
Windows Analysis Report
A5r0ypOR77.dll

Overview

General Information

Sample name: A5r0ypOR77.dll (renamed because the original name is a hash value)
Original sample name: d8317f94e3cb97069214163f7d5de3591571e0e607f0629c6c985998f2702422.dll
Analysis ID: 1544816
MD5: 7e3af38131464ec77c3305b057034fc2
SHA1: 3bef744c86fe6f93ec7527251e50d83bae11ada7
SHA256: d8317f94e3cb97069214163f7d5de3591571e0e607f0629c6c985998f2702422
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 3420 cmdline: loaddll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 3784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6140 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7020 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 5076 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 856 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 3040 cmdline: rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 5356 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 824 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 5196 cmdline: rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5920 cmdline: rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,acidulavamBelchior MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5388 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 5536 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 832 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 1916 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6524 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",acidulavamBelchior MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5128 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",ziguezagueemosPiaremos MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7100 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",vitalizeiAglomerarmo MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7008 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",renuncieDesembocava MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5676 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",refreasseisFestejarieis MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5960 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",problematizastesForcaram MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 500 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",paralisaremoEmborcaveis MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4892 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",lastimareisConfiscara MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1672 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",imprevisivelRecondicionaveis MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2012 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",franzasDoutrinasses MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2632 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",entristecendoControlar MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5956 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",ensebaveisApaixonaste MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6976 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",desconsiderassemBordejam MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1880 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",compensacoesRefroes MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5192 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",bacanerrimoEsquecido MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7188 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",assentidoRefreava MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7228 cmdline: rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",aprendizDesmistificarmo MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.5% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0E1420
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0E1420
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D071420
Source: A5r0ypOR77.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: A5r0ypOR77.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh 3_2_6D0D9D00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov ebp, edi 3_2_6D0B2F60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov ebp, edi 3_2_6D0B2F66
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh 3_2_6D0D89B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx 3_2_6D0CCAC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov ecx, dword ptr [esp+5Ch] 3_2_6D11E520
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh 10_2_6D0D9D00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov ebp, edi 10_2_6D0B2F60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov ebp, edi 10_2_6D0B2F66
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh 10_2_6D0D89B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx 10_2_6D0CCAC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov ecx, dword ptr [esp+5Ch] 10_2_6D11E520
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh 12_2_6D069D00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov ebp, edi 12_2_6D042F66
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov ebp, edi 12_2_6D042F60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh 12_2_6D0689B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx 12_2_6D05CAC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov ecx, dword ptr [esp+5Ch] 12_2_6D0AE520
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0C7D30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0D8D70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0BBDAF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0ECDA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0DAC60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0B2F60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0B2F66
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0EDFA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0E5FA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0D2FF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D124E20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D129970
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0BC9C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D11E9C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0DC9D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D10F892
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0DBA10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D11DA50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D127A70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D11E520
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0B3580
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D1275E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D129490
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0DD485
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0DB4A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D128720
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0C5780
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0C0790
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0F6690
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0DA6F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D108110
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0D6100
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D135170
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D11E1F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D11D030
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0D1030
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0DC060
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0DC3C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D0B9240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0C7D30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0D8D70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0BBDAF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0ECDA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0DAC60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0B2F60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0B2F66
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0EDFA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0E5FA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0D2FF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D124E20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D129970
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0BC9C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D11E9C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0DC9D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D10F892
