | Static PE information: section name: .eh_fram
Note: these static findings fit a GCC/MinGW-linked Go DLL and are weak evidence on their own. DYNAMIC_BASE means the image is relocated at load time, which is why the code-function addresses in this report (0x6CBE...., 0x6C8A....) differ from the 0x6d8c0000 preferred base. .eh_fram is GCC's .eh_frame unwind section with its name cut to the eight characters a PE section header allows. An invalid checksum only says that the header field does not match the file contents; the loader does not verify it for user-mode DLLs, so it cannot by itself distinguish a linker that never computed one from post-link patching. The GetModuleHandleA/LoadLibraryA/GetProcAddress chain at 4_2_6CBE13E0 is run-time API resolution, routine for runtime libraries and cgo glue but also the mechanism used to hide imports from the import table, so the names it resolves, rather than the mechanism, are what to inspect.
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC55094 pushad ; ret 4_2_6CC55095
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6CC5509D pushad ; ret 4_2_6CC5509E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0483AF60 push eax; retf 5_2_0483AF61
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0443D24C push edi; iretd 11_2_0443D27A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0443D315 push esi; retf 12_2_0443D316
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0443AF38 push eax; retf 12_2_0443AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_044808FF push 00000036h; retf 12_2_0448090D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C8A509D pushad ; ret 13_2_6C8A509E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6C8A5094 pushad ; ret 13_2_6C8A5095
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C8A509D pushad ; ret 17_2_6C8A509E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6C8A5094 pushad ; ret 17_2_6C8A5095
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_0443AF60 push eax; retf 19_2_0443AF61
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_04C3BF60 push eax; retf 20_2_04C3BF61
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_04C80E1C push esi; iretd 20_2_04C80E22
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_04C80910 push edx; iretd 20_2_04C8091C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0483C369 push esi; retf 21_2_0483C36A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0483AF38 push eax; retf 21_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04880456 push eax; ret 21_2_04880457
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_0503D7F5 push ebp; retf 22_2_0503D7F8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_0503AF38 push eax; retf 22_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_0483AF38 push eax; retf 23_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_0483D29F push ecx; retf 23_2_0483D2A8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 24_2_0483AF38 push eax; retf 24_2_0483AF39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 24_2_0488039D pushfd ; iretd 24_2_048803A7
Note: these rows are the matches behind the "Uses code obfuscation techniques (call, push, ret)" signature, and they deserve a second look before being counted. Only the pushad ; ret pairs (0x6CC5509x and 0x6C8A509x) lie inside the DLL's image mapping; every other match sits in low, separately allocated regions of the rundll32.exe process (0x0443...., 0x0483...., 0x04C3...., 0x0503....) and, with one exception (push eax; ret at 21_2_04880456), pairs a push with retf or iretd, instructions that 32-bit user-mode code has no reason to execute. Such pairs are typically data bytes that happen to disassemble as instructions. Before treating a match as obfuscation, confirm that the region is executable and that the value being pushed is a sensible code address.
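The check described above, written out as an added example that is not code from the Joe Sandbox report. The scanner reproduces the signature's pairing of a push with a following ret, retf or iretd for adjacent instruction bytes (the report's matcher also follows non-adjacent pairs such as 12_2_044808FF to 12_2_0448090D, which is not replicated here) and rates each hit: a push imm32; ret whose immediate lands inside the mapped image is a real indirect jump, while retf and iretd pairs, and immediates that point outside the image, are usually the disassembler tripping over data. The opcode table, the image range and the sample bytes are this example's own assumptions; the bytes are constructed and are not taken from the sample.

```python
"""Find push/ret style trampolines in raw code and rate each hit (added example)."""
import struct

RET_OPCODES = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
REG_PUSHES = {**{0x50 + r: "push reg" for r in range(8)}, 0x60: "pushad", 0x9C: "pushfd"}


def _hit(va, form, target, base, size):
    """Build one hit record; likely_code is the analyst's sanity check on the match."""
    in_image = None if target is None else (base <= target < base + size)
    # Only a plain ret transfers control to the pushed value in 32-bit user mode;
    # retf and iretd would also need a code selector (and flags) on the stack.
    likely = form.endswith("ret") and in_image is not False
    return {"va": va, "form": form, "target": target, "in_image": in_image, "likely_code": likely}


def scan_push_ret(code, base, size):
    """Return hit records for adjacent push/ret* pairs in code mapped at base."""
    hits, i, n = [], 0, len(code)
    while i < n - 1:
        op = code[i]
        if op == 0x68 and i + 5 < n and code[i + 5] in RET_OPCODES:          # push imm32 ; ret*
            target = struct.unpack_from("<I", code, i + 1)[0]
            hits.append(_hit(base + i, "push imm32; " + RET_OPCODES[code[i + 5]], target, base, size))
            i += 6
        elif op == 0x6A and i + 2 < n and code[i + 2] in RET_OPCODES:        # push imm8 ; ret*
            target = struct.unpack_from("<b", code, i + 1)[0] & 0xFFFFFFFF   # imm8 is sign-extended
            hits.append(_hit(base + i, "push imm8; " + RET_OPCODES[code[i + 2]], target, base, size))
            i += 3
        elif op in REG_PUSHES and code[i + 1] in RET_OPCODES:                 # push reg/pushad/pushfd ; ret*
            hits.append(_hit(base + i, REG_PUSHES[op] + "; " + RET_OPCODES[code[i + 1]], None, base, size))
            i += 2
        else:
            i += 1
    return hits


def summarize(hits):
    """(total matches, matches that plausibly execute as control transfers)."""
    return len(hits), sum(h["likely_code"] for h in hits)


# Constructed sample mapped at a base resembling the report's rundll32 image range.
BASE, SIZE = 0x6CBE0000, 0x100000
CODE = bytes.fromhex(
    "90 90"                 # padding
    "68 10 01 BE 6C C3"     # push 0x6CBE0110 ; ret    -> jump inside the image
    "68 36 00 00 00 CB"     # push 0x36 ; retf         -> data noise
    "50 C3"                 # push eax ; ret           -> jmp eax
    "9C CF"                 # pushfd ; iretd           -> data noise
    "60 C3"                 # pushad ; ret             -> jmp edi (edi is top of stack)
    "68 00 00 00 04 C3"     # push 0x04000000 ; ret    -> target outside the image
    "CC"
)

if __name__ == "__main__":
    for h in scan_push_ret(CODE, BASE, SIZE):
        target = "-" if h["target"] is None else "%08X" % h["target"]
        print("%08X  %-18s target=%s in_image=%s likely=%s"
              % (h["va"], h["form"], target, h["in_image"], h["likely_code"]))
    print("total/likely:", summarize(scan_push_ret(CODE, BASE, SIZE)))
```

On a real dump, pass each executable region's bytes with its actual base and size; matches in regions that are not executable can be discarded before the scan, which removes most of the retf/iretd noise the report shows in the 0x04...... ranges.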
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Note: the report repeats these rows once per process instance (each of the rundll32.exe and WerFault.exe processes sets the same modes); the repeats are collapsed above. "Process information set" with these values is a SetErrorMode call: NOGPFAULTERRORBOX suppresses the crash dialog, FAILCRITICALERRORS and NOOPENFILEERRORBOX suppress the other system error dialogs. Host processes such as rundll32.exe and the error-reporting tool itself set these modes routinely, so this block explains why the three crashes produced WerFault.exe processes rather than dialogs; it is not, by itself, evidence of anti-analysis behaviour by the sample.
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CC4C0C0 rdtscp 4_2_6CC4C0C0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_04480000 sldt word ptr [eax]16_2_04480000
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 1.3 %
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CC4C0C0 rdtscp 4_2_6CC4C0C0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CBE13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,4_2_6CBE13E0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CC74E50 free,free,GetProcessHeap,HeapFree,4_2_6CC74E50
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CC762FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,4_2_6CC762FC
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CC76300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,4_2_6CC76300
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_6C8C62FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,13_2_6C8C62FC
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_6C8C6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,13_2_6C8C6300
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_2_6C8C62FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,17_2_6C8C62FC
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_2_6C8C6300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,17_2_6C8C6300
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",#1Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CC76250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,4_2_6CC76250
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CC11C90 RtlGetVersion,RtlGetCurrentPeb,4_2_6CC11C90
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (11) | Virtualization/Sandbox Evasion (21) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (1) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (11) | LSASS Memory | Security Software Discovery (3) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information (1) | Security Account Manager | Virtualization/Sandbox Evasion (21) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (3) | NTDS | System Information Discovery (3) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Rundll32 (1) | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
(Numbers in parentheses are the count of matched signatures for that technique.)

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (text rendering of the graph image)
Behavior Graph ID: 1544815; Sample: VgABl5OHWd.dll; Start date: 29/10/2024; Architecture: WINDOWS; Score: 48
Signatures attached to the graph: "AI detected suspicious sample" (at the start node); "Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)" (on rundll32.exe)
Process tree: start -> loaddll32.exe; loaddll32.exe -> rundll32.exe, cmd.exe, rundll32.exe and 12 other processes; first rundll32.exe -> WerFault.exe; cmd.exe -> rundll32.exe -> WerFault.exe; second rundll32.exe -> WerFault.exe

Source | Detection | Scanner | Label | Link
VgABl5OHWd.dll | 5% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1544815
Start date and time:2024-10-29 19:27:52 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 6m 42s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:27
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:VgABl5OHWd.dll
renamed because original name is a hash value
Original Sample Name:be9a28ccd089b684187a96e3b4db60ffc3e69ef38bd7222db8d62b604894039f.dll
Detection:MAL
Classification:mal48.mine.winDLL@35/0@0/0
EGA Information:
  • Successful, ratio: 20%
HCA Information:
  • Successful, ratio: 67%
  • Number of executed functions: 6
  • Number of non-executed functions: 118
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target loaddll32.exe, PID 5160 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 1292 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 1784 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 2820 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 3060 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 3856 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 4396 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 5144 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 5568 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 6388 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 6524 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 6848 because there are no executed function
  • Not all processes where analyzed, report is missing behavior information
  • VT rate limit hit for: VgABl5OHWd.dll
Time | Type | Description
14:28:53 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
No context
No context
No context
No context
No context
No created / dropped files found
File type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):6.270388420977325
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:VgABl5OHWd.dll
File size:1'368'576 bytes
MD5:1189b769816d204c828cf0430e53b776
SHA1:f18477eccdebeb7d16d696f82f2d14e22d16ac47
SHA256:be9a28ccd089b684187a96e3b4db60ffc3e69ef38bd7222db8d62b604894039f
SHA512:f11f6a13666dc56ed84777f51a61f35c07816ca980fe6f42a6accae98e9a4b5d8c59a24124095cfc3a28e9115445423d49e7c89d9ad2ddeae51a2a2403a9281b
SSDEEP:24576:YmenGywFnfLb4SafpnDrLSMETyDvn6e6/E4lezS02nMYm:YrpJVyc1mL
TLSH:AA550800FD8784F1E403263285ABA2AF6325AD195F31CBC7FB44B779F9776954832286
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....d.......H.................m.................................g....@... .........................-..
Icon Hash:7ae282899bbab082
Entrypoint:0x6d8c1380
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x6d8c0000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:0x6d9563e0, 0x6d956390
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:47d9e8363ec498a9360ee0a7da269805
Instruction
sub esp, 1Ch
mov dword ptr [6DA2C730h], 00000000h
mov edx, dword ptr [esp+24h]
cmp edx, 01h
je 00007F86A8B9DE8Ch
mov ecx, dword ptr [esp+28h]
mov eax, dword ptr [esp+20h]
call 00007F86A8B9DCF2h
add esp, 1Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
mov dword ptr [esp+0Ch], edx
call 00007F86A8C32D0Ch
mov edx, dword ptr [esp+0Ch]
jmp 00007F86A8B9DE49h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 6DA08000h
mov dword ptr [esp+04h], eax
call 00007F86A8C33B5Eh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 6D95F000h
call dword ptr [6DA2E21Ch]
sub esp, 04h
test eax, eax
je 00007F86A8B9DEE5h
mov ebx, eax
mov dword ptr [esp], 6D95F000h
call dword ptr [6DA2E264h]
mov edi, dword ptr [6DA2E224h]
sub esp, 04h
mov dword ptr [6DA2C764h], eax
mov dword ptr [esp+04h], 6D95F013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 6D95F029h
mov dword ptr [esp], ebx
call edi
mov dword ptr [6D958000h], eax
sub esp, 08h
test esi, esi
je 00007F86A8B9DE83h
mov dword ptr [esp+00h], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x16d000 | 0x12d | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16e000 | 0xb78 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x171000 | 0x868c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x144fb0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x16e1cc | 0x190 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x962a8 | 0x96400 | 12a1fe44b18d076461e3df02973a0b0f | False | 0.46979805792429286 | data | 6.281990615706926 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x98000 | 0x67c8 | 0x6800 | be0e0b599a3abfdfb037ad8d2f30e967 | False | 0.42037259615384615 | data | 4.444523591435989 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x9f000 | 0xa6380 | 0xa6400 | ff1023ef2e9898d7f57124ba27a99adc | False | 0.4318050986842105 | data | 5.5909929104581675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram | 0x146000 | 0x1274 | 0x1400 | 85e22b3e84813337ea1a67b904c6bbcd | False | 0.3369140625 | data | 4.565839626312234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x148000 | 0x2477c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x16d000 | 0x12d | 0x200 | 67859e1c9d81f1d2bdf6b531a2016f52 | False | 0.44921875 | data | 3.400613123216997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata | 0x16e000 | 0xb78 | 0xc00 | cb8eb4a241279d6fed66c3ea8ecac795 | False | 0.3961588541666667 | data | 5.12056831676781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x16f000 | 0x2c | 0x200 | db151290603a2662b590a75b7e0b0988 | False | 0.0546875 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x170000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x171000 | 0x868c | 0x8800 | 080e7c6a736ad990f4b0b87da171f60d | False | 0.6670209099264706 | data | 6.630610538731408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetModuleHandleA, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadLocale, GetTickCount, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, PostQueuedCompletionStatus, QueryPerformanceCounter, RaiseFailFastException, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TerminateProcess, TlsAlloc, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WriteConsoleW, WriteFile, lstrlenA
msvcrt.dll | _amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, _wcsnicmp, abort, bsearch, calloc, fprintf, free, fwrite, malloc, mbstowcs, memcpy, memset, qsort, realloc, strcmp, strlen, strncmp, strtol, vfprintf, wcstombs
Name | Ordinal | Address
BarCreate | 1 | 0x6d9545d0
BarDestroy | 2 | 0x6d954850
BarFreeRec | 3 | 0x6d954800
BarRecognize | 4 | 0x6d9547b0
GetInstallDetailsPayload | 5 | 0x6d954710
SignalInitializeCrashReporting | 6 | 0x6d954760
SpellFree | 7 | 0x6d954620
SpellInit | 8 | 0x6d954670
SpellSpell | 9 | 0x6d9546c0
_cgo_dummy_export | 10 | 0x6da2c768
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 29, 2024 19:29:04.012818098 CET | 53 | 59640 | 1.1.1.1 | 192.168.2.5


Target ID:0
Start time:14:28:43
Start date:29/10/2024
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll"
Imagebase:0x1000000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:14:28:43
Start date:29/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:14:28:43
Start date:29/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",#1
Imagebase:0x790000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:14:28:43
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\VgABl5OHWd.dll,BarCreate
Imagebase:0x3b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:14:28:43
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",#1
Imagebase:0x3b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:14:28:44
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 856
Imagebase:0x4c0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:14:28:44
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 844
Imagebase:0x4c0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:14:28:46
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\VgABl5OHWd.dll,BarDestroy
Imagebase:0x3b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:14:28:49
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\VgABl5OHWd.dll,BarFreeRec
Imagebase:0x3b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:14:28:52
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",BarCreate
Imagebase:0x3b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:14:28:52
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",BarDestroy
Imagebase:0x3b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:16
Start time:14:28:52
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",BarFreeRec
Imagebase:0x3b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:14:28:52
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",_cgo_dummy_export
Imagebase:0x3b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:14:28:52
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6804 -s 824
Imagebase:0x4c0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:14:28:52
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",SpellSpell
Imagebase:0x3b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:14:28:52
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",SpellInit
Imagebase:0x3b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:14:28:53
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",SpellFree
Imagebase:0x3b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:14:28:53
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",SignalInitializeCrashReporting
Imagebase:0x3b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:14:28:53
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",GetInstallDetailsPayload
Imagebase:0x3b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:14:28:53
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\VgABl5OHWd.dll",BarRecognize
Imagebase:0x3b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true


    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:11
    Total number of Limit Nodes:1
    Execution graph (text rendering of the graph image; addresses are the graph's own node labels):
    Subgraph 1: 6cc4cea0 -> 6cc4cec8 (WriteFile); 6cc4cea0 -> 6cc4ceb9 -> 6cc4cec8 (WriteFile)
    Subgraph 2: 6cc75fb0 -> 6cc75fc7 (_beginthread); 6cc75fc7 -> 6cc76012; 6cc75fc7 -> 6cc75fe1 (_errno); 6cc75fe1 -> 6cc76020 (Sleep); 6cc75fe1 -> 6cc75fe8 (_errno); 6cc76020 -> 6cc75fc7 (retry loop); 6cc76020 -> 6cc76034 -> 6cc75fe8 (_errno); 6cc75fe8 -> 6cc75ff9 (fprintf, abort) -> 6cc76012

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6CC75FF9
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 1261927973-3231778263
    • Opcode ID: 09682c62d15728224c0a1991b88565ae44c8ba6760ef6997f38cc36f758d497e
    • Instruction ID: af0cd14cd41c6aaae972905200f836d7967071469d829399c701c8d776a48034
    • Opcode Fuzzy Hash: 09682c62d15728224c0a1991b88565ae44c8ba6760ef6997f38cc36f758d497e
    • Instruction Fuzzy Hash: EE0128B5509714AFD610BF69C88851EFBB8EB86328F05851DE68583A50E7349444AAB3

    Control-flow Graph

    control_flow_graph 8 6cc4cea0-6cc4ceb7 9 6cc4cec8-6cc4cee0 WriteFile 8->9 10 6cc4ceb9-6cc4cec6 8->10 10->9
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: 7f1a100b51c49d68e5a6472d340583573aa298f0e6936cb61c1de616dbaeacd8
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 46E0E571505600CFDB15DF18C2C1706BBE1EB48A00F0485A8DE098FB4AE734ED10CB92

    Control-flow Graph

    control_flow_graph 305 6cc74f30-6cc74f42 306 6cc75350-6cc7536e SetLastError 305->306 307 6cc74f48-6cc74f54 305->307 308 6cc75330-6cc7533f SetLastError 307->308 309 6cc74f5a-6cc74f71 307->309 310 6cc75342-6cc7534e 308->310 309->306 311 6cc74f77-6cc74f88 309->311 311->308 312 6cc74f8e-6cc74f98 311->312 312->308 313 6cc74f9e-6cc74fa7 312->313 313->308 314 6cc74fad-6cc74fbb 313->314 315 6cc74fc1-6cc74fc3 314->315 316 6cc75710-6cc75712 314->316 317 6cc74fc5-6cc74fe3 315->317 317->317 318 6cc74fe5-6cc7500f GetNativeSystemInfo 317->318 318->308 319 6cc75015-6cc75047 318->319 321 6cc75370-6cc753a3 319->321 322 6cc7504d-6cc75073 GetProcessHeap HeapAlloc 319->322 321->322 328 6cc753a9-6cc753bb SetLastError 321->328 323 6cc75731-6cc7576a SetLastError 322->323 324 6cc75079-6cc750e4 322->324 323->310 326 6cc753c0-6cc753cd SetLastError 324->326 327 6cc750ea-6cc7515c memcpy 324->327 329 6cc753d0-6cc753e6 call 6cc74e50 326->329 333 6cc75162-6cc75164 327->333 334 6cc751ea-6cc751f5 327->334 328->310 336 6cc75166-6cc7516b 333->336 337 6cc75660-6cc7566a 334->337 338 6cc751fb-6cc7520a 334->338 339 6cc75171-6cc7517a 336->339 340 6cc753f0-6cc753fc 336->340 341 6cc7566c-6cc75680 337->341 342 6cc756eb-6cc756ee 337->342 343 6cc75472-6cc7549a 338->343 344 6cc75210-6cc7521e 338->344 347 6cc751ce-6cc751dc 339->347 348 6cc7517c-6cc751a8 339->348 340->326 349 6cc753fe-6cc75426 340->349 350 6cc756e6 341->350 351 6cc75682-6cc7568e 341->351 345 6cc754b0-6cc754c8 343->345 346 6cc7549c-6cc7549f 343->346 352 6cc75220-6cc7523a IsBadReadPtr 344->352 355 6cc757a6-6cc757aa 345->355 356 6cc754ce-6cc754e6 345->356 353 6cc754a5-6cc754a8 346->353 354 6cc756ff-6cc75704 346->354 347->336 357 6cc751de-6cc751e6 347->357 348->329 370 6cc751ae-6cc751c9 memset 348->370 349->329 373 6cc75428-6cc75455 memcpy 349->373 350->342 358 6cc75690-6cc7569b 351->358 359 6cc75470 352->359 360 6cc75240-6cc75249 352->360 353->345 361 6cc754aa-6cc754af 353->361 354->345 369 6cc757b3-6cc757c3 SetLastError 355->369 363 
6cc75541-6cc7554d 356->363 357->334 365 6cc756d2-6cc756dc 358->365 366 6cc7569d-6cc7569f 358->366 359->343 360->359 367 6cc7524f-6cc75264 360->367 361->345 371 6cc7554f-6cc75555 363->371 372 6cc7555a-6cc7555e 363->372 365->358 368 6cc756de-6cc756e2 365->368 374 6cc756a0-6cc756ad 366->374 382 6cc7576f-6cc7577f SetLastError 367->382 383 6cc7526a-6cc75285 realloc 367->383 368->350 369->329 370->347 375 6cc75557 371->375 376 6cc755a0-6cc755a6 371->376 380 6cc75560-6cc75568 372->380 381 6cc7556a-6cc7557b 372->381 377 6cc756c3-6cc756d0 374->377 378 6cc756af-6cc756c0 374->378 375->372 376->372 387 6cc755a8-6cc755ab 376->387 377->365 377->374 378->377 380->381 384 6cc754f0-6cc754ff call 6cc749e0 380->384 385 6cc75585 381->385 386 6cc7557d-6cc75583 381->386 382->329 388 6cc75784-6cc757a1 SetLastError 383->388 389 6cc7528b-6cc752b5 383->389 400 6cc75505-6cc75514 384->400 401 6cc75720-6cc75724 384->401 390 6cc7558a-6cc75596 385->390 386->385 386->390 387->372 388->329 392 6cc752b7 389->392 393 6cc752e8-6cc752f4 389->393 394 6cc75518-6cc75530 390->394 397 6cc75460-6cc75465 392->397 398 6cc752f6-6cc75307 393->398 399 6cc752c0-6cc752d6 393->399 402 6cc75532-6cc7553d 394->402 403 6cc755b0-6cc755c9 call 6cc749e0 394->403 397->352 408 6cc75309-6cc75326 SetLastError 398->408 409 6cc752d8-6cc752e2 398->409 399->408 399->409 400->394 401->329 402->363 403->329 410 6cc755cf-6cc755d9 403->410 408->329 409->393 409->397 411 6cc75613-6cc75618 410->411 412 6cc755db-6cc755e4 410->412 413 6cc756f3-6cc756fa 411->413 414 6cc7561e-6cc75629 411->414 412->411 415 6cc755e6-6cc755ea 412->415 413->310 417 6cc7562f-6cc75649 414->417 418 6cc75729-6cc7572c 414->418 415->411 419 6cc755ec 415->419 417->369 423 6cc7564f-6cc75656 417->423 418->310 420 6cc755f0-6cc7560f 419->420 424 6cc75611 420->424 423->310 424->411
    Similarity
    • API ID: ErrorHeapLast$AllocInfoNativeProcessReadSystemmemcpymemsetrealloc
    • String ID: ?$@
    • API String ID: 2257136212-1463999369
    • Opcode ID: 345fbaf34514424e775c6377136250598ec77e182a3baeb001561a9c62b347f7
    • Instruction ID: bc4a0ce4c842515edd2b15d6885cd027b89a24a6c23cea272b72535abf7a0a30
    • Opcode Fuzzy Hash: 345fbaf34514424e775c6377136250598ec77e182a3baeb001561a9c62b347f7
    • Instruction Fuzzy Hash: 974212B46097059FD720DF29C584A1AFBF0FF88308F548A2DE99987B50E774E854CB92

    Control-flow Graph

    control_flow_graph 1122 6cbf59f0-6cbf5a05 1123 6cbf5a0b-6cbf5a31 call 6cc50980 1122->1123 1124 6cbf6c61-6cbf6c66 call 6cc4ae50 1122->1124 1129 6cbf5a3a-6cbf5a3d 1123->1129 1130 6cbf5a33-6cbf5a38 1123->1130 1124->1122 1131 6cbf5a40-6cbf5aa7 call 6cc509b0 call 6cc4cff0 1129->1131 1130->1131 1136 6cbf5aa9-6cbf5ab1 call 6cc4c260 1131->1136 1137 6cbf5ab3-6cbf5b83 call 6cc19e30 call 6cc4ad60 * 2 call 6cc19a20 1131->1137 1136->1137 1148 6cbf5b8b-6cbf5b93 call 6cc39ba0 1137->1148 1149 6cbf5b85-6cbf5b89 1137->1149 1150 6cbf5b97-6cbf5b99 1148->1150 1149->1150 1153 6cbf5bcf-6cbf5be5 1150->1153 1154 6cbf5b9b-6cbf5bca call 6cc3a140 call 6cc39cd0 1150->1154 1155 6cbf5be7-6cbf5bef call 6cc4c260 1153->1155 1156 6cbf5bf1-6cbf5c00 1153->1156 1154->1153 1155->1156 1160 6cbf6c4a-6cbf6c60 call 6cc46a90 1156->1160 1161 6cbf5c06-6cbf5f1c call 6cc509b0 call 6cc4ad60 call 6cc4cff0 call 6cc4d050 call 6cc509d0 * 2 call 6cc0fc30 call 6cc3f810 * 2 call 6cc507f0 * 3 1156->1161 1160->1124 1190 6cbf5f1e 1161->1190 1191 6cbf5f24-6cbf5fc2 call 6cbea4e0 call 6cc1ed60 call 6cbea700 call 6cc01f00 call 6cbf85c0 call 6cc0ce30 call 6cc029f0 1161->1191 1190->1191 1206 6cbf5fc4-6cbf5fc6 1191->1206 1207 6cbf5fd0-6cbf5fd2 1191->1207 1208 6cbf5fcc-6cbf5fce 1206->1208 1209 6cbf6c34-6cbf6c45 call 6cc46a90 1206->1209 1210 6cbf6c1e-6cbf6c2f call 6cc46a90 1207->1210 1211 6cbf5fd8-6cbf6095 call 6cc4c476 call 6cc4c94a call 6cc4ad60 call 6cc0d3f0 call 6cc05470 call 6cc4ad60 * 2 1207->1211 1208->1207 1208->1211 1209->1160 1210->1209 1228 6cbf6097-6cbf60af call 6cc02a70 1211->1228 1229 6cbf60b4-6cbf60bc 1211->1229 1228->1229 1231 6cbf6abf-6cbf6b05 call 6cbea4e0 1229->1231 1232 6cbf60c2-6cbf6130 call 6cc4c47a call 6cc16bb0 call 6cc3fa50 1229->1232 1237 6cbf6b07-6cbf6b12 call 6cc4c260 1231->1237 1238 6cbf6b14-6cbf6b30 call 6cbea700 1231->1238 1250 6cbf6140-6cbf615e 1232->1250 1237->1238 1247 6cbf6b55-6cbf6b5e 1238->1247 1248 6cbf6b32-6cbf6b54 call 6cbe43c0 1247->1248 1249 6cbf6b60-6cbf6b8b call 6cbfed90 1247->1249 
1248->1247 1263 6cbf6b8d-6cbf6b96 call 6cc4ad60 1249->1263 1264 6cbf6b9b-6cbf6bf2 call 6cc28b70 * 2 1249->1264 1253 6cbf6169-6cbf61ec 1250->1253 1254 6cbf6160-6cbf6163 1250->1254 1255 6cbf6c14-6cbf6c19 call 6cc4c2e0 1253->1255 1256 6cbf61f2-6cbf61fc 1253->1256 1254->1253 1259 6cbf6216-6cbf621c 1254->1259 1255->1210 1261 6cbf620f-6cbf6211 1256->1261 1262 6cbf61fe-6cbf620a 1256->1262 1265 6cbf6c0a-6cbf6c0f call 6cc4c2e0 1259->1265 1266 6cbf6222-6cbf63bc call 6cc47ed0 call 6cc16bb0 call 6cc17410 call 6cc17100 call 6cc17410 * 3 call 6cc17230 call 6cc17410 call 6cc16c10 call 6cc4c47a 1259->1266 1267 6cbf6132-6cbf613e 1261->1267 1262->1267 1263->1264 1279 6cbf6bf4-6cbf6bfa 1264->1279 1280 6cbf6c03-6cbf6c09 1264->1280 1265->1255 1299 6cbf645e-6cbf6461 1266->1299 1267->1250 1279->1280 1282 6cbf6bfc 1279->1282 1282->1280 1300 6cbf64e7-6cbf6690 call 6cc16bb0 call 6cc17410 call 6cc16c10 call 6cc50830 * 4 call 6cc4c476 1299->1300 1301 6cbf6467-6cbf6484 1299->1301 1336 6cbf6717-6cbf671a 1300->1336 1303 6cbf648a-6cbf64e2 call 6cc16bb0 call 6cc17410 call 6cc16c10 1301->1303 1304 6cbf63c1-6cbf6457 call 6cbf80a0 call 6cc47ed0 call 6cc16bb0 call 6cc17410 call 6cc16c10 1301->1304 1303->1304 1304->1299 1337 6cbf67c0-6cbf6a5a call 6cc509b0 * 2 call 6cc16bb0 call 6cc17410 call 6cc17100 call 6cc17410 call 6cc17100 call 6cc17410 call 6cc17100 call 6cc17410 call 6cc17100 call 6cc17410 call 6cc17100 call 6cc17410 call 6cc17100 call 6cc17410 call 6cc17230 call 6cc17410 call 6cc16c10 1336->1337 1338 6cbf6720-6cbf6744 1336->1338 1404 6cbf6a7c-6cbf6aad call 6cc16bb0 call 6cc16db0 call 6cc16c10 1337->1404 1405 6cbf6a5c-6cbf6a77 call 6cc16bb0 call 6cc17410 call 6cc16c10 1337->1405 1339 6cbf674b-6cbf6779 call 6cc16bb0 call 6cc17410 call 6cc16c10 1338->1339 1340 6cbf6746-6cbf6749 1338->1340 1348 6cbf6695-6cbf6716 call 6cbf80a0 call 6cc47ed0 call 6cc16bb0 call 6cc17410 call 6cc16c10 1339->1348 1340->1339 1342 6cbf677e-6cbf6780 1340->1342 1347 6cbf6786-6cbf67bb call 6cc16bb0 call 6cc17410 call 
6cc16c10 1342->1347 1342->1348 1347->1348 1348->1336 1404->1231 1417 6cbf6aaf-6cbf6aba call 6cbea700 1404->1417 1405->1404 1417->1231
    Strings
    • MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 6CBF6A06
    • @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12, xrefs: 6CBF62C7
    • ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE, xrefs: 6CBF64EC
    • +:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08, xrefs: 6CBF64A4, 6CBF678B
    • ., xrefs: 6CBF61FE
    • gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6CBF6C4A
    • 5, xrefs: 6CBF6C27
    • , xrefs: 6CBF606A
    • gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma, xrefs: 6CBF629A
    • failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 6CBF6C34
    • MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=, xrefs: 6CBF699C
    • non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo, xrefs: 6CBF6C1E
    • ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid, xrefs: 6CBF68DC
    • gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= , xrefs: 6CBF5ABA
    Similarity
    • API ID:
    • String ID: $ @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12$ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=$ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) 
marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid$+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08$.$5$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= $non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo
    • API String ID: 0-2575422049
    • Opcode ID: d956316ea8971d302e576415919d1b7e8dab95602e7ac75b9a80925ed02b7a83
    • Instruction ID: 476c68591db4fb62a3184d739e2746599433a546e138dbb9ef4b6d6ce6d82418
    • Opcode Fuzzy Hash: d956316ea8971d302e576415919d1b7e8dab95602e7ac75b9a80925ed02b7a83
    • Instruction Fuzzy Hash: 39B217746097808FD724DF29C49069EBBF5FB8A304F01892EDA89C7750E734A849DF52
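    The per-function records in this section (the one-line control_flow_graph edge list and the bulleted Similarity block with its API ID and fuzzy hashes) are what you would diff against other reports to spot shared code, and what you would use to separate Go runtime scaffolding from author code; the 6cc75fb0 graph above (_beginthread, _errno, Sleep retry loop, fprintf and abort with "runtime: failed to create new OS thread (%d)") is the thread-start helper from Go's runtime/cgo, as expected for a c-shared Go DLL, not sample-specific logic. The parser below is an added example for this page, not Joe Sandbox's own code. It assumes the record layout exactly as rendered here; the name "sub_<addr>" for "call <addr>" targets is the example's own convention. WRITEFILE_CFG is the 6cc4cea0 record verbatim; LOADER_CFG is the start of the 6cbf59f0 record, cut after "1136->1137" so that every edge target is defined.

```python
"""Parse Joe Sandbox per-function records (one-line 'control_flow_graph' edge
list plus the bulleted 'Similarity' block) into structured, comparable data.

Added example for this report page, not Joe Sandbox code.  'sub_<addr>' is our
own label for 'call <addr>' targets inside the analysed module.
"""
import re
from collections import deque

EDGE = re.compile(r"^(\d+)->(\d+)$")                 # "src->dst"
RANGE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)$")     # "<start>-<end>" of a basic block
NODE_ID = re.compile(r"^\d+$")
BULLET = re.compile(r"^\s*[•*-]?\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")

# The WriteFile wrapper record from this report, verbatim.
WRITEFILE_CFG = ("control_flow_graph 8 6cc4cea0-6cc4ceb7 9 6cc4cec8-6cc4cee0 "
                 "WriteFile 8->9 10 6cc4ceb9-6cc4cec6 8->10 10->9")
WRITEFILE_SIM = """Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Instruction Fuzzy Hash: 46E0E571505600CFDB15DF18C2C1706BBE1EB48A00F0485A8DE098FB4AE734ED10CB92
"""
# Leading nodes of the 6cbf59f0 record, truncated so every edge target is defined;
# it exercises the 'call <addr>' and '* N' (repeat count) markers.
LOADER_CFG = ("control_flow_graph 1122 6cbf59f0-6cbf5a05 1123 6cbf5a0b-6cbf5a31 call 6cc50980 "
              "1122->1123 1124 6cbf6c61-6cbf6c66 call 6cc4ae50 1122->1124 1129 6cbf5a3a-6cbf5a3d "
              "1123->1129 1130 6cbf5a33-6cbf5a38 1123->1130 1124->1122 1131 6cbf5a40-6cbf5aa7 "
              "call 6cc509b0 call 6cc4cff0 1129->1131 1130->1131 1136 6cbf5aa9-6cbf5ab1 "
              "call 6cc4c260 1131->1136 1137 6cbf5ab3-6cbf5b83 call 6cc19e30 call 6cc4ad60 * 2 "
              "call 6cc19a20 1131->1137 1136->1137")


def parse_cfg(line):
    """Return (nodes, edges): nodes maps id -> {start, end, calls}; edges is a list of (src, dst)."""
    tokens = line.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph record")
    nodes, edges, cur, i = {}, [], None, 1
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if NODE_ID.match(tok) and i + 1 < len(tokens) and RANGE.match(tokens[i + 1]):
            r = RANGE.match(tokens[i + 1])           # "<id> <start>-<end>" opens a basic block
            cur = int(tok)
            nodes[cur] = {"start": int(r.group(1), 16), "end": int(r.group(2), 16), "calls": []}
            i += 2
            continue
        if cur is None:
            raise ValueError(f"unexpected token before first node: {tok}")
        if tok == "call":                             # internal callee, given by address
            nodes[cur]["calls"].append("sub_" + tokens[i + 1])
            i += 2
            continue
        if tok == "*":                                # "* N": previous callee invoked N times
            n = int(tokens[i + 1])
            nodes[cur]["calls"].extend([nodes[cur]["calls"][-1]] * (n - 1))
            i += 2
            continue
        nodes[cur]["calls"].append(tok)               # bare name: imported API (WriteFile, memcpy, ...)
        i += 1
    return nodes, edges


def reachable(entry, edges):
    """Basic blocks reachable from `entry` by following the recorded edges."""
    succ = {}
    for s, d in edges:
        succ.setdefault(s, []).append(d)
    seen, work = {entry}, deque([entry])
    while work:
        n = work.popleft()
        for d in succ.get(n, []):
            if d not in seen:
                seen.add(d)
                work.append(d)
    return seen


def parse_similarity(text):
    """Bullet lines of the Similarity block as a dict, e.g. {'API ID': 'FileWrite', ...}."""
    fields = {}
    for line in text.splitlines():
        m = BULLET.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def summarize(cfg_line, similarity_text):
    """One comparable record per function: entry, imports, internal callees, fingerprints."""
    nodes, edges = parse_cfg(cfg_line)
    sim = parse_similarity(similarity_text)
    entry = min(nodes, key=lambda n: nodes[n]["start"])   # lowest block address = function entry
    calls = [c for n in nodes.values() for c in n["calls"]]
    return {
        "entry": f"{nodes[entry]['start']:08x}",
        "nodes": len(nodes),
        "edges": len(edges),
        "unreachable": sorted(set(nodes) - reachable(entry, edges)),
        "apis": sorted({c for c in calls if not c.startswith("sub_")}),
        "internal_calls": sorted({c for c in calls if c.startswith("sub_")}),
        "api_id": sim.get("API ID", ""),
        "instruction_fuzzy_hash": sim.get("Instruction Fuzzy Hash", ""),
    }


if __name__ == "__main__":
    for cfg, sim in ((WRITEFILE_CFG, WRITEFILE_SIM), (LOADER_CFG, "Similarity\n• API ID:\n")):
        print(summarize(cfg, sim))
```

    Feeding every record of a report through summarize() gives a table keyed by entry address with the imported API set, the internal call targets and the Instruction Fuzzy Hash; matching the hash column (or the API ID) across reports is how the Similarity block is meant to be used, and records whose only imports are Go runtime calls can be set aside before looking at what the sample itself does.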

    Control-flow Graph

    control_flow_graph 1419 6cc093f0-6cc09402 1420 6cc09f94-6cc09f99 call 6cc4ae50 1419->1420 1421 6cc09408-6cc09450 1419->1421 1420->1419 1423 6cc09476-6cc0947d 1421->1423 1424 6cc09483-6cc094ed 1423->1424 1425 6cc0957b-6cc09581 1423->1425 1427 6cc094f3-6cc094f5 1424->1427 1428 6cc09f8c-6cc09f93 call 6cc4c320 1424->1428 1429 6cc09587-6cc095b3 call 6cc0c5d0 1425->1429 1430 6cc097f9-6cc09800 call 6cc4c2f0 1425->1430 1432 6cc09f85-6cc09f87 call 6cc4c340 1427->1432 1433 6cc094fb-6cc09545 1427->1433 1428->1420 1444 6cc09621-6cc09631 1429->1444 1445 6cc095b5-6cc09620 call 6cc09360 1429->1445 1436 6cc09805-6cc0980c 1430->1436 1432->1428 1437 6cc09552-6cc09556 1433->1437 1438 6cc09547-6cc09550 1433->1438 1442 6cc09810-6cc09812 1436->1442 1443 6cc09558-6cc09576 1437->1443 1438->1443 1448 6cc09818 1442->1448 1449 6cc099fd 1442->1449 1443->1442 1446 6cc097f4 call 6cc4c2e0 1444->1446 1447 6cc09637-6cc09648 1444->1447 1446->1430 1450 6cc097e1-6cc097e9 1447->1450 1451 6cc0964e-6cc09653 1447->1451 1452 6cc09f7e-6cc09f80 call 6cc4c2e0 1448->1452 1453 6cc0981e-6cc0984c 1448->1453 1456 6cc09a01-6cc09a0a 1449->1456 1450->1446 1459 6cc097c6-6cc097d6 1451->1459 1460 6cc09659-6cc09666 1451->1460 1452->1432 1462 6cc09856-6cc098af 1453->1462 1463 6cc0984e-6cc09854 1453->1463 1457 6cc09a10-6cc09a16 1456->1457 1458 6cc09d72-6cc09de0 call 6cc09360 1456->1458 1465 6cc09d53-6cc09d71 1457->1465 1466 6cc09a1c-6cc09a26 1457->1466 1478 6cc09ee5-6cc09eeb 1458->1478 1459->1450 1467 6cc097b8-6cc097c1 1460->1467 1468 6cc0966c-6cc097b3 call 6cc16bb0 call 6cc17410 call 6cc17230 call 6cc17410 call 6cc17230 call 6cc17410 call 6cc17100 call 6cc17410 call 6cc17100 call 6cc17410 call 6cc17100 call 6cc17410 call 6cc16c10 call 6cc16bb0 call 6cc17410 call 6cc17100 call 6cc16db0 call 6cc16c10 call 6cc46a90 1460->1468 1479 6cc098b1-6cc098bd 1462->1479 1480 6cc098bf-6cc098c8 1462->1480 1463->1436 1471 6cc09a41-6cc09a55 1466->1471 1472 6cc09a28-6cc09a3f 1466->1472 1468->1467 1476 6cc09a5c 1471->1476 1472->1476 
1481 6cc09a71-6cc09a91 1476->1481 1482 6cc09a5e-6cc09a6f 1476->1482 1485 6cc09f68-6cc09f79 call 6cc46a90 1478->1485 1486 6cc09eed-6cc09f02 1478->1486 1484 6cc098ce-6cc098e0 1479->1484 1480->1484 1488 6cc09a98 1481->1488 1482->1488 1490 6cc098e6-6cc098eb 1484->1490 1491 6cc099c8-6cc099ca 1484->1491 1485->1452 1492 6cc09f04-6cc09f09 1486->1492 1493 6cc09f0b-6cc09f1d 1486->1493 1495 6cc09aa1-6cc09aa4 1488->1495 1496 6cc09a9a-6cc09a9f 1488->1496 1500 6cc098f4-6cc09908 1490->1500 1501 6cc098ed-6cc098f2 1490->1501 1498 6cc099e2 1491->1498 1499 6cc099cc-6cc099e0 1491->1499 1494 6cc09f1f 1492->1494 1493->1494 1503 6cc09f21-6cc09f26 1494->1503 1504 6cc09f28-6cc09f40 1494->1504 1505 6cc09aaa-6cc09d4e call 6cc16bb0 call 6cc17410 call 6cc17230 call 6cc17410 call 6cc17230 call 6cc17410 call 6cc17100 call 6cc17410 call 6cc17100 call 6cc17410 call 6cc17100 call 6cc16db0 call 6cc16c10 call 6cc16bb0 call 6cc17410 call 6cc17230 call 6cc17410 call 6cc17100 call 6cc17410 call 6cc17230 call 6cc16db0 call 6cc16c10 call 6cc16bb0 call 6cc17410 call 6cc172a0 call 6cc17410 call 6cc17230 call 6cc16db0 call 6cc16c10 call 6cc16bb0 call 6cc17410 call 6cc17100 call 6cc17410 call 6cc17100 call 6cc16db0 call 6cc16c10 1495->1505 1496->1505 1507 6cc099e6-6cc099fb 1498->1507 1499->1507 1502 6cc0990f-6cc09911 1500->1502 1501->1502 1508 6cc09452-6cc0946f 1502->1508 1509 6cc09917-6cc09919 1502->1509 1510 6cc09f42-6cc09f4e 1503->1510 1504->1510 1505->1478 1507->1456 1508->1423 1513 6cc09922-6cc0993d 1509->1513 1514 6cc0991b-6cc09920 1509->1514 1515 6cc09f50-6cc09f55 1510->1515 1516 6cc09f5a-6cc09f5d 1510->1516 1520 6cc099a7-6cc099c3 1513->1520 1521 6cc0993f-6cc09944 1513->1521 1519 6cc0994b 1514->1519 1516->1485 1524 6cc0994d-6cc0995c 1519->1524 1525 6cc0995e-6cc0996d 1519->1525 1520->1436 1521->1519 1528 6cc09970-6cc099a2 1524->1528 1525->1528 1528->1436
    Strings
    • , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST, xrefs: 6CC096F7, 6CC09721, 6CC09B44, 6CC09B6E
    • , npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar, xrefs: 6CC09BD7
    • ] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt, xrefs: 6CC09B1A
    • runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6CC09CE8
    • , i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc, xrefs: 6CC09C88
    • ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc, xrefs: 6CC096CD
    • ][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C, xrefs: 6CC096A4, 6CC09AED
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CC097A2, 6CC09F68
    • runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard , xrefs: 6CC09C5B
    • runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6CC0967A, 6CC09AB3
    • runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer, xrefs: 6CC0976B
    • , levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:, xrefs: 6CC09D15
    • , j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3descensurarno anodeCancelIoReadFileAcceptExWSA, xrefs: 6CC09C04
    Similarity
    • API ID:
    • String ID: , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST$, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3descensurarno anodeCancelIoReadFileAcceptExWSA$, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:$, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar$] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt$] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc$][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard $runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
    • API String ID: 0-2756730639
    • Opcode ID: 3b9fcf69773c355036b04349877bb0a9f389eb744465df15ffe6282aea0ec56f
    • Instruction ID: 1ca8aeb1f19b60edfcf6d6337180e6358e79016d3c664f1e7add4b0898913eac
    • Opcode Fuzzy Hash: 3b9fcf69773c355036b04349877bb0a9f389eb744465df15ffe6282aea0ec56f
    • Instruction Fuzzy Hash: DD5248756097048FD320DF69C48079EB7F1FF89308F11892DE99887B40E775A949EB92

    Control-flow Graph
    Basic blocks (node id: address range, call target, successor nodes):
    • 1779: 6cc11570-6cc1157e -> 1780, 1781
    • 1780: 6cc11584-6cc115b6 call 6cc132a0 -> 1786, 1787
    • 1781: 6cc1181e-6cc11823 call 6cc4ae50 -> 1779
    • 1786: 6cc11807-6cc1181d call 6cc46a90 -> 1781
    • 1787: 6cc115bc-6cc115ea call 6cc11470 -> 1792, 1793
    • 1792: 6cc115fc-6cc11631 call 6cc132a0 -> 1798, 1799
    • 1793: 6cc115ec-6cc115f9 call 6cc4c270 -> 1792
    • 1798: 6cc117f1-6cc11802 call 6cc46a90 -> 1786
    • 1799: 6cc11637-6cc11669 call 6cc11470 -> 1803, 1804
    • 1803: 6cc1167b-6cc11683 -> 1805, 1806
    • 1804: 6cc1166b-6cc11678 call 6cc4c270 -> 1803
    • 1805: 6cc11689-6cc116bb call 6cc11470 -> 1815, 1816
    • 1806: 6cc1172d-6cc1175f call 6cc11470 -> 1813, 1814
    • 1813: 6cc11771-6cc117a9 call 6cc11470 -> 1827, 1828
    • 1814: 6cc11761-6cc1176e call 6cc4c270 -> 1813
    • 1815: 6cc116cd-6cc116d5 -> 1820, 1821
    • 1816: 6cc116bd-6cc116ca call 6cc4c270 -> 1815
    • 1820: 6cc117db-6cc117ec call 6cc46a90 -> 1798
    • 1821: 6cc116db-6cc1170d call 6cc11470 -> 1831, 1832
    • 1827: 6cc117bb-6cc117c4 (no successors)
    • 1828: 6cc117ab-6cc117b8 call 6cc4c270 -> 1827
    • 1831: 6cc1171f-6cc11727 -> 1806, 1835
    • 1832: 6cc1170f-6cc1171c call 6cc4c270 -> 1831
    • 1835: 6cc117c5-6cc117d6 call 6cc46a90 -> 1820
    Strings
    • NtCreateWaitCompletionPacket, xrefs: 6CC1163E
    • bcryptprimitives.dll, xrefs: 6CC1158D
    • RtlGetVersion, xrefs: 6CC1177E
    • NtAssociateWaitCompletionPacket, xrefs: 6CC11690
    • , xrefs: 6CC1169A
    • bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible , xrefs: 6CC11807
    • NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no , xrefs: 6CC117C5
    • , xrefs: 6CC116A2
    • NtCancelWaitCompletionPacket, xrefs: 6CC116E2
    • ProcessPrng, xrefs: 6CC115BF
    • RtlGetCurrentPeb, xrefs: 6CC11734
    • ntdll.dll, xrefs: 6CC11608
    • P, xrefs: 6CC117E4
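    The flattened graph and the string xrefs above are hard to read as printed. The Python script below is an added editorial example, not part of the Joe Sandbox report and not code from the sample: it parses the report's control_flow_graph text into basic blocks and edges, attaches each string xref to the block that references it, and counts how often each call target is reached. The graph text and xref addresses are copied from this function's entries above (the empty and single-character xrefs are left out, and the two long panic-message blobs are shortened to their opening words). Reading the callees as a loader (6cc132a0), a name resolver called once per API name (6cc11470) and an error path (6cc46a90) is an inference from the parsed output, not something the report states. Run on this function, the output shows the sequence load bcryptprimitives.dll, resolve ProcessPrng, load ntdll.dll, resolve NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb and RtlGetVersion, with exit paths carrying the "bcryptprimitives.dll not found" and "NtCreateWaitCompletionPacket exists but ..." messages. That sequence and those messages are the Go runtime's Windows start-up code (runtime.loadOptionalSyscalls in runtime/os_windows.go), present in every binary built with a recent Go toolchain; when triaging, treat this function as runtime boilerplate rather than sample-specific capability, and look for the dynamic API resolution that matters elsewhere in the binary.

```python
import re
from collections import defaultdict

# Flattened graph copied verbatim from this function's "Control-flow Graph" entry.
CFG_TEXT = (
    "control_flow_graph 1779 6cc11570-6cc1157e 1780 6cc11584-6cc115b6 call 6cc132a0 "
    "1779->1780 1781 6cc1181e-6cc11823 call 6cc4ae50 1779->1781 1786 6cc11807-6cc1181d "
    "call 6cc46a90 1780->1786 1787 6cc115bc-6cc115ea call 6cc11470 1780->1787 1781->1779 "
    "1786->1781 1792 6cc115fc-6cc11631 call 6cc132a0 1787->1792 1793 6cc115ec-6cc115f9 "
    "call 6cc4c270 1787->1793 1798 6cc117f1-6cc11802 call 6cc46a90 1792->1798 1799 "
    "6cc11637-6cc11669 call 6cc11470 1792->1799 1793->1792 1798->1786 1803 6cc1167b-6cc11683 "
    "1799->1803 1804 6cc1166b-6cc11678 call 6cc4c270 1799->1804 1805 6cc11689-6cc116bb "
    "call 6cc11470 1803->1805 1806 6cc1172d-6cc1175f call 6cc11470 1803->1806 1804->1803 "
    "1815 6cc116cd-6cc116d5 1805->1815 1816 6cc116bd-6cc116ca call 6cc4c270 1805->1816 "
    "1813 6cc11771-6cc117a9 call 6cc11470 1806->1813 1814 6cc11761-6cc1176e call 6cc4c270 "
    "1806->1814 1827 6cc117bb-6cc117c4 1813->1827 1828 6cc117ab-6cc117b8 call 6cc4c270 "
    "1813->1828 1814->1813 1820 6cc117db-6cc117ec call 6cc46a90 1815->1820 1821 "
    "6cc116db-6cc1170d call 6cc11470 1815->1821 1816->1815 1820->1798 1831 6cc1171f-6cc11727 "
    "1821->1831 1832 6cc1170f-6cc1171c call 6cc4c270 1821->1832 1828->1827 1831->1806 "
    "1835 6cc117c5-6cc117d6 call 6cc46a90 1831->1835 1832->1831 1835->1820"
)

# String xrefs copied from the "Strings" list of the same function (address -> string).
# The two long panic-message blobs are shortened to their opening words.
STRING_XREFS = {
    0x6CC1158D: "bcryptprimitives.dll",
    0x6CC115BF: "ProcessPrng",
    0x6CC11608: "ntdll.dll",
    0x6CC1163E: "NtCreateWaitCompletionPacket",
    0x6CC11690: "NtAssociateWaitCompletionPacket",
    0x6CC116E2: "NtCancelWaitCompletionPacket",
    0x6CC11734: "RtlGetCurrentPeb",
    0x6CC1177E: "RtlGetVersion",
    0x6CC11807: "bcryptprimitives.dll not found...",
    0x6CC117C5: "NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does not...",
}

# Node: "<id> <start>-<end>[ call <callee>]"; edge: "<src>-><dst>". Addresses are 8 hex digits.
NODE_RE = re.compile(r"\b(\d+) ([0-9a-f]{8})-([0-9a-f]{8})(?: call ([0-9a-f]{8}))?")
EDGE_RE = re.compile(r"\b(\d+)->(\d+)\b")


def parse_cfg(text):
    """Split the flattened graph into blocks {id: (start, end, callee)} and successors {id: [ids]}."""
    blocks = {}
    for nid, start, end, callee in NODE_RE.findall(text):
        blocks[int(nid)] = (int(start, 16), int(end, 16), int(callee, 16) if callee else None)
    succs = {nid: [] for nid in blocks}
    for src, dst in EDGE_RE.findall(text):
        succs[int(src)].append(int(dst))
    return blocks, succs


def block_containing(blocks, addr):
    """Id of the block whose (inclusive) address range covers addr, or None."""
    for nid, (start, end, _) in blocks.items():
        if start <= addr <= end:
            return nid
    return None


def strings_per_block(blocks, xrefs):
    """Attach every string xref to the block it is referenced from."""
    out = defaultdict(list)
    for addr, text in sorted(xrefs.items()):
        nid = block_containing(blocks, addr)
        if nid is not None:
            out[nid].append(text)
    return dict(out)


def callee_counts(blocks):
    """Number of blocks that call each callee; a resolver called once per API name stands out."""
    counts = defaultdict(int)
    for _, _, callee in blocks.values():
        if callee is not None:
            counts[callee] += 1
    return dict(counts)


def sinks(blocks, succs):
    """Blocks with no outgoing edge: the function's exit blocks."""
    return sorted(nid for nid in blocks if not succs[nid])


def main():
    blocks, succs = parse_cfg(CFG_TEXT)
    refs = strings_per_block(blocks, STRING_XREFS)
    for nid in sorted(blocks, key=lambda n: blocks[n][0]):  # print in address order
        start, end, callee = blocks[nid]
        call = f" call {callee:08x}" if callee else ""
        print(f"{nid}: {start:08x}-{end:08x}{call} -> {succs[nid]}  {'; '.join(refs.get(nid, []))}")
    print("callee counts:", {f"{k:08x}": v for k, v in callee_counts(blocks).items()})
    print("sinks:", sinks(blocks, succs))


if __name__ == "__main__":
    main()
```

    The listing prints blocks in address order with the strings each one touches, so the load/resolve sequence reads top to bottom; the callee counts show 6cc11470 reached six times (once per resolved name) and 6cc46a90 four times (the error exits), and the only block without a successor is 1827, the normal return.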
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ $NtAssociateWaitCompletionPacket$NtCancelWaitCompletionPacket$NtCreateWaitCompletionPacket$NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no $P$ProcessPrng$RtlGetCurrentPeb$RtlGetVersion$bcryptprimitives.dll$bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible $ntdll.dll
    • API String ID: 0-2332038095
    • Opcode ID: 2f553ca13368f0cb0015912a81df6cfddfb15d94036bb8893c59d717e97c76e0
    • Instruction ID: 09a0808f85e1936fcc076e13e2b01ec00514965e85ed232c23966a3a0754d4b1
    • Opcode Fuzzy Hash: 2f553ca13368f0cb0015912a81df6cfddfb15d94036bb8893c59d717e97c76e0
    • Instruction Fuzzy Hash: C97106B4209702DFEB04DF69C180A5ABBF0BB8A748F00C82DE59983B50E778D448DF52
    Strings
    • mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CC03CE2, 6CC04156
    • mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 6CC03D16
    • previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 6CC03DAB
    • sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket, xrefs: 6CC03CB8, 6CC0412C
    • nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo, xrefs: 6CC03D81
    • sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto, xrefs: 6CC03C4F
    • mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea, xrefs: 6CC0418A
    • , xrefs: 6CC03E12
    • swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6CC03C65
    • sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket, xrefs: 6CC03E09
    • mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 6CC041A9
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo$ previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$ sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea$mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1$sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
    • API String ID: 0-893999930
    • Opcode ID: 0b56443e7e3749a5a5cddbe86eaeaf1cfed4096d959792c88c9c675cd1c83e95
    • Instruction ID: 1240facea01823e31330763ecb09e620eb6421cf6c01e603639d3d6ba607a21e
    • Opcode Fuzzy Hash: 0b56443e7e3749a5a5cddbe86eaeaf1cfed4096d959792c88c9c675cd1c83e95
    • Instruction Fuzzy Hash: D382477460D7948FC350DF25C080A9ABBF1BF89708F44896DE8C88B791E735D949DB92
    Strings
    • CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet, xrefs: 6CC12E7B, 6CC12ED6
    • runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr, xrefs: 6CC12DEC
    • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi, xrefs: 6CC12EFD
    • runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte, xrefs: 6CC12E47, 6CC12EA2
    • ,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12, xrefs: 6CC12D29
    • runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 6CC12D95
    • %, xrefs: 6CC12F3A
    • runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b, xrefs: 6CC12F31
    • NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor, xrefs: 6CC12E20
    • bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi, xrefs: 6CC12D6E
    • VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec, xrefs: 6CC12DC9
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: %$,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet$NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte$runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
    • API String ID: 0-2809656213
    • Opcode ID: c3f89903cd5742b1c9cf266d19a2402bb138cd35dfb604f8d321161cec9f27cb
    • Instruction ID: 04221b278c09d02c8305804ffb91d520caeef6da820fb83607f00e2742d54396
    • Opcode Fuzzy Hash: c3f89903cd5742b1c9cf266d19a2402bb138cd35dfb604f8d321161cec9f27cb
    • Instruction Fuzzy Hash: EEC1C0B46097018FD700EF69C19879ABBF4EF8A708F00896CE48887B40E7759949EF52
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 3f1d2fe9923bf5efc9a53ee52f5c8753dfc3126c2411e7aec159ff92f16ea3bc
    • Instruction ID: 6ec7c7bf2b8425bb403924cb69f69bdb382859c5f095450060a3a28852216982
    • Opcode Fuzzy Hash: 3f1d2fe9923bf5efc9a53ee52f5c8753dfc3126c2411e7aec159ff92f16ea3bc
    • Instruction Fuzzy Hash: 6D01B1B29093409FD710BF78964A31EBFF8FB46699F05852DCA8987B11E7309404CBA3
    Strings
    • p, xrefs: 6CC43D5E
    • 2, xrefs: 6CC43D50
    • malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo, xrefs: 6CC43D31
    • mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential, xrefs: 6CC43D47
    • malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty, xrefs: 6CC43D1B
    • mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 6CC43D05
    • 3-, xrefs: 6CC43D58
    • !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 6CC436FF
    • 4, xrefs: 6CC43D0E
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$2$4$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo$malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $3-$p
    • API String ID: 0-234616912
    • Opcode ID: ba18cbe705b0629d2d2b4c0ea8c9d73ff7ffd637ff51c931fa3e6039a00643cc
    • Instruction ID: e6756760af55d1611ea57fbd03d55eff57d85eab56df037e464571f3142eddae
    • Opcode Fuzzy Hash: ba18cbe705b0629d2d2b4c0ea8c9d73ff7ffd637ff51c931fa3e6039a00643cc
    • Instruction Fuzzy Hash: 536299706083518FD704DF29C090A6ABBF1BFC9718F18C96DE9998B792E735D849CB42
    Strings
    • invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p, xrefs: 6CC5CF75, 6CC5D068, 6CC5D138, 6CC5D6F4, 6CC5D816, 6CC5D8A7, 6CC5D938, 6CC5D9CD
    • n, xrefs: 6CC5D1B1
    • !, xrefs: 6CC5D0EC
    • y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KS, xrefs: 6CC5D1C5
    • invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa, xrefs: 6CC5D663
    • pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps, xrefs: 6CC5D785
    • $, xrefs: 6CC5D66D
    • v, xrefs: 6CC5D025
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$$$invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa$invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p$n$pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps$v$y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KS
    • API String ID: 0-3686076665
    • Opcode ID: 6d3875fe57cd261a0b0176be1191d609fa9341d9a504ffdc61e0c6b6541b4212
    • Instruction ID: c19d67fdc0933845bde655fb50c0f359f416b28f4566e5198530fca3c033630b
    • Opcode Fuzzy Hash: 6d3875fe57cd261a0b0176be1191d609fa9341d9a504ffdc61e0c6b6541b4212
    • Instruction Fuzzy Hash: EB7247B4A083458FC724DF69C18065AFBF1BB89704F94CA2DE99887750EB74D858CF86
    Strings
    • %!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutinecopystac, xrefs: 6CC63FD9, 6CC642BB
    • 0, xrefs: 6CC630B1
    • 0, xrefs: 6CC63150
    • 0, xrefs: 6CC63344
    • %!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamec, xrefs: 6CC63BCA, 6CC63E95
    • 0, xrefs: 6CC63267
    • )]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+, xrefs: 6CC63BE4, 6CC63EAF, 6CC63FF3, 6CC642D5
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: %!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutinecopystac$%!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamec$)]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+$0$0$0$0
    • API String ID: 0-3084215349
    • Opcode ID: db57979dd640b71409a10966bbd9c00c0136140db7e8adf5b9dfd35fefe29b09
    • Instruction ID: b944dad15a4e1fb64b9c36064767d0da6a7a6ca8c9e394aa5ea1a945c75b3c7b
    • Opcode Fuzzy Hash: db57979dd640b71409a10966bbd9c00c0136140db7e8adf5b9dfd35fefe29b09
    • Instruction Fuzzy Hash: 1703F574A093818FC324CF19C19069EFBE1BFC9314F14892EE99997B51E770A949CB93
    Strings
    • non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard , xrefs: 6CC366C5
    • fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit, xrefs: 6CC36539
    • pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace, xrefs: 6CC36593
    • , xrefs: 6CC36031
    • :(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I, xrefs: 6CC363FD
    • sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us, xrefs: 6CC36566
    • (1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID, xrefs: 6CC36320
    • , xrefs: 6CC36039
    Similarity
    • API ID:
    • String ID: $ $ fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit$ pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace$ sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us$(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID$:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I$non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard
    • API String ID: 0-3830612415
    • Opcode ID: 1bb8441a2fc88ff81fdf3802dabb7168f61c677c16aa24ecbd2d36fb6f513963
    • Instruction ID: 03c72e290a741443633bb0c3c3cd2d94f1284b785a25854964bfaad1de71e97a
    • Opcode Fuzzy Hash: 1bb8441a2fc88ff81fdf3802dabb7168f61c677c16aa24ecbd2d36fb6f513963
    • Instruction Fuzzy Hash: 2432D37460D7918FC364DF65C180B9ABBE1BF89308F05892DE8CC87B51EB34A849DB52
    Strings
    • timeEndPeriod, xrefs: 6CC11B73
    • runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta, xrefs: 6CC11BD9
    • winmm.dll, xrefs: 6CC11AF3
    • timeBeginPeriod, xrefs: 6CC11B29
    • timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 6CC11C0D
    • runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co, xrefs: 6CC11C34
    • &, xrefs: 6CC11C3D
    Similarity
    • API ID:
    • String ID: &$runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta$runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co$timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon$timeBeginPeriod$timeEndPeriod$winmm.dll
    • API String ID: 0-424793872
    • Opcode ID: 6782ed070ba7eb9e1087c104e61fb8164f5dd5be60a46984d2cf2044f4698e51
    • Instruction ID: d1597a997c07168106b28bb1f8203645b82cc7afb74b51332326b0a84ca24b79
    • Opcode Fuzzy Hash: 6782ed070ba7eb9e1087c104e61fb8164f5dd5be60a46984d2cf2044f4698e51
    • Instruction Fuzzy Hash: 2B51B3B06097019FE704EF6AC19475ABBF4FB96708F00C81DE59983B50E778D548EB52
    APIs
    Strings
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: 37db1161ce90ac48d243e7b9f78a4d10b7bf4114b4f249dcb4b4cdd65ad84b22
    • Instruction ID: 7acd319cb2b73bce6bdf1b140a7865124793e3eb5c4f63c370a0e207a9d06d4d
    • Opcode Fuzzy Hash: 37db1161ce90ac48d243e7b9f78a4d10b7bf4114b4f249dcb4b4cdd65ad84b22
    • Instruction Fuzzy Hash: 5C014DB15093019FE700EF68C59971BFBF4EB88349F00891DEA9896650E77982498FA3
    Strings
    • !, xrefs: 6CC1E0DE
    • findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a, xrefs: 6CC1E0A9
    • findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r, xrefs: 6CC1E0D5
    • findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi, xrefs: 6CC1E0EB
    • findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina, xrefs: 6CC1E0BF
    • global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz, xrefs: 6CC1E093
    Similarity
    • API ID:
    • String ID: !$findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz
    • API String ID: 0-3518981815
    • Opcode ID: d4ecc1cefb96afbb338ad9a267f91f966ed2c5032dc1f368020d5842cecb6da5
    • Instruction ID: d808b29db2fe01a23669a51939806e27a27a84cdaff6852cd3b2c9afddab9f90
    • Opcode Fuzzy Hash: d4ecc1cefb96afbb338ad9a267f91f966ed2c5032dc1f368020d5842cecb6da5
    • Instruction Fuzzy Hash: D9A2D17460D3418FD714DF6AC090B9ABBF5BF89748F04892DE98987B80EB35D848DB52
    Strings
    • runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar, xrefs: 6CC11369
    • runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not , xrefs: 6CC11417
    • d, xrefs: 6CC11276
    • runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe, xrefs: 6CC113C4
    • runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy, xrefs: 6CC1139D, 6CC113F8, 6CC1144B
    • 5, xrefs: 6CC11420
    Similarity
    • API ID:
    • String ID: 5$d$runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar$runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not $runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe$runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy
    • API String ID: 0-2414937731
    • Opcode ID: 155cb88e13032d64e706c4e47f115a25a51ab9dcf4f06e2a53090e6fcc7b9412
    • Instruction ID: 059142f6f608b1bab6d36a77f3fc3556c40aac154d27c5b780e1bc5796894087
    • Opcode Fuzzy Hash: 155cb88e13032d64e706c4e47f115a25a51ab9dcf4f06e2a53090e6fcc7b9412
    • Instruction Fuzzy Hash: DC51AEB460D7009FD740EF6AC19479ABBF4EB89748F00882DE49987B50E774D948EB62
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6CC76289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CBE13B9), ref: 6CC7629A
    • GetCurrentThreadId.KERNEL32 ref: 6CC762A2
    • GetTickCount.KERNEL32 ref: 6CC762AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CBE13B9), ref: 6CC762B9
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 5b4821674a71174c5d5db20cb78c37e551a02981f5c731caec4ff053ac1098c5
    • Instruction ID: 11eaa8d8565453ca456e23cf69c0b3d5d03ac5a606b3e5015327d8c45f36384b
    • Opcode Fuzzy Hash: 5b4821674a71174c5d5db20cb78c37e551a02981f5c731caec4ff053ac1098c5
    • Instruction Fuzzy Hash: 82114CB66053108FDB10EF79E48868BBBF9FB89259F054D39E644C6610EA35D4488BE2
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6CC7634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6CC7635F
    • GetCurrentProcess.KERNEL32 ref: 6CC76368
    • TerminateProcess.KERNEL32 ref: 6CC76379
    • abort.MSVCRT ref: 6CC76382
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 20247c843860fc97a500c161ccae153f6dcbcdc813d466e2a91d77a38194c07e
    • Instruction ID: 09be45977176481360858157741f7dda5930e9dde75dfeff4dcca7287bc534c1
    • Opcode Fuzzy Hash: 20247c843860fc97a500c161ccae153f6dcbcdc813d466e2a91d77a38194c07e
    • Instruction Fuzzy Hash: 8A11D7B5A052059FEB00FF79C14565ABBF4FB85308F00C56DEA8887750E7349948CF92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6CC7634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6CC7635F
    • GetCurrentProcess.KERNEL32 ref: 6CC76368
    • TerminateProcess.KERNEL32 ref: 6CC76379
    • abort.MSVCRT ref: 6CC76382
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: b946eb50ab1f13898e330eed58c7e76c56a7282eb4aa5555dad07b7ca7273f3d
    • Instruction ID: 99aefb335c74638793c412ece2960feed1d8a93e3beac21a531b91b7db750574
    • Opcode Fuzzy Hash: b946eb50ab1f13898e330eed58c7e76c56a7282eb4aa5555dad07b7ca7273f3d
    • Instruction Fuzzy Hash: 2111B7B5A052059FEB00FF79C24965A7BF8FB46308F018559EB4887750E774A948CF92
    Strings
    • !, xrefs: 6CC01A18
    • min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW, xrefs: 6CC019C0
    • runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti, xrefs: 6CC0198C, 6CC019DB
    • min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 6CC01A0F
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW$runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti
    • API String ID: 0-967014423
    • Opcode ID: b594239d04d638fb530b6426e165f443e0f1775950c6359b8a764ff4f1fee1b0
    • Instruction ID: 2a4fecbd832a96aff4f0be8563c50fa6d48b7241edc58e5ab4b8746c340361c8
    • Opcode Fuzzy Hash: b594239d04d638fb530b6426e165f443e0f1775950c6359b8a764ff4f1fee1b0
    • Instruction Fuzzy Hash: DCF1DF367097258FD705DE9D84C064EB7E2BBC8308F158A3CD9959B781FB72E909C682
    Strings
    • stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl, xrefs: 6CC1A690
    • stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met, xrefs: 6CC1A7EB
    • stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a , xrefs: 6CC1A843
    • stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many, xrefs: 6CC1A7B0
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met$stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a $stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many$stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl
    • API String ID: 0-2039697367
    • Opcode ID: 991fdd1ef05af041e956a873a02490ce76ea078d2527d0f1b2d623cd8af79405
    • Instruction ID: 2e03a5afcd195f1a0b5deeaed8cf6acc6c8de2dcd3b92e59e022c259b4ca7b5e
    • Opcode Fuzzy Hash: 991fdd1ef05af041e956a873a02490ce76ea078d2527d0f1b2d623cd8af79405
    • Instruction Fuzzy Hash: 67F1E17460D3408FD304DF6AC19069ABBF1BBC9708F54892EE99887B51E734E949DF42
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: e97bf009741dae50f98ab75447b47483e3faace85da665acc2838f2cba5bd681
    • Instruction ID: 013c1de2c5d6c8b8aab429aeb82a6d04cbeb3ea0fc9ed4ce9828525ca2223cd1
    • Opcode Fuzzy Hash: e97bf009741dae50f98ab75447b47483e3faace85da665acc2838f2cba5bd681
    • Instruction Fuzzy Hash: 9621E3B56056008BDB10EF29D1C871ABBE5FF84218F15C96CE8888B709E734D845CFA2
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$'$PowerRegisterSuspendResumeNotification$powrprof.dll
    • API String ID: 0-4026319467
    • Opcode ID: c183ee8c7ef89fb9afb786c588b9190056f6f46c3569a87da0c5aefe62645226
    • Instruction ID: 1dafcfd010a25875e9da24e4e953f8cede73756e8231fc4ababfdb8109c68e60
    • Opcode Fuzzy Hash: c183ee8c7ef89fb9afb786c588b9190056f6f46c3569a87da0c5aefe62645226
    • Instruction Fuzzy Hash: 8021A3B46083419FD704DF2AC09465ABBF0BB99758F40C91DE49987B50E778DA48CF93
    Strings
    • runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern, xrefs: 6CC26A04
    • <, xrefs: 6CC26A0D
    • runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add, xrefs: 6CC269D7
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: <$runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add$runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern
    • API String ID: 0-450027851
    • Opcode ID: 7d5184cb25914829ccc29aca3f29bdaf6664bfb405196445e0991a0fcb956dd5
    • Instruction ID: d32d0342dbdb1e24c925d70e6742900f08cdf3a844e0600442ba6facc4971117
    • Opcode Fuzzy Hash: 7d5184cb25914829ccc29aca3f29bdaf6664bfb405196445e0991a0fcb956dd5
    • Instruction Fuzzy Hash: D7027D70A08B058FD714DF29C19065EBBE1BFC4708F54C92DE99987B50EB75E849CB82
    Strings
    • invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro, xrefs: 6CC1648D
    • ', xrefs: 6CC164AC
    • suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support, xrefs: 6CC164A3
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support
    • API String ID: 0-3278438963
    • Opcode ID: b9f76412caea4d364dd7df64a20b007ee7dbc303e16aa0835d32a38d23056b9d
    • Instruction ID: a444b041a9253df4de3b5a141d34abb79527077bf471ab325b1c65b375855140
    • Opcode Fuzzy Hash: b9f76412caea4d364dd7df64a20b007ee7dbc303e16aa0835d32a38d23056b9d
    • Instruction Fuzzy Hash: 95D1217460D7808FC704CF2AC090A5ABBF2EF8A718F54886DE8C597B51E735E944EB42
    Strings
    • grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 6CC06D4E
    • +, xrefs: 6CC06D57
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: +$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
    • API String ID: 0-3347251187
    • Opcode ID: aa0bc28107813cd632b995b5721791d2d2f0686e0bebaeb5464e9075a8a09f87
    • Instruction ID: e7a5a5fbb35c322ac9b68efca7cc48662c84da0e139b0041f67acd35bb9a892b
    • Opcode Fuzzy Hash: aa0bc28107813cd632b995b5721791d2d2f0686e0bebaeb5464e9075a8a09f87
    • Instruction Fuzzy Hash: 3B22FF746097818FD314DF29C090A5ABBF1BF89748F14892DE9D9C7750EB36D888CB42
    Strings
    • @, xrefs: 6CC0B4FB
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6CC0B60F
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
    • API String ID: 0-1191861649
    • Opcode ID: 3b755b1f98e62e968f2870380409e2f56f344517cc141466d9d900f8cf3e8c5e
    • Instruction ID: da4775167eeec08099b67dfa7a7d7a56ec102bde460a2d3f98d474d05f99a994
    • Opcode Fuzzy Hash: 3b755b1f98e62e968f2870380409e2f56f344517cc141466d9d900f8cf3e8c5e
    • Instruction Fuzzy Hash: FEA1E47560871A8FC304DF18C88065AB7E1FFC8318F44CA2DE9959B751EB34E94ACB82
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $@
    • API String ID: 0-1077428164
    • Opcode ID: 50cbac9630afa192b561595bc32749f98743e6b1eb9b424f612ab7a48af9ac3b
    • Instruction ID: cd4ac0a0b1916bb66f8e429a4919533bd1ca66a71bc1bff0d4ca52e17edd09ec
    • Opcode Fuzzy Hash: 50cbac9630afa192b561595bc32749f98743e6b1eb9b424f612ab7a48af9ac3b
    • Instruction Fuzzy Hash: D4519510C1CF5B65E6330BBEC4026667B206EB3144B01D76FFED6B58B2E7126940BA22
    Strings
    • gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu, xrefs: 6CBFCFA1
    • ,, xrefs: 6CBFCFAA
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu
    • API String ID: 0-27675022
    • Opcode ID: 8919f2c1efaeca2415e4c1d95d30ab94729d4bdb689b62009dcd987280c8990e
    • Instruction ID: bebf623ffce2f7993ec229c43c1abaaf85d8fd799742f22ca6805012b48598b6
    • Opcode Fuzzy Hash: 8919f2c1efaeca2415e4c1d95d30ab94729d4bdb689b62009dcd987280c8990e
    • Instruction Fuzzy Hash: 1B318F75A493968FD305DF14C490A59B7F1FB86608F4885BDDD884F383DB31A84ACB85
    Strings
    • ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint, xrefs: 6CC65B6E
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint
    • API String ID: 0-1364986362
    • Opcode ID: d2dfae657506394129a0debb7fa29be64e7ac198cdf4db064b958c0dfd0b3f1b
    • Instruction ID: 798a44f1939ca1485cfa075e6804ea83b8a71996454fdcbe80501d035a74f07b
    • Opcode Fuzzy Hash: d2dfae657506394129a0debb7fa29be64e7ac198cdf4db064b958c0dfd0b3f1b
    • Instruction Fuzzy Hash: C25216B1A083858FD334CF19C5903DEFBE1ABD5308F44892DD9D89B791E7B599488B82
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: 4
    • API String ID: 0-4088798008
    • Opcode ID: 51d6b782f7316466cd136c10bee1d77bffd61ed1f65a950894586ed7c000d3a9
    • Instruction ID: 626ef1b0b0ceec3a934584020308e6f16121547c5eb4d0865f0563999bfeb860
    • Opcode Fuzzy Hash: 51d6b782f7316466cd136c10bee1d77bffd61ed1f65a950894586ed7c000d3a9
    • Instruction Fuzzy Hash: 7F22B17560D3568BC720DF59D4C4A9EB7E1BFC5308F148A2ED99D8BB51EB30A805CB82
    Strings
    • span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 6CBF0D52
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
    • API String ID: 0-1712010102
    • Opcode ID: c2062324298e9f8f43f1c8f182e8134e80707c082449a00771b111a81bfce846
    • Instruction ID: 2e770be18dba787c85814b85aae836b154e6fb418d83fb878d2f741ba0541f5a
    • Opcode Fuzzy Hash: c2062324298e9f8f43f1c8f182e8134e80707c082449a00771b111a81bfce846
    • Instruction Fuzzy Hash: 0DD144746093859FC744DF28D09066EBBE0FF89708F00892EE8E987B51E735D94ACB52
    Strings
    • runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 6CC0D3CB
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
    • API String ID: 0-429552053
    • Opcode ID: f379e98b39681af0bd7f947ddb9ffb0f6cbdca109c1b3652b12e240ad486fee3
    • Instruction ID: f3ac284c6086ea4c90c4e3a3a9473f4db8dc8a09d46232146e68e229f68db07e
    • Opcode Fuzzy Hash: f379e98b39681af0bd7f947ddb9ffb0f6cbdca109c1b3652b12e240ad486fee3
    • Instruction Fuzzy Hash: D9B102786093458FC704DF68C08082ABBF1BF8A758F51892DE99987711E736ED49CF82
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ;
    • API String ID: 0-1661535913
    • Opcode ID: 8b746527a605a4f0d6a6f11762ba21e9438ba0b8964668e2d097bb5f60902d66
    • Instruction ID: 132ac352b8ba4d6d4fc378ee461a260a1ecc762395d8f08732e554eb02639bc1
    • Opcode Fuzzy Hash: 8b746527a605a4f0d6a6f11762ba21e9438ba0b8964668e2d097bb5f60902d66
    • Instruction Fuzzy Hash: D0A17371B083054FD70CDF5ED99131ABAE2ABC8304F05CA3DE589DB7A4E634D9098B86
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: e3733e1467697873d15e2d99967d4b4d8c65c9052157e7aa64d32832599edfef
    • Instruction ID: 15b84517215060d89cf61d66d58d2d7d6bf001ff0e53d9771f6c4e05ab2c0ce5
    • Opcode Fuzzy Hash: e3733e1467697873d15e2d99967d4b4d8c65c9052157e7aa64d32832599edfef
    • Instruction Fuzzy Hash: 4D91F0B5A093059FC344DF28C08065ABBE1FFC8748F509A2EE89997751E735D989CF82
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 75ecbc12eaa19e7d77f2ac52b29d0ec3e19e6366a7bf4c9700d9b0b288b3ce89
    • Instruction ID: 5159324cd7b4b5adfad1d3a607e424d7ef3d948dce7a63061998db6248111c4e
    • Opcode Fuzzy Hash: 75ecbc12eaa19e7d77f2ac52b29d0ec3e19e6366a7bf4c9700d9b0b288b3ce89
    • Instruction Fuzzy Hash: 02825D71A093548BC728CF0EC49069AF7F2BBCD300F95892ED59E93750E774A925CB86
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 14a7ced070177e16072fd69285848b2efd48db9da2c137abea3556212ecbb03c
    • Instruction ID: e7441d26128db73100bcd3c70810cb9fbfa97aac763e7d0faa4a0862f340a97e
    • Opcode Fuzzy Hash: 14a7ced070177e16072fd69285848b2efd48db9da2c137abea3556212ecbb03c
    • Instruction Fuzzy Hash: 43226D72A0C7458FD724CF66C6D035BF7E2BB85304F55882DD9898BB50FB7198099B82
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bf379578992b3c01070ad6a1252b224f7d3ca785abb42b8c6e9f17fd49915df8
    • Instruction ID: 39dde78aa001b6a39c8b15cb8951dbaedffd892db42460fc74e18f867c467e33
    • Opcode Fuzzy Hash: bf379578992b3c01070ad6a1252b224f7d3ca785abb42b8c6e9f17fd49915df8
    • Instruction Fuzzy Hash: 4E129972A087498FC324DE5DC98124AF7E6BBC4304F55CA3DD9588B755EB70E909CB82
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cbe9d0d5458d2a035db46e5512e730228f54c0c8697ba6b62366f420b1b4576d
    • Instruction ID: e01b508bb22bdabb43e74904d8ec8ceadb5dce626079324948f636021f575942
    • Opcode Fuzzy Hash: cbe9d0d5458d2a035db46e5512e730228f54c0c8697ba6b62366f420b1b4576d
    • Instruction Fuzzy Hash: D8E12733B497194BD314EDADC8C025EB2D2ABC8344F19873CDD649B781FA76D80A86D2
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c1e14a6ba1ce9afa1df4ebbfa554553ba7a09022ef73de42dae3f31bab2e15a0
    • Instruction ID: 77e2534f535a9a33042b7c5b9fa969d2d827ba4c3ea19444368ef8b0de6cfb91
    • Opcode Fuzzy Hash: c1e14a6ba1ce9afa1df4ebbfa554553ba7a09022ef73de42dae3f31bab2e15a0
    • Instruction Fuzzy Hash: C40293356087668FC324DF69D48065EF7E1BF89308F148A2DE9998B751E735E809CB82
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 990e4070710d7eb93a3e183cab6ea07ed0385e0b6e9ed243f858a9a864ef57dd
    • Instruction ID: a1795f0b70600109a9b3d1f22f8dce8166ad6fe14ec5b5aa304c9dcb1350c1cd
    • Opcode Fuzzy Hash: 990e4070710d7eb93a3e183cab6ea07ed0385e0b6e9ed243f858a9a864ef57dd
    • Instruction Fuzzy Hash: 1BE1C333F2472507D3149E58CC80249B2D2ABC8670F4EC72DED95AB781EAB5ED5986C2
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: abd7cc7145271344947b9f7e1bb1bbc9661e7d3b7a8af525d6eb076ad8c5349c
    • Instruction ID: 6530f7f4e6d9d84cb28ab1ec6adcb6c365e812e600de813883acd6ce6a102c3d
    • Opcode Fuzzy Hash: abd7cc7145271344947b9f7e1bb1bbc9661e7d3b7a8af525d6eb076ad8c5349c
    • Instruction Fuzzy Hash: 98E1B172A4CB558BC305CF2B859021FFBE2BBC5704F49892DE895CBB41E7719849CB82
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5e19bb8c56820d9b935c6d1277e2ed1b7cc76388acb75db5d90a10b464152ea7
    • Instruction ID: 9a9e54831c886d40271893fdf2b52e51559b10c28363798684a73453b8eb2c24
    • Opcode Fuzzy Hash: 5e19bb8c56820d9b935c6d1277e2ed1b7cc76388acb75db5d90a10b464152ea7
    • Instruction Fuzzy Hash: 67C1E532B083154FC714DE6DC89064EB7D2ABC8304F49863DE865DB7A5E7B5ED0A8781
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d02625bdd677d35d82e1236759276ee80ed2fc6ddb3e1f26eed0743eca90ec7a
    • Instruction ID: 83df5b312c20a9d0ec38bf9bb837f33690b1765a09950ef012ed3e6b5656caeb
    • Opcode Fuzzy Hash: d02625bdd677d35d82e1236759276ee80ed2fc6ddb3e1f26eed0743eca90ec7a
    • Instruction Fuzzy Hash: 5EE1B77151D3668FC315DF19C4C056EFBE1AF89208F04897DE8998B792E730E949CB92
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fcb76af0ea1626cfb4e70afe21e4b18bde84422a9d112212837dc1b5525c337d
    • Instruction ID: b66555dcc82be6347f25ee572d33e31aadd91361dd846476f83313420e577139
    • Opcode Fuzzy Hash: fcb76af0ea1626cfb4e70afe21e4b18bde84422a9d112212837dc1b5525c337d
    • Instruction Fuzzy Hash: B3F1D37460D3908FD364CF2AC090B5BBBE1BBC9204F54892EE9D887B51EB35A845DB52
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7f7b91d6ed4bbe64ce26b02261ace8004e963b7c44200d1a603040cb4215581a
    • Instruction ID: 68a6fb846fc6fe16cbeae90c0303908731132b28efdd879785282cad531fff67
    • Opcode Fuzzy Hash: 7f7b91d6ed4bbe64ce26b02261ace8004e963b7c44200d1a603040cb4215581a
    • Instruction Fuzzy Hash: 69C1627060432A4FC251CE5EDCC0A6A73D1AB8821DF91867D9644CF7C3DA3AF46B97A4
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b157872882913c7c5b57f7f69325d731311a0c24d7dbd2be80d38fc368b2f65b
    • Instruction ID: 62d87fc3e3b407261a393916af3330bfc408da3e7fe986f79404431e89166257
    • Opcode Fuzzy Hash: b157872882913c7c5b57f7f69325d731311a0c24d7dbd2be80d38fc368b2f65b
    • Instruction Fuzzy Hash: 3FC1627060432A4FC251CE5EDCC0A6A73D1AB8821DF91867D9644CF7C3DA3AF46B97A4
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a70154d7e3650ec6aa99355209c9fc4ba86aef0bacf6e2812c277e0a388d3c71
    • Instruction ID: 970a6a9478da37171026f3417eca225b218906c1f1d3cdcffe8433ec07193379
    • Opcode Fuzzy Hash: a70154d7e3650ec6aa99355209c9fc4ba86aef0bacf6e2812c277e0a388d3c71
    • Instruction Fuzzy Hash: CC9144327097254FC719EE9DC4D051EB3E2FBC8348F58873CD9694B780EB7699098692
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 234ed294364ccb2f3379bbad67270fce510b5a0a1f37f7e889761d2ac5f71896
    • Instruction ID: f4731e52ffb2a0645fda90a9b95a109269a91dbbb1e0a21f5e54e570f927c003
    • Opcode Fuzzy Hash: 234ed294364ccb2f3379bbad67270fce510b5a0a1f37f7e889761d2ac5f71896
    • Instruction Fuzzy Hash: BA814637B497394FD711EEA988D024E3692ABC8358F19473CD9748B7C1FB72990982D2
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ed1e42ced05367a1c4af3f1f27638f466fd074a6a3df82a879707312f1801ef2
    • Instruction ID: 8bbb503fcf84dd3e940c76981c52043fe1680e5bf170159eeda8ec2cf33f1223
    • Opcode Fuzzy Hash: ed1e42ced05367a1c4af3f1f27638f466fd074a6a3df82a879707312f1801ef2
    • Instruction Fuzzy Hash: CC91C676B187184BD304DE59CCC0259B3D2BBC8724F49C63CE8A89B745E674EE59CB81
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4d31df37a5449ffd1e24cf60742108c0e968a4867a6f255182e8c74dfb28f839
    • Instruction ID: ba592bffccc5f938087c53a8da5205d3f8b8befd62f5fa13a30ae9a74bb66179
    • Opcode Fuzzy Hash: 4d31df37a5449ffd1e24cf60742108c0e968a4867a6f255182e8c74dfb28f839
    • Instruction Fuzzy Hash: DC81F8B2A183508FC314DF29D88095AF7E2BFC8748F46892DF988D7711E771E9158B82
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d67e93ab81595d94d9a185c48878bebd3b717f366a9f9609864a47466b7cf34e
    • Instruction ID: c736c6bfb652ac92b748a48ac85901f7e8d4a7ed4ebf0947c6b8ecb1c3d3f20c
    • Opcode Fuzzy Hash: d67e93ab81595d94d9a185c48878bebd3b717f366a9f9609864a47466b7cf34e
    • Instruction Fuzzy Hash: 3691BFB4A093459FC308DF28C090A1ABBF1FF89748F408A6EE89997751E731E945CF46
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: aaac1fa95927537056fa748d1ed80cb4c36531cfe69fe86e380ee050db7f54d2
    • Instruction ID: 263810026bfd8c5a3f909d1a00ab27c1adb8c1ce2c4652efc9bc4bea7745938f
    • Opcode Fuzzy Hash: aaac1fa95927537056fa748d1ed80cb4c36531cfe69fe86e380ee050db7f54d2
    • Instruction Fuzzy Hash: E851767090C3A44AE3158F6F48D402EFFE16FCA341F884A6EF5E443392D6B89515DB6A
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cb712fc12d0c3a302ab8381bb20f1cd90c4982061281d8ef487a26e102f4ff13
    • Instruction ID: ebc80e806e1612e3013357d37cc1dedacc47453b00c14368be1058e09b7b8804
    • Opcode Fuzzy Hash: cb712fc12d0c3a302ab8381bb20f1cd90c4982061281d8ef487a26e102f4ff13
    • Instruction Fuzzy Hash: 6D51663090C3A44AE3158F6F48D402AFFE16BCA301F884A6EF5E443392D5B89515DB6A
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a9f464cbf3d7f996ec7793c710d6ed5ab18b72a8a66bfdcc3d5d6f8547079e79
    • Instruction ID: 3dd0bdbc8db62064ba07da9169abdd6904c0d7d8dedf26f8977c4c0fab33d095
    • Opcode Fuzzy Hash: a9f464cbf3d7f996ec7793c710d6ed5ab18b72a8a66bfdcc3d5d6f8547079e79
    • Instruction Fuzzy Hash: 6B514B756093228FD318DF69C590A1AB7E0FF88604F05897CED599B391E771E846CBC2
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4846899ca4cacdb733c780e8b14fffa8d342a29b7e33763930ddfd7416de9c4d
    • Instruction ID: 7f854787ce5df51c6369a59cf04e19bdd08a1377754239c0be857f589b426c42
    • Opcode Fuzzy Hash: 4846899ca4cacdb733c780e8b14fffa8d342a29b7e33763930ddfd7416de9c4d
    • Instruction Fuzzy Hash: 6F41B270904B448FC306DF79C49021AB7E5FFCA784F14CB2DE94A6B752EB319846CA42
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8ffddfa3501b94ad1a9dc9c92ba822dc140ca5dfe708a92e01d4c7edf4fecf63
    • Instruction ID: c29c23675932b2f577483b32ce723e5ddfc0ba56e3f6c649fd947386076b48f7
    • Opcode Fuzzy Hash: 8ffddfa3501b94ad1a9dc9c92ba822dc140ca5dfe708a92e01d4c7edf4fecf63
    • Instruction Fuzzy Hash: F3316FB381975D8BD300AF499C40149F7E2ABC0B20F5E8A5ED9A457701EBB0AA15CBC7
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 94e963e2d470d33658b6c5064ae85787a8c5a7e46912f7c0f52610d8dbad2873
    • Instruction ID: 132d5d1921c10d151d2cf4202ea4ec6d347d1c18c1bfa7c59c5f2c94897b588f
    • Opcode Fuzzy Hash: 94e963e2d470d33658b6c5064ae85787a8c5a7e46912f7c0f52610d8dbad2873
    • Instruction Fuzzy Hash: 4321D331B442518BD708CF29C8D052AB7E3ABCAB14B45C52CD546C7B64E634A80AC747
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5bd50f2546f233935da9e54c46ff2c225a1727279af8f65791523b85fd5fa8dc
    • Instruction ID: 4e91543b30a8cbf4be24bdd613924eb94ac7ef858d867a5d200b89ee18e1e1b3
    • Opcode Fuzzy Hash: 5bd50f2546f233935da9e54c46ff2c225a1727279af8f65791523b85fd5fa8dc
    • Instruction Fuzzy Hash: 41119D706083418FD705DF25C0A06A9B7B1FF96708F44889CD5964BF91E7799809DF42
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8a682bfe345b85ae8219c217be6b3d31521fc44bd280c6eeb9f259e1fccf9e53
    • Instruction ID: e4686ea793b25fe24c9495b3f5a794bf8e188be6dae71433cb9d64dd7bb7c900
    • Opcode Fuzzy Hash: 8a682bfe345b85ae8219c217be6b3d31521fc44bd280c6eeb9f259e1fccf9e53
    • Instruction Fuzzy Hash: 2111DBB4700B118FD398DF59C0D4A65B3E1FB8C200B4A85BDDB0A8B766D670A855DB85
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7657997af9b3c6ff0cdd607bf7fbd3f37a4f3df91a54b28ef87b58c3f3a6c392
    • Instruction ID: b93d7a1484a02ea91de906d8dd43be857310bed5d79bb1104902ff4c77d5a966
    • Opcode Fuzzy Hash: 7657997af9b3c6ff0cdd607bf7fbd3f37a4f3df91a54b28ef87b58c3f3a6c392
    • Instruction Fuzzy Hash: C5C08CB080A352AEF700DB2C8140306BEE09B81305F80C089A24843610D234C1888704

    Control-flow Graph

    APIs
    Strings
    • unexpected cgo_bindm on Windows, xrefs: 6CC75EA4
    • ;, xrefs: 6CC75F18
    • runtime: failed to signal runtime initialization complete., xrefs: 6CC75F2C
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    • API String ID: 3057923235-924395932
    • Opcode ID: b2bdcd36724ac81c6956511c37e5e93c06a559d92ab09fc349e2d1d66837ca2f
    • Instruction ID: c4018ed76230a5e58227d7b7e08ebb767fd332cd735569a6605f940e9d68dffd
    • Opcode Fuzzy Hash: b2bdcd36724ac81c6956511c37e5e93c06a559d92ab09fc349e2d1d66837ca2f
    • Instruction Fuzzy Hash: 2111C7B2504300DFEB10BF78C10E25EBAB4FB81308F41895CEA9547A10E77A9159CBA3
    APIs
    Strings
    • VirtualProtect failed with code 0x%x, xrefs: 6CC7659A
    • @, xrefs: 6CC76578
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6CC765C7
    • Address %p has no image-section, xrefs: 6CC765DB
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 629b367e60efe68f549d1b6800464ce086dd6bd349a20554f12934b9942389d9
    • Instruction ID: f6f827474849bd1839ef8a2f7909878d79f48efc934cf3d4ec06ac965351b6a5
    • Opcode Fuzzy Hash: 629b367e60efe68f549d1b6800464ce086dd6bd349a20554f12934b9942389d9
    • Instruction Fuzzy Hash: 92416EB2A057019FD710EF69D484A4AFBF4FB85318F15CA29DA588B714E730E458CBA2
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    • Opcode ID: e884518330496f7dc46e3bbb5070dc0128ec878960fd082cac232583b88bdf5d
    • Instruction ID: 40044279f366fb2df0f9dc5670a52bd890b36af728a8485366658ae370cad6ff
    • Opcode Fuzzy Hash: e884518330496f7dc46e3bbb5070dc0128ec878960fd082cac232583b88bdf5d
    • Instruction Fuzzy Hash: D551BD76A083158FD710DF29D48069AB7E5FBC8308F15892EE998C7600F775D94ACFA2
    APIs
    • malloc.MSVCRT ref: 6CC7606F
    • fwrite.MSVCRT ref: 6CC760BD
    • abort.MSVCRT ref: 6CC760C2
    • free.MSVCRT ref: 6CC760E5
      • Part of subcall function 6CC75FB0: _beginthread.MSVCRT ref: 6CC75FD6
      • Part of subcall function 6CC75FB0: _errno.MSVCRT ref: 6CC75FE1
      • Part of subcall function 6CC75FB0: _errno.MSVCRT ref: 6CC75FE8
      • Part of subcall function 6CC75FB0: fprintf.MSVCRT ref: 6CC76008
      • Part of subcall function 6CC75FB0: abort.MSVCRT ref: 6CC7600D
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +$runtime/cgo: out of memory in thread_start
    • API String ID: 2633710936-1802439445
    • Opcode ID: 3d700e67ce2c8e04a68d010f43d548c8930947da3a00a931366f3352aef294f6
    • Instruction ID: 7938d6242570648899bbdcdcefdc4e8767a9ec3da46ed55308400a93c4ea46cf
    • Opcode Fuzzy Hash: 3d700e67ce2c8e04a68d010f43d548c8930947da3a00a931366f3352aef294f6
    • Instruction Fuzzy Hash: 5C2138B5504700CFC710EF28C48894AFBF4FF89304F41899DE9888B725E3399845CBA2
    APIs
    • CreateEventA.KERNEL32 ref: 6CC75CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CC75D89), ref: 6CC75CEB
    • fwrite.MSVCRT ref: 6CC75D20
    • abort.MSVCRT ref: 6CC75D25
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6CC75D19
    • =, xrefs: 6CC75D05
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: a12e34c1a5177c0cbab01f0d5b31964fdd2a711c9aaead802558846d2e5eff28
    • Instruction ID: e1d8be3b9d5f222bb80a9be0c97408aeec3eabcab4e331402652359a14cf8dca
    • Opcode Fuzzy Hash: a12e34c1a5177c0cbab01f0d5b31964fdd2a711c9aaead802558846d2e5eff28
    • Instruction Fuzzy Hash: 17F0C9B15053019FE700BF68C50D35ABAF4FB81308F91C85DDA9886650E77A90588FA3
    APIs
    • Sleep.KERNEL32(?,?,?,6CBE12E0,?,?,?,?,?,?,6CBE13A3), ref: 6CBE1057
    • _amsg_exit.MSVCRT ref: 6CBE1085
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: 819a395c5ff33b930fef84704b8db01ddbb8d6497f8488f44142b84f815975e5
    • Instruction ID: 1c93ef746ee638863ceb8710946513af1d9e323fbbbb643c89e019abc2bd3443
    • Opcode Fuzzy Hash: 819a395c5ff33b930fef84704b8db01ddbb8d6497f8488f44142b84f815975e5
    • Instruction Fuzzy Hash: 0B4194717052848BFB00BF29C58174AB7F8EB86788F24852DD7448BB02D775D484DB93
    APIs
    • VirtualQuery.KERNEL32 ref: 6CC7652D
    • VirtualProtect.KERNEL32 ref: 6CC76587
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CD25388), ref: 6CC76594
      • Part of subcall function 6CC77220: fwrite.MSVCRT ref: 6CC7724F
      • Part of subcall function 6CC77220: vfprintf.MSVCRT ref: 6CC7726F
      • Part of subcall function 6CC77220: abort.MSVCRT ref: 6CC77274
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$@
    • API String ID: 1616349570-2953866262
    • Opcode ID: 124655772269cbdf78cbb8d491a1edd1b257e55a9acd7f5dd09f1863e1c83dc0
    • Instruction ID: 5d1ffcc33e741857c22d4a17b666e967d25d8e55fa7ec9343667ce05910c7557
    • Opcode Fuzzy Hash: 124655772269cbdf78cbb8d491a1edd1b257e55a9acd7f5dd09f1863e1c83dc0
    • Instruction Fuzzy Hash: 262138B29057018FE710EF28C48464AFBF0FF85318F15CA29DA98C7668E334D508DBA2
    APIs
    • bsearch.MSVCRT ref: 6CC74D5F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CC75BEF), ref: 6CC74D9A
    • malloc.MSVCRT ref: 6CC74DC8
    • qsort.MSVCRT ref: 6CC74E16
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: 4913508f9e27b98fc48ac952fcc4753c8721d815d8682e1e5283f74a54279470
    • Instruction ID: a2b43f5d52c1b6dd6dab305bbc0306edee83492f5c8ec812e1773121a8777dcd
    • Opcode Fuzzy Hash: 4913508f9e27b98fc48ac952fcc4753c8721d815d8682e1e5283f74a54279470
    • Instruction Fuzzy Hash: C54149756083018FD720DF29D580A1ABBF5FF98318F15896DE88987B14E774E858CFA2
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    • Opcode ID: c828761f6e6036b4a15c6a90c8c788ad6c1394d646c0e777398894383487fb44
    • Instruction ID: 0f50e7d305ec1d854e1cfb02ad9c295a290727ae40c3626eeb306ec983f3d4a2
    • Opcode Fuzzy Hash: c828761f6e6036b4a15c6a90c8c788ad6c1394d646c0e777398894383487fb44
    • Instruction Fuzzy Hash: 28216471704204CBD710EF39C885657B7F5FF45328F158928E5A9CB680FA35E849CB62
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: 69b96475150ed48dbae7e82d0d797250b8923cf80347e7d40f09b99b9f085535
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: F7118E70104204CFE7229F28C88075A7BE4FF45354F248A69E498CBB84FB78D845DBB2
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6CC75E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CC745D9), ref: 6CC75E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CC745D9), ref: 6CC75E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CC745D9), ref: 6CC75E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CC745D9), ref: 6CC75E50
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 98e03e713f3646e1aede2597600576354328d486cff43e03e7390480749e8db7
    • Instruction ID: 3cb629b931db64af8ccf1276576a6f186ba28f67b4c32329add78924aa85cb88
    • Opcode Fuzzy Hash: 98e03e713f3646e1aede2597600576354328d486cff43e03e7390480749e8db7
    • Instruction Fuzzy Hash: E8015271504304CFEA10FF79998951ABBB9FF82214F518529DA9447750D732A46CCBA3
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6CC77248
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: f962e27e01f473ec7c8587a54af9e8dcb5c4199359ac55c01ebf0c5a970dd92d
    • Instruction ID: 18220919a6bfec43c5ddb18a76adb5c8fe9465db7ce043c8ac6982a2cb2a2d46
    • Opcode Fuzzy Hash: f962e27e01f473ec7c8587a54af9e8dcb5c4199359ac55c01ebf0c5a970dd92d
    • Instruction Fuzzy Hash: 9FE0C2B0008308DED321AF64C18929EBAE4EF89348F01891CE0D847B51E7788489EB63
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CBE12A5), ref: 6CC76709
    Strings
    • Unknown pseudo relocation bit size %d., xrefs: 6CC76799
    • Unknown pseudo relocation protocol version %d., xrefs: 6CC76864
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    • Associated: 00000004.00000002.2065285389.000000006CBE0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065371668.000000006CC78000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065389780.000000006CC79000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065459511.000000006CC7A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065482497.000000006CC7F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065558222.000000006CD28000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD2E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065587041.000000006CD33000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065762428.000000006CD46000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065854164.000000006CD4D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065877430.000000006CD4E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.2065900398.000000006CD51000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: d87d9c96e23206d89857156248ab1c0c2648d3e97e50f09b8c45abd7143245e0
    • Instruction ID: eb099d110a6c194fc5f590aa924381b13718c9e40b94d35e9a4c322a15b1ebe5
    • Opcode Fuzzy Hash: d87d9c96e23206d89857156248ab1c0c2648d3e97e50f09b8c45abd7143245e0
    • Instruction Fuzzy Hash: 2A611171A006098FCB24EFA8C4C0A59B7B5FB8536CF648669DA14DBB15F734E805CBA1
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID: bsearchfprintffwrite
    • String ID: $
    • API String ID: 1110293247-3993045852
    • Opcode ID: 9947dc63d0da0f8417cd163efa63c1950e3fcfa44f2c5a03ff416105a853f6a1
    • Instruction ID: d0eb1ab7dc9d04d42c9b8dccde2a1a5b325877171988d3da62f79b3b7a96b3ef
    • Opcode Fuzzy Hash: 9947dc63d0da0f8417cd163efa63c1950e3fcfa44f2c5a03ff416105a853f6a1
    • Instruction Fuzzy Hash: E101C2B58093109FE710AF68954929AFBE4EF48318F51892EE8C897751E7798444CBA2
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.2065306719.000000006CBE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CBE0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6cbe0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 1dea66eedd4d9a282b13399d483e2844223caf3a0856e1d5c6db1d2b963e5880
    • Instruction ID: 71e42cd21e4d4d91aae2da39487098e81d132c0948ec927edcc5bac553974529
    • Opcode Fuzzy Hash: 1dea66eedd4d9a282b13399d483e2844223caf3a0856e1d5c6db1d2b963e5880
    • Instruction Fuzzy Hash: DEF0A472A006048FEB10BF7DC4C991BBBB8EA85358B054669DF4497715E730A418CBE3

    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:11
    Total number of Limit Nodes:1
    execution_graph
    • 6c89cea0 → 6c89ceb9, 6c89cec8 (WriteFile); 6c89ceb9 → 6c89cec8 (WriteFile)
    • 6c8c5fb0 → 6c8c5fc7 (_beginthread) → 6c8c5fe1 (_errno), 6c8c6012
    • 6c8c5fe1 (_errno) → 6c8c5fe8 (_errno), 6c8c6020 (Sleep)
    • 6c8c5fe8 (_errno) → 6c8c5ff9 (fprintf, abort) → 6c8c6012
    • 6c8c6020 (Sleep) → 6c8c5fc7 (_beginthread), 6c8c6034 → 6c8c5fe8 (_errno)

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6C8C5FF9
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    • Associated: 0000000D.00000002.2149263137.000000006C830000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2149643261.000000006C8C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2149731215.000000006C8C9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2149812209.000000006C8CA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2149892317.000000006C8CF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2150175816.000000006C978000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2150252858.000000006C97E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2150252858.000000006C983000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2150391183.000000006C996000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2150445537.000000006C99D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2150496043.000000006C99E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2150547249.000000006C9A1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 1261927973-3231778263
    • Opcode ID: 855da4e23410b58552588cfab0ac69e4db576a70ce69336520842a74ae9d2c8e
    • Instruction ID: 731f6fef711d05baf94ba4f666918ffb2f1c20f49c089b129eebee400d8d4a5b
    • Opcode Fuzzy Hash: 855da4e23410b58552588cfab0ac69e4db576a70ce69336520842a74ae9d2c8e
    • Instruction Fuzzy Hash: C0016DB56093149FCB207F69CA8852EBBB4FF46324F15492DE58583751C730D444EBA3

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph
    • 6c89cea0-6c89ceb7 → 6c89ceb9-6c89cec6, 6c89cec8-6c89cee0 (WriteFile)
    • 6c89ceb9-6c89cec6 → 6c89cec8-6c89cee0 (WriteFile)
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: 3c159bfa57a39a15dc833cda1bb032258ea62bfa470e60545e76b36b0305bb6c
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 28E0E571505600CFCB15DF18C2C130ABBE1EB48A00F0489A8DE098FB4AD734ED10CB92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6C8C634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6C8C635F
    • GetCurrentProcess.KERNEL32 ref: 6C8C6368
    • TerminateProcess.KERNEL32 ref: 6C8C6379
    • abort.MSVCRT ref: 6C8C6382
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 391509d5c7d4aeae0abae535ef25b58720faffeeae19fffbeb96658a44a43bd7
    • Instruction ID: 9b42e3bfa2fe413810233624ce3befd591f8a998cad818217ef0221e696ddc64
    • Opcode Fuzzy Hash: 391509d5c7d4aeae0abae535ef25b58720faffeeae19fffbeb96658a44a43bd7
    • Instruction Fuzzy Hash: 0D1116B5A08241CFCB00EF69C64962E7BF0BB46305F288929E948C7350E7359954CF93
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6C8C634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6C8C635F
    • GetCurrentProcess.KERNEL32 ref: 6C8C6368
    • TerminateProcess.KERNEL32 ref: 6C8C6379
    • abort.MSVCRT ref: 6C8C6382
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: b90f0402ac232c8fda967911d6bcc0d36a7c794ffd8fc03ab744f65e724e3832
    • Instruction ID: 0697ffe6033874c7fe17aa8205861a6744998b051d60ba9a0fa67e57df2dae9f
    • Opcode Fuzzy Hash: b90f0402ac232c8fda967911d6bcc0d36a7c794ffd8fc03ab744f65e724e3832
    • Instruction Fuzzy Hash: 321102B6A09241CFDB00EF79C64A62D7BF0BB06305F288928E94887340E7359914CF93

    Control-flow Graph

    APIs
    Strings
    • ;, xrefs: 6C8C5F18
    • unexpected cgo_bindm on Windows, xrefs: 6C8C5EA4
    • runtime: failed to signal runtime initialization complete., xrefs: 6C8C5F2C
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    • API String ID: 3057923235-924395932
    • Opcode ID: 52e82fefe723c7d4040ce24b18f2ffb9f0231a839fb20fc85f3a1651bf5e0e53
    • Instruction ID: c953100c7baab1b0a90c4366bf674eb11ab4f7ec95a1c0b5b3f3da420c6ad427
    • Opcode Fuzzy Hash: 52e82fefe723c7d4040ce24b18f2ffb9f0231a839fb20fc85f3a1651bf5e0e53
    • Instruction Fuzzy Hash: 7611D6B2508340CFDB10BF78C50A26EBBB0BB42304F55892CE88947A11D776A168CF93
    APIs
    Strings
    • @, xrefs: 6C8C6578
    • Address %p has no image-section, xrefs: 6C8C65DB
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6C8C65C7
    • VirtualProtect failed with code 0x%x, xrefs: 6C8C659A
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 38d274c70c342c65d79e497dd1ab3b3e6246a9fa8a1506f8a4d2aa7d69f9f4bd
    • Instruction ID: 7fa30cea3ba32207e30b9636b85bd703af6d0e4988095bd4904d86d64e3133af
    • Opcode Fuzzy Hash: 38d274c70c342c65d79e497dd1ab3b3e6246a9fa8a1506f8a4d2aa7d69f9f4bd
    • Instruction Fuzzy Hash: 6A415CB2A093019FC720DF69D98465AFBF0FF85714F298A69D8588B714E730E544CBA2
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 9f558aa6d6ff7eb28dce8753d8d3eb253e0249bf92394f7ebe326139a8ab770b
    • Instruction ID: 0eff03ebef42680e65a9ac1ef6c66761ae818ede508cc19e48741cad37bc7591
    • Opcode Fuzzy Hash: 9f558aa6d6ff7eb28dce8753d8d3eb253e0249bf92394f7ebe326139a8ab770b
    • Instruction Fuzzy Hash: F2015EB2A093148BDB20BFB8A70631EBFF4BB42A55F11592DD88987610D730D408CBE3
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    • Opcode ID: 33d39072f6f3fe898b1f5bfafc7bdb8ff69741a441a43977684afc695787e3b9
    • Instruction ID: 54207b1d79ebe807f58a3bee9b4357da7cab20561db8d5750f909d5f22db07b2
    • Opcode Fuzzy Hash: 33d39072f6f3fe898b1f5bfafc7bdb8ff69741a441a43977684afc695787e3b9
    • Instruction Fuzzy Hash: 6251BC76B083148FD7109F29D5802AAB7E5FBC8304F158D3EE998C7610E775D9898B93
    APIs
    • malloc.MSVCRT ref: 6C8C606F
    • fwrite.MSVCRT ref: 6C8C60BD
    • abort.MSVCRT ref: 6C8C60C2
    • free.MSVCRT ref: 6C8C60E5
      • Part of subcall function 6C8C5FB0: _beginthread.MSVCRT ref: 6C8C5FD6
      • Part of subcall function 6C8C5FB0: _errno.MSVCRT ref: 6C8C5FE1
      • Part of subcall function 6C8C5FB0: _errno.MSVCRT ref: 6C8C5FE8
      • Part of subcall function 6C8C5FB0: fprintf.MSVCRT ref: 6C8C6008
      • Part of subcall function 6C8C5FB0: abort.MSVCRT ref: 6C8C600D
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +$runtime/cgo: out of memory in thread_start
    • API String ID: 2633710936-1802439445
    • Opcode ID: 93d5b19c3bd986b5ddfd6c19532d3d1d4a21395983ebb8c16e7b5af187f778fb
    • Instruction ID: 3e791b07262cee886237a2d7b6f1bd82dbdfe1bb25663ee620cb981e6e2cf00b
    • Opcode Fuzzy Hash: 93d5b19c3bd986b5ddfd6c19532d3d1d4a21395983ebb8c16e7b5af187f778fb
    • Instruction Fuzzy Hash: D921E3B5608700CFC710AF28C68595ABBF4FF89304F5589ADE9888B726D339D844CB93
    APIs
    • CreateEventA.KERNEL32 ref: 6C8C5CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C8C5D89), ref: 6C8C5CEB
    • fwrite.MSVCRT ref: 6C8C5D20
    • abort.MSVCRT ref: 6C8C5D25
    Strings
    • =, xrefs: 6C8C5D05
    • runtime: failed to create runtime initialization wait event., xrefs: 6C8C5D19
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: d0c1b437a09bf3f33ad6bb62829d70e5807be381e53d50d2640d3897a72e4311
    • Instruction ID: ff080ac2eb2b48bd26620c2aa2eeaeb7a08aaac42cdc78e3f1d9fbdd5a239649
    • Opcode Fuzzy Hash: d0c1b437a09bf3f33ad6bb62829d70e5807be381e53d50d2640d3897a72e4311
    • Instruction Fuzzy Hash: D4F0FFB16093019FE710BF68C50A31EBBF0BF41309F95896DD89986641DB7AC158CF93
    APIs
    • Sleep.KERNEL32(?,?,?,6C8312E0,?,?,?,?,?,?,6C8313A3), ref: 6C831057
    • _amsg_exit.MSVCRT ref: 6C831085
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: c8e161d0c219b26141ee6cb8bef896bf2ed5754c6ff363d1ba0f236b03822d9c
    • Instruction ID: 0a4ded4d8f630b00a5ebc720aba39d139147e07328c4e5bfe4ffad9d84dcd2c3
    • Opcode Fuzzy Hash: c8e161d0c219b26141ee6cb8bef896bf2ed5754c6ff363d1ba0f236b03822d9c
    • Instruction Fuzzy Hash: F141A27270D254CBE710AFADCA8175AB7F4EB42B48F24692ED5488B740D735C480CBD2
    APIs
    • VirtualQuery.KERNEL32 ref: 6C8C652D
    • VirtualProtect.KERNEL32 ref: 6C8C6587
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C975388), ref: 6C8C6594
      • Part of subcall function 6C8C7220: fwrite.MSVCRT ref: 6C8C724F
      • Part of subcall function 6C8C7220: vfprintf.MSVCRT ref: 6C8C726F
      • Part of subcall function 6C8C7220: abort.MSVCRT ref: 6C8C7274
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    • Associated: 0000000D.00000002.2149263137.000000006C830000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2149643261.000000006C8C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2149731215.000000006C8C9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2149812209.000000006C8CA000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2149892317.000000006C8CF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2150175816.000000006C978000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2150252858.000000006C97E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2150252858.000000006C983000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2150391183.000000006C996000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2150445537.000000006C99D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2150496043.000000006C99E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000D.00000002.2150547249.000000006C9A1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$@
    • API String ID: 1616349570-2953866262
    • Opcode ID: 92de3875d7676567251df61bd9fe47b8ef32f41e82e7891ee90ad1ab726b80f3
    • Instruction ID: ba009bcdca0525624c0e0bda44f908be6b14c0c3c6df4793ae792ae48ba5925b
    • Opcode Fuzzy Hash: 92de3875d7676567251df61bd9fe47b8ef32f41e82e7891ee90ad1ab726b80f3
    • Instruction Fuzzy Hash: CF2137B2A093018FD710DF28DA8465AFBF0FF84318F298A69D998C7654E334D545CBA2
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: b9f619f93c94314cda6b5c475cde7861a40e99f690c99cc0cdc6a4359a2c319f
    • Instruction ID: 176e1d50b2f557b0733af32f5cf885265bf8c20e36d2b82cc0749a744e4bf55c
    • Opcode Fuzzy Hash: b9f619f93c94314cda6b5c475cde7861a40e99f690c99cc0cdc6a4359a2c319f
    • Instruction Fuzzy Hash: 1A019DB05093019FDB00AF68C58931EBBF0BB88349F10892DE89896250D77992488FD7
    APIs
    • bsearch.MSVCRT ref: 6C8C4D5F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6C8C5BEF), ref: 6C8C4D9A
    • malloc.MSVCRT ref: 6C8C4DC8
    • qsort.MSVCRT ref: 6C8C4E16
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: 3a0ef1f11dcbd327f430bdae5cde82d0ee040acbfe163ab996132495b5ea2fb4
    • Instruction ID: ad9b4cc2e8c76d3314d404e151bc8460611901a5b5712a66cc6a2a29e522b86a
    • Opcode Fuzzy Hash: 3a0ef1f11dcbd327f430bdae5cde82d0ee040acbfe163ab996132495b5ea2fb4
    • Instruction Fuzzy Hash: 674126756083018BD720EF29D68062AB7F1FFC8315F158D2DE98987B14E774E888CB92
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    • Opcode ID: 57e696d7857e8e7c4428cb4d7d8b360067e5baf45234708185bc99874ce93379
    • Instruction ID: f50df0b8b631d0a313c296359a14d0bd70bce37b24d5dd7cd229aea1a17a1edf
    • Opcode Fuzzy Hash: 57e696d7857e8e7c4428cb4d7d8b360067e5baf45234708185bc99874ce93379
    • Instruction Fuzzy Hash: 7C218270708304CBDB10AF39DA8465777F5FF89318F198928E4A9CB280EA35E849DB53
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: 5f05ac7a7e81952d8446e7523296e0bfe423d5ebce0c342793987de7266a1021
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: BF110A702052018FE7609F6CDA8075ABBE4BF45354F148E6AE498CBB85EB74D844CB53
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6C8C6289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C8313B9), ref: 6C8C629A
    • GetCurrentThreadId.KERNEL32 ref: 6C8C62A2
    • GetTickCount.KERNEL32 ref: 6C8C62AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C8313B9), ref: 6C8C62B9
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 87afdb3329a7e1f84169b4bb3c4e3e342e52a34666ed18fc6bfda296d8527591
    • Instruction ID: f6093d76cda026a7acdf533a4a74f201d0d3a8e4b3f69f625e5a2062b954af10
    • Opcode Fuzzy Hash: 87afdb3329a7e1f84169b4bb3c4e3e342e52a34666ed18fc6bfda296d8527591
    • Instruction Fuzzy Hash: 8C119AB1B093408BCB10DF78E58855BBBF4FB89269F180D3AE444C6600EA31D958CBC3
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6C8C5E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C8C45D9), ref: 6C8C5E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C8C45D9), ref: 6C8C5E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C8C45D9), ref: 6C8C5E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6C8C45D9), ref: 6C8C5E50
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 3dc21da638aedd6cb4fedee88127278ed548b99119d7c450747df12083f45ef4
    • Instruction ID: 728c360b0ae5510e806d2d12572816d116b7c97f82ec02786e8a546bfa00da67
    • Opcode Fuzzy Hash: 3dc21da638aedd6cb4fedee88127278ed548b99119d7c450747df12083f45ef4
    • Instruction Fuzzy Hash: 8F0171B1608308CFDB10BF79D98651ABBB8BF42210F55093DE89447A50D732E468CFA3
    APIs
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6C8C7248
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: 59e5b0e9be459ca7677b2e133d4a44919d08d749e8c2b979357e7b7d21d5dce1
    • Instruction ID: 6e2485aff7368f53723f15c8b0f798071da22ae49c4a49a7ccb54b188f691252
    • Opcode Fuzzy Hash: 59e5b0e9be459ca7677b2e133d4a44919d08d749e8c2b979357e7b7d21d5dce1
    • Instruction Fuzzy Hash: 49E0C2B11093049ED320AF68C2852AEFAE4AF85348F018D2CE0C847B51C778C4888F63
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C8312A5), ref: 6C8C6709
    Strings
    • Unknown pseudo relocation protocol version %d., xrefs: 6C8C6864
    • Unknown pseudo relocation bit size %d., xrefs: 6C8C6799
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: 529c20d7e191623581b1ba79349137692363756b117e5978c9146e2234407abc
    • Instruction ID: 027e4987da9a3fa04746712d53b7040c49ae3a82a6a4715fa23e19736cebf0b1
    • Opcode Fuzzy Hash: 529c20d7e191623581b1ba79349137692363756b117e5978c9146e2234407abc
    • Instruction Fuzzy Hash: 6361B171B05319CFCB24DF68D6C0669B7B1FB45318B648A39D818DBF11D374E8058BA2
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: bsearchfprintffwrite
    • String ID: $
    • API String ID: 1110293247-3993045852
    • Opcode ID: 019fddca43d85369589e6f762f8e7f5ef323bd833324e9cb43c42eb338f898ed
    • Instruction ID: 40b5805d91647ee61411b7d356860549d106c73abb6a1791fab33b1d27874a66
    • Opcode Fuzzy Hash: 019fddca43d85369589e6f762f8e7f5ef323bd833324e9cb43c42eb338f898ed
    • Instruction Fuzzy Hash: 17011BB56093009BDB10AF28D64925AFBE0AF89318F418D2EE8C897701E774C584DF93
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: 9ee0731458213656d6f252609c309573118af7bd4662403b40e097998f34f25b
    • Instruction ID: 6534ee426c02a58e7ba8da30e10367150a73868a9245eb6b96535f9a5aa484b6
    • Opcode Fuzzy Hash: 9ee0731458213656d6f252609c309573118af7bd4662403b40e097998f34f25b
    • Instruction Fuzzy Hash: 6E21E5B5A052408BDB14DF29D2C471ABBF1BFC4314F16C96CE8888B709D735D884CB92
    APIs
    Memory Dump Source
    • Source File: 0000000D.00000002.2149347720.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 3c4c453e0f861b2a960b24769dca5c8c4b5fd29c4743e0419a51348e4e22be88
    • Instruction ID: 2f28936a47ad210a4982ebf7fce09fcb76be6a66e970171e40f2dc74b56d3c88
    • Opcode Fuzzy Hash: 3c4c453e0f861b2a960b24769dca5c8c4b5fd29c4743e0419a51348e4e22be88
    • Instruction Fuzzy Hash: E7F08172A042149BDB107F6D89C992E7BB4FB46654B1D0938DD4487205E730E5598BE3
    Memory Dump Source
    • Source File: 00000010.00000002.2147400851.0000000004480000.00000004.00001000.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_4480000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c5e3cb73091d8ad6b75e80d324739e0b5d19a085c1488876a5a92d56edb1f2c6
    • Instruction ID: 9dc017a72a2626fc5683509f50b4ea66eadb55b00e07b924c6cf5fd6cffecb28
    • Opcode Fuzzy Hash: c5e3cb73091d8ad6b75e80d324739e0b5d19a085c1488876a5a92d56edb1f2c6
    • Instruction Fuzzy Hash: 52F0489644EBC04FD307977899A56903FB0AE17224B1F80DBC085CF0B3E058584ADB32

    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:11
    Total number of Limit Nodes:1
    Execution graph (rendered graph flattened to text; node addresses and called APIs as recovered):
    • 6c89cea0 -> 6c89ceb9 -> 6c89cec8 (VirtualAlloc); 6c89cea0 also branches directly to 6c89cec8
    • 6c8c5fb0 -> 6c8c5fc7 (_beginthread) -> 6c8c5fe1 (_errno), or 6c8c5fc7 -> 6c8c6012
    • 6c8c5fe1 (_errno) -> 6c8c5fe8 (_errno) -> 6c8c5ff9 (fprintf, abort) -> 6c8c6012
    • 6c8c5fe1 (_errno) -> 6c8c6020 (Sleep) -> back to 6c8c5fc7 (_beginthread), or 6c8c6020 -> 6c8c6034 -> 6c8c5fe8 (_errno)

    Control-flow Graph

    APIs
    Strings
    • runtime: failed to create new OS thread (%d), xrefs: 6C8C5FF9
    Memory Dump Source
    • Source File: 00000011.00000002.2146715533.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    • Associated: 00000011.00000002.2146618983.000000006C830000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2147075044.000000006C8C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2147173651.000000006C8C9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2147279483.000000006C8CD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2147387259.000000006C8CF000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2147785556.000000006C978000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2147901289.000000006C97E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2147901289.000000006C983000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2148102905.000000006C996000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2148197633.000000006C99D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2148279253.000000006C99E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000011.00000002.2148367824.000000006C9A1000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID: runtime: failed to create new OS thread (%d)
    • API String ID: 1261927973-3231778263
    • Opcode ID: 855da4e23410b58552588cfab0ac69e4db576a70ce69336520842a74ae9d2c8e
    • Instruction ID: 731f6fef711d05baf94ba4f666918ffb2f1c20f49c089b129eebee400d8d4a5b
    • Opcode Fuzzy Hash: 855da4e23410b58552588cfab0ac69e4db576a70ce69336520842a74ae9d2c8e
    • Instruction Fuzzy Hash: C0016DB56093149FCB207F69CA8852EBBB4FF46324F15492DE58583751C730D444EBA3

    Control-flow Graph

    Control-flow graph (rendered graph flattened to text): basic blocks 6c89cea0-6c89ceb7, 6c89ceb9-6c89cec6 and 6c89cec8-6c89cee0 (VirtualAlloc); edges 6c89cea0 -> 6c89ceb9, 6c89cea0 -> 6c89cec8, 6c89ceb9 -> 6c89cec8.
    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.2146715533.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: 3c159bfa57a39a15dc833cda1bb032258ea62bfa470e60545e76b36b0305bb6c
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 28E0E571505600CFCB15DF18C2C130ABBE1EB48A00F0489A8DE098FB4AD734ED10CB92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6C8C634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6C8C635F
    • GetCurrentProcess.KERNEL32 ref: 6C8C6368
    • TerminateProcess.KERNEL32 ref: 6C8C6379
    • abort.MSVCRT ref: 6C8C6382
    Memory Dump Source
    • Source File: 00000011.00000002.2146715533.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 391509d5c7d4aeae0abae535ef25b58720faffeeae19fffbeb96658a44a43bd7
    • Instruction ID: 9b42e3bfa2fe413810233624ce3befd591f8a998cad818217ef0221e696ddc64
    • Opcode Fuzzy Hash: 391509d5c7d4aeae0abae535ef25b58720faffeeae19fffbeb96658a44a43bd7
    • Instruction Fuzzy Hash: 0D1116B5A08241CFCB00EF69C64962E7BF0BB46305F288929E948C7350E7359954CF93
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6C8C634F
    • UnhandledExceptionFilter.KERNEL32 ref: 6C8C635F
    • GetCurrentProcess.KERNEL32 ref: 6C8C6368
    • TerminateProcess.KERNEL32 ref: 6C8C6379
    • abort.MSVCRT ref: 6C8C6382
    Memory Dump Source
    • Source File: 00000011.00000002.2146715533.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: b90f0402ac232c8fda967911d6bcc0d36a7c794ffd8fc03ab744f65e724e3832
    • Instruction ID: 0697ffe6033874c7fe17aa8205861a6744998b051d60ba9a0fa67e57df2dae9f
    • Opcode Fuzzy Hash: b90f0402ac232c8fda967911d6bcc0d36a7c794ffd8fc03ab744f65e724e3832
    • Instruction Fuzzy Hash: 321102B6A09241CFDB00EF79C64A62D7BF0BB06305F288928E94887340E7359914CF93
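    The two records above share API String ID 520269711-0 but carry different Opcode IDs: the same import and string profile, different code. To pivot on these fingerprints across reports, the following is an added Python parser for the plain-text Similarity records in this listing (example code, not part of the Joe Sandbox report or its tooling). The sample input is assembled from lines of this listing, the field names are the report's own, and the record layout handled is the one shown here; the walrus operator needs Python 3.8 or later.

```python
"""Parse the per-function Similarity records of a Joe Sandbox disassembly listing
so that functions can be pivoted on by API String ID across reports.
Added example; not part of the report or of Joe Sandbox's own tooling."""
import re
from collections import defaultdict

# Constructed sample: lines assembled from records in the listing above (the
# repeated Memory Dump Source block is omitted; the parser ignores it anyway,
# and the subcall line is borrowed from another record to exercise that form).
SAMPLE = """\
APIs
• SetUnhandledExceptionFilter.KERNEL32 ref: 6C8C634F
• UnhandledExceptionFilter.KERNEL32 ref: 6C8C635F
• GetCurrentProcess.KERNEL32 ref: 6C8C6368
• TerminateProcess.KERNEL32 ref: 6C8C6379
• abort.MSVCRT ref: 6C8C6382
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
• String ID:
• API String ID: 520269711-0
• Opcode ID: 391509d5c7d4aeae0abae535ef25b58720faffeeae19fffbeb96658a44a43bd7
APIs
• SetUnhandledExceptionFilter.KERNEL32 ref: 6C8C634F
• UnhandledExceptionFilter.KERNEL32 ref: 6C8C635F
• GetCurrentProcess.KERNEL32 ref: 6C8C6368
• TerminateProcess.KERNEL32 ref: 6C8C6379
• abort.MSVCRT ref: 6C8C6382
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
• String ID:
• API String ID: 520269711-0
• Opcode ID: b90f0402ac232c8fda967911d6bcc0d36a7c794ffd8fc03ab744f65e724e3832
APIs
• CreateEventA.KERNEL32 ref: 6C8C5CD2
• InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C8C5D89), ref: 6C8C5CEB
• fwrite.MSVCRT ref: 6C8C5D20
• abort.MSVCRT ref: 6C8C5D25
  • Part of subcall function 6C8C5FB0: _beginthread.MSVCRT ref: 6C8C5FD6
Strings
• runtime: failed to create runtime initialization wait event., xrefs: 6C8C5D19
• =, xrefs: 6C8C5D05
Similarity
• API ID: CreateCriticalEventInitializeSectionabortfwrite
• String ID: =$runtime: failed to create runtime initialization wait event.
• API String ID: 2455830200-3519180978
• Opcode ID: d0c1b437a09bf3f33ad6bb62829d70e5807be381e53d50d2640d3897a72e4311
"""

HEADINGS = {"APIs", "Strings", "Similarity", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Control-flow Graph"}
# "• Name.MODULE ref: ADDR", optionally with an argument list and a subcall prefix
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s+)?"
    r"(?P<name>\w+)\.(?P<module>[A-Za-z0-9_]+)(?:\([^)]*\))?,?\s+ref:\s+(?P<addr>[0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^•\s+(?P<text>.*), xrefs: (?P<addr>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s+(?P<key>[A-Za-z][A-Za-z ]*):\s*(?P<value>.*)$")


def parse_records(text):
    """Return one dict per function: its API refs, strings and Similarity fields."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADINGS:
            if line == "APIs":  # each record in the listing opens with its APIs list
                cur = {"apis": [], "strings": [], "fields": {}}
                records.append(cur)
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            cur["apis"].append({"name": m["name"], "module": m["module"],
                                "addr": m["addr"], "subcall": m["sub"]})
        elif section == "Strings" and (m := STRING_RE.match(line)):
            cur["strings"].append((m["text"], m["addr"]))
        elif section == "Similarity" and (m := FIELD_RE.match(line)):
            cur["fields"][m["key"]] = m["value"]
    return records


def group_by_signature(records):
    """Map API String ID -> Opcode IDs. Several distinct Opcode IDs under one
    API String ID are functions with the same import/string profile but
    different code, like the two exception-filter functions above."""
    groups = defaultdict(list)
    for r in records:
        sig = r["fields"].get("API String ID")
        if sig:
            groups[sig].append(r["fields"].get("Opcode ID"))
    return dict(groups)


def modules_touched(record):
    """Modules the function itself imports from (subcall APIs excluded)."""
    return sorted({a["module"] for a in record["apis"] if a["subcall"] is None})


if __name__ == "__main__":
    for sig, ops in group_by_signature(parse_records(SAMPLE)).items():
        print(sig, len(ops), "function(s)", "collision" if len(set(ops)) > 1 else "")
```

    Feed it the text of several reports and group on API String ID to find functions that recur unchanged (same Opcode ID) versus functions whose imports match but whose code differs; for matching across compiler builds, the Instruction Fuzzy Hash field, which the parser also retains, is the one to compare.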
    APIs
    Strings
    • ;, xrefs: 6C8C5F18
    • unexpected cgo_bindm on Windows, xrefs: 6C8C5EA4
    • runtime: failed to signal runtime initialization complete., xrefs: 6C8C5F2C
    Memory Dump Source
    • Source File: 00000011.00000002.2146715533.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
    • API String ID: 3057923235-924395932
    • Opcode ID: 52e82fefe723c7d4040ce24b18f2ffb9f0231a839fb20fc85f3a1651bf5e0e53
    • Instruction ID: c953100c7baab1b0a90c4366bf674eb11ab4f7ec95a1c0b5b3f3da420c6ad427
    • Opcode Fuzzy Hash: 52e82fefe723c7d4040ce24b18f2ffb9f0231a839fb20fc85f3a1651bf5e0e53
    • Instruction Fuzzy Hash: 7611D6B2508340CFDB10BF78C50A26EBBB0BB42304F55892CE88947A11D776A168CF93
    APIs
    Strings
    • VirtualProtect failed with code 0x%x, xrefs: 6C8C659A
    • Address %p has no image-section, xrefs: 6C8C65DB
    • @, xrefs: 6C8C6578
    • VirtualQuery failed for %d bytes at address %p, xrefs: 6C8C65C7
    Memory Dump Source
    • Source File: 00000011.00000002.2146715533.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
    • API String ID: 1804819252-1098444051
    • Opcode ID: 38d274c70c342c65d79e497dd1ab3b3e6246a9fa8a1506f8a4d2aa7d69f9f4bd
    • Instruction ID: 7fa30cea3ba32207e30b9636b85bd703af6d0e4988095bd4904d86d64e3133af
    • Opcode Fuzzy Hash: 38d274c70c342c65d79e497dd1ab3b3e6246a9fa8a1506f8a4d2aa7d69f9f4bd
    • Instruction Fuzzy Hash: 6A415CB2A093019FC720DF69D98465AFBF0FF85714F298A69D8588B714E730E544CBA2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.2146715533.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$HandleLibraryLoadModule
    • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
    • API String ID: 384173800-1835852900
    • Opcode ID: 9f558aa6d6ff7eb28dce8753d8d3eb253e0249bf92394f7ebe326139a8ab770b
    • Instruction ID: 0eff03ebef42680e65a9ac1ef6c66761ae818ede508cc19e48741cad37bc7591
    • Opcode Fuzzy Hash: 9f558aa6d6ff7eb28dce8753d8d3eb253e0249bf92394f7ebe326139a8ab770b
    • Instruction Fuzzy Hash: F2015EB2A093148BDB20BFB8A70631EBFF4BB42A55F11592DD88987610D730D408CBE3
    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.2146715533.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    • Opcode ID: 33d39072f6f3fe898b1f5bfafc7bdb8ff69741a441a43977684afc695787e3b9
    • Instruction ID: 54207b1d79ebe807f58a3bee9b4357da7cab20561db8d5750f909d5f22db07b2
    • Opcode Fuzzy Hash: 33d39072f6f3fe898b1f5bfafc7bdb8ff69741a441a43977684afc695787e3b9
    • Instruction Fuzzy Hash: 6251BC76B083148FD7109F29D5802AAB7E5FBC8304F158D3EE998C7610E775D9898B93
    APIs
    • malloc.MSVCRT ref: 6C8C606F
    • fwrite.MSVCRT ref: 6C8C60BD
    • abort.MSVCRT ref: 6C8C60C2
    • free.MSVCRT ref: 6C8C60E5
      • Part of subcall function 6C8C5FB0: _beginthread.MSVCRT ref: 6C8C5FD6
      • Part of subcall function 6C8C5FB0: _errno.MSVCRT ref: 6C8C5FE1
      • Part of subcall function 6C8C5FB0: _errno.MSVCRT ref: 6C8C5FE8
      • Part of subcall function 6C8C5FB0: fprintf.MSVCRT ref: 6C8C6008
      • Part of subcall function 6C8C5FB0: abort.MSVCRT ref: 6C8C600D
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.2146715533.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +$runtime/cgo: out of memory in thread_start
    • API String ID: 2633710936-1802439445
    • Opcode ID: 93d5b19c3bd986b5ddfd6c19532d3d1d4a21395983ebb8c16e7b5af187f778fb
    • Instruction ID: 3e791b07262cee886237a2d7b6f1bd82dbdfe1bb25663ee620cb981e6e2cf00b
    • Opcode Fuzzy Hash: 93d5b19c3bd986b5ddfd6c19532d3d1d4a21395983ebb8c16e7b5af187f778fb
    • Instruction Fuzzy Hash: D921E3B5608700CFC710AF28C68595ABBF4FF89304F5589ADE9888B726D339D844CB93
    APIs
    • CreateEventA.KERNEL32 ref: 6C8C5CD2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C8C5D89), ref: 6C8C5CEB
    • fwrite.MSVCRT ref: 6C8C5D20
    • abort.MSVCRT ref: 6C8C5D25
    Strings
    • runtime: failed to create runtime initialization wait event., xrefs: 6C8C5D19
    • =, xrefs: 6C8C5D05
    Memory Dump Source
    • Source File: 00000011.00000002.2146715533.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =$runtime: failed to create runtime initialization wait event.
    • API String ID: 2455830200-3519180978
    • Opcode ID: d0c1b437a09bf3f33ad6bb62829d70e5807be381e53d50d2640d3897a72e4311
    • Instruction ID: ff080ac2eb2b48bd26620c2aa2eeaeb7a08aaac42cdc78e3f1d9fbdd5a239649
    • Opcode Fuzzy Hash: d0c1b437a09bf3f33ad6bb62829d70e5807be381e53d50d2640d3897a72e4311
    • Instruction Fuzzy Hash: D4F0FFB16093019FE710BF68C50A31EBBF0BF41309F95896DD89986641DB7AC158CF93
    APIs
    • Sleep.KERNEL32(?,?,?,6C8312E0,?,?,?,?,?,?,6C8313A3), ref: 6C831057
    • _amsg_exit.MSVCRT ref: 6C831085
    Memory Dump Source
    • Source File: 00000011.00000002.2146715533.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: c8e161d0c219b26141ee6cb8bef896bf2ed5754c6ff363d1ba0f236b03822d9c
    • Instruction ID: 0a4ded4d8f630b00a5ebc720aba39d139147e07328c4e5bfe4ffad9d84dcd2c3
    • Opcode Fuzzy Hash: c8e161d0c219b26141ee6cb8bef896bf2ed5754c6ff363d1ba0f236b03822d9c
    • Instruction Fuzzy Hash: F141A27270D254CBE710AFADCA8175AB7F4EB42B48F24692ED5488B740D735C480CBD2
    APIs
    • VirtualQuery.KERNEL32 ref: 6C8C652D
    • VirtualProtect.KERNEL32 ref: 6C8C6587
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C975388), ref: 6C8C6594
      • Part of subcall function 6C8C7220: fwrite.MSVCRT ref: 6C8C724F
      • Part of subcall function 6C8C7220: vfprintf.MSVCRT ref: 6C8C726F
      • Part of subcall function 6C8C7220: abort.MSVCRT ref: 6C8C7274
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.2146715533.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: VirtualProtect failed with code 0x%x$@
    • API String ID: 1616349570-2953866262
    • Opcode ID: 92de3875d7676567251df61bd9fe47b8ef32f41e82e7891ee90ad1ab726b80f3
    • Instruction ID: ba009bcdca0525624c0e0bda44f908be6b14c0c3c6df4793ae792ae48ba5925b
    • Opcode Fuzzy Hash: 92de3875d7676567251df61bd9fe47b8ef32f41e82e7891ee90ad1ab726b80f3
    • Instruction Fuzzy Hash: CF2137B2A093018FD710DF28DA8465AFBF0FF84318F298A69D998C7654E334D545CBA2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.2146715533.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessagefprintf
    • String ID: Erro: %s
    • API String ID: 659079672-2412703935
    • Opcode ID: b9f619f93c94314cda6b5c475cde7861a40e99f690c99cc0cdc6a4359a2c319f
    • Instruction ID: 176e1d50b2f557b0733af32f5cf885265bf8c20e36d2b82cc0749a744e4bf55c
    • Opcode Fuzzy Hash: b9f619f93c94314cda6b5c475cde7861a40e99f690c99cc0cdc6a4359a2c319f
    • Instruction Fuzzy Hash: 1A019DB05093019FDB00AF68C58931EBBF0BB88349F10892DE89896250D77992488FD7
    APIs
    • bsearch.MSVCRT ref: 6C8C4D5F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6C8C5BEF), ref: 6C8C4D9A
    • malloc.MSVCRT ref: 6C8C4DC8
    • qsort.MSVCRT ref: 6C8C4E16
    Memory Dump Source
    • Source File: 00000011.00000002.2146715533.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: 3a0ef1f11dcbd327f430bdae5cde82d0ee040acbfe163ab996132495b5ea2fb4
    • Instruction ID: ad9b4cc2e8c76d3314d404e151bc8460611901a5b5712a66cc6a2a29e522b86a
    • Opcode Fuzzy Hash: 3a0ef1f11dcbd327f430bdae5cde82d0ee040acbfe163ab996132495b5ea2fb4
    • Instruction Fuzzy Hash: 674126756083018BD720EF29D68062AB7F1FFC8315F158D2DE98987B14E774E888CB92
    APIs
    Memory Dump Source
    • Source File: 00000011.00000002.2146715533.000000006C831000.00000020.00000001.01000000.00000003.sdmp, Offset: 6C830000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_6c830000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    • Opcode ID: 57e696d7857e8e7c4428cb4d7d8b360067e5baf45234708185bc99874ce93379
    • Instruction ID: f50df0b8b631d0a313c296359a14d0bd70bce37b24d5dd7cd229aea1a17a1edf
    • Opcode Fuzzy Hash: 57e696d7857e8e7c4428cb4d7d8b360067e5baf45234708185bc99874ce93379
    • Instruction Fuzzy Hash: 7C218270708304CBDB10AF39DA8465777F5FF89318F198928E4A9CB280EA35E849DB53
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction ID: 5f05ac7a7e81952d8446e7523296e0bfe423d5ebce0c342793987de7266a1021
    • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
    • Instruction Fuzzy Hash: BF110A702052018FE7609F6CDA8075ABBE4BF45354F148E6AE498CBB85EB74D844CB53
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6C8C6289
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C8313B9), ref: 6C8C629A
    • GetCurrentThreadId.KERNEL32 ref: 6C8C62A2
    • GetTickCount.KERNEL32 ref: 6C8C62AA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C8313B9), ref: 6C8C62B9
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 87afdb3329a7e1f84169b4bb3c4e3e342e52a34666ed18fc6bfda296d8527591
    • Instruction ID: f6093d76cda026a7acdf533a4a74f201d0d3a8e4b3f69f625e5a2062b954af10
    • Opcode Fuzzy Hash: 87afdb3329a7e1f84169b4bb3c4e3e342e52a34666ed18fc6bfda296d8527591
    • Instruction Fuzzy Hash: 8C119AB1B093408BCB10DF78E58855BBBF4FB89269F180D3AE444C6600EA31D958CBC3
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6C8C5E10
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C8C45D9), ref: 6C8C5E1C
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C8C45D9), ref: 6C8C5E2E
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C8C45D9), ref: 6C8C5E3E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6C8C45D9), ref: 6C8C5E50
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 3dc21da638aedd6cb4fedee88127278ed548b99119d7c450747df12083f45ef4
    • Instruction ID: 728c360b0ae5510e806d2d12572816d116b7c97f82ec02786e8a546bfa00da67
    • Opcode Fuzzy Hash: 3dc21da638aedd6cb4fedee88127278ed548b99119d7c450747df12083f45ef4
    • Instruction Fuzzy Hash: 8F0171B1608308CFDB10BF79D98651ABBB8BF42210F55093DE89447A50D732E468CFA3
    Strings
    • Mingw-w64 runtime failure:, xrefs: 6C8C7248
    Similarity
    • API ID: abortfwritevfprintf
    • String ID: Mingw-w64 runtime failure:
    • API String ID: 3176311984-2889761391
    • Opcode ID: 59e5b0e9be459ca7677b2e133d4a44919d08d749e8c2b979357e7b7d21d5dce1
    • Instruction ID: 6e2485aff7368f53723f15c8b0f798071da22ae49c4a49a7ccb54b188f691252
    • Opcode Fuzzy Hash: 59e5b0e9be459ca7677b2e133d4a44919d08d749e8c2b979357e7b7d21d5dce1
    • Instruction Fuzzy Hash: 49E0C2B11093049ED320AF68C2852AEFAE4AF85348F018D2CE0C847B51C778C4888F63
    APIs
    • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C8312A5), ref: 6C8C6709
    Strings
    • Unknown pseudo relocation bit size %d., xrefs: 6C8C6799
    • Unknown pseudo relocation protocol version %d., xrefs: 6C8C6864
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: 529c20d7e191623581b1ba79349137692363756b117e5978c9146e2234407abc
    • Instruction ID: 027e4987da9a3fa04746712d53b7040c49ae3a82a6a4715fa23e19736cebf0b1
    • Opcode Fuzzy Hash: 529c20d7e191623581b1ba79349137692363756b117e5978c9146e2234407abc
    • Instruction Fuzzy Hash: 6361B171B05319CFCB24DF68D6C0669B7B1FB45318B648A39D818DBF11D374E8058BA2
    Similarity
    • API ID: bsearchfprintffwrite
    • String ID: $
    • API String ID: 1110293247-3993045852
    • Opcode ID: 019fddca43d85369589e6f762f8e7f5ef323bd833324e9cb43c42eb338f898ed
    • Instruction ID: 40b5805d91647ee61411b7d356860549d106c73abb6a1791fab33b1d27874a66
    • Opcode Fuzzy Hash: 019fddca43d85369589e6f762f8e7f5ef323bd833324e9cb43c42eb338f898ed
    • Instruction Fuzzy Hash: 17011BB56093009BDB10AF28D64925AFBE0AF89318F418D2EE8C897701E774C584DF93
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: 9ee0731458213656d6f252609c309573118af7bd4662403b40e097998f34f25b
    • Instruction ID: 6534ee426c02a58e7ba8da30e10367150a73868a9245eb6b96535f9a5aa484b6
    • Opcode Fuzzy Hash: 9ee0731458213656d6f252609c309573118af7bd4662403b40e097998f34f25b
    • Instruction Fuzzy Hash: 6E21E5B5A052408BDB14DF29D2C471ABBF1BFC4314F16C96CE8888B709D735D884CB92
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 3c4c453e0f861b2a960b24769dca5c8c4b5fd29c4743e0419a51348e4e22be88
    • Instruction ID: 2f28936a47ad210a4982ebf7fce09fcb76be6a66e970171e40f2dc74b56d3c88
    • Opcode Fuzzy Hash: 3c4c453e0f861b2a960b24769dca5c8c4b5fd29c4743e0419a51348e4e22be88
    • Instruction Fuzzy Hash: E7F08172A042149BDB107F6D89C992E7BB4FB46654B1D0938DD4487205E730E5598BE3