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0DBA10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D11DA50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D127A70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D11E520
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0B3580
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D1275E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D129490
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0DD485
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0DB4A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D128720
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0C5780
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0C0790
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0F6690
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0DA6F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D108110
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0D6100
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D135170
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D11E1F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D11D030
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0D1030
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0DC060
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0DC3C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D0B9240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D057D30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D068D70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D07CDA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D04BDAF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D06AC60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D042F66
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D042F60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D07DFA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D075FA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D062FF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D0B4E20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D0B9970
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D04C9C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D0AE9C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D06C9D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D09F892
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D06BA10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D0ADA50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D0B7A70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D0AE520
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D043580
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D0B75E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D06D485
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D0B9490
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D06B4A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D0B8720
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D055780
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D050790
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D086690
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D06A6F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D066100
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D098110
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D0C5170
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D0AE1F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D061030
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D0AD030
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D06C060
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D06C3C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D049240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D135FB0 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D0E4F30 appears 922 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D0773B0 appears 685 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D0E73B0 appears 1370 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D0BF430 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D0E3580 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D0E5000 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D0B2EF0 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D074F30 appears 461 times
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 824
Source: A5r0ypOR77.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine | Classification label: mal48.mine.winDLL@53/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D135D70 GetLastError, FormatMessageA, LocalFree
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3784:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\99abf9b2-658f-4593-8af8-33293fb3c298
Source: A5r0ypOR77.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,BarCreate
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 824
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 856
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,acidulavamBelchior
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",acidulavamBelchior
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",ziguezagueemosPiaremos
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 832
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",vitalizeiAglomerarmo
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",renuncieDesembocava
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",refreasseisFestejarieis
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",problematizastesForcaram
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",paralisaremoEmborcaveis
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",lastimareisConfiscara
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",imprevisivelRecondicionaveis
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",franzasDoutrinasses
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",entristecendoControlar
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",ensebaveisApaixonaste
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",desconsiderassemBordejam
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",compensacoesRefroes
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",bacanerrimoEsquecido
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",assentidoRefreava
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",aprendizDesmistificarmo
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,BarCreate
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,acidulavamBelchior
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",acidulavamBelchior
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",ziguezagueemosPiaremos
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",vitalizeiAglomerarmo
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",renuncieDesembocava
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",refreasseisFestejarieis
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",problematizastesForcaram
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",paralisaremoEmborcaveis
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",lastimareisConfiscara
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",imprevisivelRecondicionaveis
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",franzasDoutrinasses
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",entristecendoControlar
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",ensebaveisApaixonaste
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",desconsiderassemBordejam
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",compensacoesRefroes
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",bacanerrimoEsquecido
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",assentidoRefreava
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",aprendizDesmistificarmo
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: A5r0ypOR77.dll | Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: A5r0ypOR77.dll | Static file information: File size 1213952 > 1048576
Source: A5r0ypOR77.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: A5r0ypOR77.dll | Static PE information: real checksum: 0x12aadd should be: 0x134c4f
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_014803C7 push ebx; retf 0_2_014803D3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D118096 pushad ; retf 3_2_6D118097
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D11808D pushad ; retf 3_2_6D11808E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D1173E2 pushad ; ret 3_2_6D1173E3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D118096 pushad ; retf 10_2_6D118097
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D11808D pushad ; retf 10_2_6D11808E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_6D1173E2 pushad ; ret 10_2_6D1173E3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0443AEDF push ecx; ret 11_2_0443B428
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D0A808D pushad ; retf 12_2_6D0A808E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D0A8096 pushad ; retf 12_2_6D0A8097
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D0A73E2 pushad ; ret 12_2_6D0A73E3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_6D0A73F1 pushad ; ret 12_2_6D0A73F2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0443B4EC push cs; retf 13_2_0443B985
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0443B4FC push cs; retf 13_2_0443B985
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04480001 push 00000004h; iretd 13_2_04480393
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_0543AEE2 push ebx; retf 16_2_0543AEF6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_0543AF1E push esi; ret 16_2_0543AF27
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_05480001 push es; ret 16_2_054803D7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_04C38F4F push es; ret 18_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_04C38F3B push es; ret 18_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 20_2_0503A3DA push 15CE8943h; iretd 20_2_0503A40F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04C38F4F push es; ret 21_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04C38F3B push es; ret 21_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04C3A9B9 push esi; ret 21_2_04C3A9BB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04C803BE push 00000022h; retf 21_2_04C803D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 24_2_0543A418 push ecx; iretd 24_2_0543A438
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 24_2_0543BAAE push esi; retf 24_2_0543BAAF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 25_2_0543A91A push edi; retf 25_2_0543A942
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 27_2_0503B9CA push esp; retf 27_2_0503B9CB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 27_2_0503AF14 pushfd ; ret 27_2_0503AF13
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 27_2_0503AEDC pushfd ; ret 27_2_0503AF13
Source: C:\Windows\System32\loaddll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1110E0 rdtscp 3_2_6D1110E0
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: rundll32.exe, 0000001F.00000002.2261161419.0000000002D7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: rundll32.exe, 00000016.00000002.2252154580.00000000004AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: loaddll32.exe, 00000000.00000002.2265356262.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: rundll32.exe, 00000004.00000002.2156162399.000000000329A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: rundll32.exe, 00000003.00000002.2156228001.000000000327A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2213462157.000000000086A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2248101246.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.2246865013.000000000067A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2248522596.000000000338A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2249290831.000000000080A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000002.2251125196.00000000030DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2252025975.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2253787761.000000000042A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.2255765049.00000000033CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000002.2258269716.00000000034EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe, 0000000D.00000002.2245871499.00000000007DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: rundll32.exe, 00000012.00000002.2248598007.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001B.00000002.2260515894.000000000314A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D135170 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,memset,IsBadReadPtr,realloc,SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,memcpy,SetLastError,SetLastError,SetLastError,SetLastError, 3_2_6D135170
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1364D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 3_2_6D1364D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D1364CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 3_2_6D1364CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_6D1364D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 10_2_6D1364D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_6D1364CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 10_2_6D1364CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6D0C64CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 12_2_6D0C64CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6D0C64D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 12_2_6D0C64D0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D136420 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_6D136420
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Rundll32 | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Behavior Graph (figure not reproduced): Behavior Graph ID 1544816, Sample: A5r0ypOR77.dll, Start date: 29/10/2024, Architecture: WINDOWS, Score: 48. Process tree: loaddll32.exe started rundll32.exe, cmd.exe, a second rundll32.exe and 21 other processes; cmd.exe started a further rundll32.exe; WerFault.exe was started by three of the rundll32.exe instances. Signatures shown on the graph: "AI detected suspicious sample" (on the sample) and "Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)" (on the first rundll32.exe).
Source | Detection | Scanner | Label | Link
A5r0ypOR77.dll | 11% | ReversingLabs | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1544816
Start date and time:2024-10-29 19:28:38 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 7m 1s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:35
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:A5r0ypOR77.dll
renamed because original name is a hash value
Original Sample Name:d8317f94e3cb97069214163f7d5de3591571e0e607f0629c6c985998f2702422.dll
Detection:MAL
Classification:mal48.mine.winDLL@53/0@0/0
EGA Information:
  • Successful, ratio: 12.5%
HCA Information:
  • Successful, ratio: 55%
  • Number of executed functions: 6
  • Number of non-executed functions: 93
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target loaddll32.exe, PID 3420 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 1672 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 1880 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 1916 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 2012 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 2632 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 4892 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 500 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 5128 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 5192 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 5676 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 5920 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 5956 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 5960 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 6524 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 6976 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 7008 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 7020 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 7100 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 7188 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 7228 because there are no executed function
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • VT rate limit hit for: A5r0ypOR77.dll
Time | Type | Description
14:29:42 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
No context
No created / dropped files found
File type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):6.273040921986917
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:A5r0ypOR77.dll
File size:1'213'952 bytes
MD5:7e3af38131464ec77c3305b057034fc2
SHA1:3bef744c86fe6f93ec7527251e50d83bae11ada7
SHA256:d8317f94e3cb97069214163f7d5de3591571e0e607f0629c6c985998f2702422
SHA512:1fc6acd0e28b9ed7eaae0809941aac40cb4a8d6748fdc2093d0ddc15dfe15cb8ffb1ef9dfc8987255cd57e1e3f6110d5cdd01c16223b046f5f4bbc854ca12b43
SSDEEP:24576:gRocUQfLpxh2OF6yKQR+THKF7O0W3/jZLtQq5C3t1c3w:gDxh5h+bDsvc
TLSH:9E452901FDC758F2E807167258AB62AF27366E064F318BC7FA54B639F6732D51832285
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....f.......F.................m.........................0............@... ......................p.....
Icon Hash:7ae282899bbab082
Entrypoint:0x6d8c1380
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x6d8c0000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:0x6d9465b0, 0x6d946560
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:27fe541d47e56a864bb4b218ed9e7eca
Instruction
sub esp, 1Ch
mov dword ptr [6DA26530h], 00000000h
mov edx, dword ptr [esp+24h]
cmp edx, 01h
je 00007FC698BF17FCh
mov ecx, dword ptr [esp+28h]
mov eax, dword ptr [esp+20h]
call 00007FC698BF1662h
add esp, 1Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
mov dword ptr [esp+0Ch], edx
call 00007FC698C7684Ch
mov edx, dword ptr [esp+0Ch]
jmp 00007FC698BF17B9h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 6D9E2000h
mov dword ptr [esp+04h], eax
call 00007FC698C776AEh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
sub esp, 18h
mov dword ptr [esp], 6D8C1400h
call 00007FC698BF17B3h
leave
ret
lea esi, dword ptr [esi+00000000h]
lea edi, dword ptr [edi+00000000h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
mov eax, dword ptr [esp]
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp]
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edx, dword ptr [esp]
ret
int3
int3
int3
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x167000 | 0x289 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x168000 | 0xb74 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x16b000 | 0x7428 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x121b2c | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1681cc | 0x190 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x86488 | 0x86600 | bee08326158f9de1d487cea4fd492f99 | False | 0.47328488372093025 | data | 6.2739440197752625 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x88000 | 0x70c8 | 0x7200 | 7097cc42200438a07f06b9aafc2a80d7 | False | 0.43520422149122806 | data | 5.138188864674546 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x90000 | 0x91efc | 0x92000 | b6d7de77a88906393d62f127325fb0c8 | False | 0.4363595622859589 | data | 5.580083456424622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x122000 | 0x44578 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x167000 | 0x289 | 0x400 | 3acd9af8922fdc9deff7ef3490d4fb01 | False | 0.4404296875 | data | 3.724243344760155 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata | 0x168000 | 0xb74 | 0xc00 | 24136e10238d3a4bfab197131d273104 | False | 0.3948567708333333 | data | 5.095302825790896 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x169000 | 0x2c | 0x200 | 16944f3124a56554d6f3672b4dbacb12 | False | 0.0546875 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x16a000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x16b000 | 0x7428 | 0x7600 | 06ced1b3543688bf755fd52063385fa9 | False | 0.6875 | data | 6.617903156369671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadLocale, GetTickCount, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, PostQueuedCompletionStatus, QueryPerformanceCounter, RaiseFailFastException, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TerminateProcess, TlsAlloc, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WriteConsoleW, WriteFile, lstrlenA
msvcrt.dll | _amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, _wcsnicmp, abort, bsearch, calloc, fprintf, free, fwrite, malloc, mbstowcs, memcpy, memset, qsort, realloc, strcmp, strlen, strncmp, strtol, vfprintf, wcstombs
Name | Ordinal | Address
BarCreate | 1 | 0x6d944a90
_cgo_dummy_export | 2 | 0x6da26564
acidulavamBelchior | 3 | 0x6d944860
aprendizDesmistificarmo | 4 | 0x6d944a40
assentidoRefreava | 5 | 0x6d9446d0
bacanerrimoEsquecido | 6 | 0x6d944900
compensacoesRefroes | 7 | 0x6d944950
desconsiderassemBordejam | 8 | 0x6d9449f0
ensebaveisApaixonaste | 9 | 0x6d944540
entristecendoControlar | 10 | 0x6d944810
franzasDoutrinasses | 11 | 0x6d9448b0
imprevisivelRecondicionaveis | 12 | 0x6d9445e0
lastimareisConfiscara | 13 | 0x6d9449a0
paralisaremoEmborcaveis | 14 | 0x6d944590
problematizastesForcaram | 15 | 0x6d944720
refreasseisFestejarieis | 16 | 0x6d944680
renuncieDesembocava | 17 | 0x6d944770
vitalizeiAglomerarmo | 18 | 0x6d9447c0
ziguezagueemosPiaremos | 19 | 0x6d944630
No network behavior found
Target ID:0
Start time:14:29:31
Start date:29/10/2024
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll"
Imagebase:0x410000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:14:29:31
Start date:29/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:14:29:31
Start date:29/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",#1
Imagebase:0x1c0000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:14:29:31
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,BarCreate
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:14:29:31
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",#1
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:14:29:32
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 824
Imagebase:0x7f0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:14:29:32
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 856
Imagebase:0x7f0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:14:29:34
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,_cgo_dummy_export
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:14:29:37
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\A5r0ypOR77.dll,acidulavamBelchior
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:14:29:40
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",BarCreate
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:14:29:40
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",_cgo_dummy_export
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:14:29:40
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",acidulavamBelchior
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:16
Start time:14:29:40
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",ziguezagueemosPiaremos
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:14:29:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 832
Imagebase:0x7f0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:14:29:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",vitalizeiAglomerarmo
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:14:29:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",renuncieDesembocava
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:14:29:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",refreasseisFestejarieis
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:14:29:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",problematizastesForcaram
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:14:29:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",paralisaremoEmborcaveis
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:14:29:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",lastimareisConfiscara
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:14:29:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",imprevisivelRecondicionaveis
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:14:29:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",franzasDoutrinasses
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:14:29:41
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",entristecendoControlar
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:14:29:42
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",ensebaveisApaixonaste
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:14:29:42
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",desconsiderassemBordejam
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:14:29:42
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",compensacoesRefroes
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:14:29:42
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",bacanerrimoEsquecido
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:14:29:42
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",assentidoRefreava
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:14:29:42
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\A5r0ypOR77.dll",aprendizDesmistificarmo
Imagebase:0xd50000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true


    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:11
    Total number of Limit Nodes:1
    [Execution graph: node 6d111ea0 calls WriteFile; node 6d136180 calls _beginthread, _errno, Sleep, fprintf and abort]

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    • Associated: 00000003.00000002.2157067782.000000006D0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157169303.000000006D138000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157421538.000000006D139000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157437915.000000006D13C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157452631.000000006D140000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157513295.000000006D1D2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1DC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157559975.000000006D210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157577011.000000006D217000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157598665.000000006D218000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157637638.000000006D21B000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID:
    • API String ID: 1261927973-0
    • Opcode ID: cbc0e8097d1684d5fb3086414daff78151b2d4febf17fb925d5ed409ac5702bf
    • Instruction ID: a4741ff360a694e3f56998614ae3a14eeaafc55dddc5e0b99c289787aa33bc4c
    • Opcode Fuzzy Hash: cbc0e8097d1684d5fb3086414daff78151b2d4febf17fb925d5ed409ac5702bf
    • Instruction Fuzzy Hash: D2016DB5408325DFC7006F68D8C822EFBF4EF86324F42895DE59943215C7B09484DAA3

    Control-flow Graph

    [Control-flow graph for function 6d111ea0-6d111ee0: three basic blocks, calls WriteFile]
    APIs
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: 14c74c889be09ffabe4db2dee0c4235c6b533b8cbac67c43d789b71dbad2fea1
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: B2E0E571505600CFCB15DF18C2C1716BBE1EB48A00F0485A8DE098F74AD774ED10CB92

    Control-flow Graph

    [Control-flow graph for function 6d135170: calls SetLastError, GetNativeSystemInfo, GetProcessHeap, HeapAlloc, IsBadReadPtr, memcpy, memset, realloc and the internal subroutines 6d135090 and 6d134c20]
    APIs
    Strings
    Similarity
    • API ID: ErrorHeapLast$AllocInfoNativeProcessReadSystemmemcpymemsetrealloc
    • String ID: ?$@
    • API String ID: 2257136212-1463999369
    • Opcode ID: ac58bd44efe2009e455d0713837dae55bf134b5c0185b1b6cc27222fc727d119
    • Instruction ID: 660f3aa89e417ee56b3eb35c9d424be44dd1608ebbcb60acb3ef82a1ff460869
    • Opcode Fuzzy Hash: ac58bd44efe2009e455d0713837dae55bf134b5c0185b1b6cc27222fc727d119
    • Instruction Fuzzy Hash: AA4216B4608712DFE710DF29C58462AFBF1BF88714F42892DE99987304E7B4E954CB82

    Control-flow Graph

    [Control-flow graph for function 6d0c5780: internal subroutine calls only, no imported API calls]
    Strings
    Similarity
    • API ID:
    • String ID: (Go runtime strings)
    • API String ID: 0-4142148823
    • Opcode ID: a92c6c0cc861d5cadd9b798996f9b4c9c1cbc6d975ce8565ce0984b451bbb062
    • Instruction ID: 5f1527934284486d5a3a445809f75f16c03f363676b4cf17afc6c609f97d4919
    • Opcode Fuzzy Hash: a92c6c0cc861d5cadd9b798996f9b4c9c1cbc6d975ce8565ce0984b451bbb062
    • Instruction Fuzzy Hash: D8B203B460D3418FD724DF28D594BAEBBF0FB89308F41892ED99987351EB749844CB92

    Control-flow Graph

    Strings
    • ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc, xrefs: 6D0D9063
    • , npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by ProcessPrngMoveFileExWNetShar, xrefs: 6D0D956D
    • runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D0D9010, 6D0D9449
    • , j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type TuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptrfloat32float64no anodeCancelIoReadFileAcceptExWSAIoctlshutdownnil PoolscavengepollDes, xrefs: 6D0D959A
    • , i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base GetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64stringstructCommonCopySidWSARecvWSASendconnectconsole\\.\UNCforcegcallocmWcpuprofalloc, xrefs: 6D0D961E
    • runtime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQueryServiceStatusGetCompu, xrefs: 6D0D9101
    • ] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep, xrefs: 6D0D94B0
    • , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+1, xrefs: 6D0D908D, 6D0D90B7, 6D0D94DA, 6D0D9504
    • , levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:, xrefs: 6D0D96AB
    • runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard TimeSA Western Standard , xrefs: 6D0D95F1
    • ][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CET, xrefs: 6D0D903A, 6D0D9483
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D0D9138, 6D0D98FE
    • runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 6D0D967E
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID: 0-646748546
    • Opcode ID: ab39a9f9b7fac51d387802ccc67f41d29b175eb4726b64db42343675a947bc8e
    • Instruction ID: 2160c1d8c5e6ccb82008c22abd6ccac90f72e32245dd0b008eb25a7526634a63
    • Opcode Fuzzy Hash: ab39a9f9b7fac51d387802ccc67f41d29b175eb4726b64db42343675a947bc8e
    • Instruction Fuzzy Hash: E25257B5A0C7448FE360DF68D48075EB7F1BF89344F52892DEA9887341EB74A944CB92
    Strings
    • sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileEx, xrefs: 6D0D38D5, 6D0D3C7F
    • sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executionattempte, xrefs: 6D0D386C
    • swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D0D3882
    • mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D0D38FF, 6D0D3CA9
    • mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 6D0D3CFC
    • sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevrunt, xrefs: 6D0D3A26
    • mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 6D0D3933
    • previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 6D0D39C8
    • , xrefs: 6D0D3A2F
    • nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlencasulesFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dlld.nx != 0prof, xrefs: 6D0D399E
    • mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdea, xrefs: 6D0D3CDD
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID: 0-588878711
    • Opcode ID: 8628db92e8b906d70b53a4acf07fe830c6db954fe3cb34029796ef77de2db1f3
    • Instruction ID: e12db96c725f3b62f606dbc2b363d3f40e87b0658ad8275b2357a529b8dc7a9b
    • Opcode Fuzzy Hash: 8628db92e8b906d70b53a4acf07fe830c6db954fe3cb34029796ef77de2db1f3
    • Instruction Fuzzy Hash: 638226B450C3958FD394DF24C09076EBBE1BF89708F41896EE9D88B342DB749945CB92
    Strings
    • mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential, xrefs: 6D0BC710
    • mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 6D0BC6CE
    • unexpected malloc header in delayed zeroing of large objectmanual span allocation called with non-manually-managed typeaddr range base and limit are not in the same memory segmentruntime: netpoll: PostQueuedCompletionStatus failed (errno= runtime: GetQueuedCom, xrefs: 6D0BC674
    • 2, xrefs: 6D0BC719
    • malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no , xrefs: 6D0BC6FA
    • malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated spanp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not found, xrefs: 6D0BC6E4
    • 4, xrefs: 6D0BC6D7
    • !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 6D0BC179
    • delayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablecrypto/cipher: incorrect nonce length given to GCMcgo argument h, xrefs: 6D0BC68A
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID: 0-2728388793
    • Opcode ID: 9faf7612defdcf82675057a91551b4a8ebc2b39ed7142e1a0e8a02d5bfec4bd5
    • Instruction ID: 913d25361d642e19553db460430d9761506d353317ac044203e2341296f59383
    • Opcode Fuzzy Hash: 9faf7612defdcf82675057a91551b4a8ebc2b39ed7142e1a0e8a02d5bfec4bd5
    • Instruction Fuzzy Hash: BB529B7060C3458FE314CF2AC09072ABBF1BF89708F45896DE9A98B391D776D949CB46
    Strings
    • %!Weekday(complex128broken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamecrypt32.dllmswsock.dllsecur32.dllshell32.d, xrefs: 6D12648A, 6D126755
    • 0, xrefs: 6D125B27
    • %!Month(avx512bwavx512vlencasulesFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dlld.nx != 0profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedcoroutinecopystackinterface ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s, xrefs: 6D126899, 6D126B7B
    • 0, xrefs: 6D125C04
    • )./]+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I, xrefs: 6D1264A4, 6D12676F, 6D1268B3, 6D126B95
    • 0, xrefs: 6D125A10
    • 0, xrefs: 6D125971
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID: 0-3113762378
    • Opcode ID: f255903ebfd5c0eb6991c263f2e90a78e5f3e9b1426c6a7005cc83b2e8b1b65a
    • Instruction ID: 9229b1caacb6c1c91060422021716e55a9323624110fbc0a86e8b94047c667b3
    • Opcode Fuzzy Hash: f255903ebfd5c0eb6991c263f2e90a78e5f3e9b1426c6a7005cc83b2e8b1b65a
    • Instruction Fuzzy Hash: 60030374A0C3868FD329CF18D09069EF7E1BFC8310F11892EE99997355D7B1A985CB92
    Strings
    • non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard TimeCaucasus Standard , xrefs: 6D108913
    • , xrefs: 6D10827F
    • sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit , xrefs: 6D1087B4
    • :(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12, xrefs: 6D10864B
    • fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault an, xrefs: 6D108787
    • pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcin, xrefs: 6D1087E1
    • , xrefs: 6D108287
    • (=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12P, xrefs: 6D10856E
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    • Associated: 00000003.00000002.2157067782.000000006D0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157169303.000000006D138000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157421538.000000006D139000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157437915.000000006D13C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157452631.000000006D140000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157513295.000000006D1D2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1DC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157559975.000000006D210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157577011.000000006D217000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157598665.000000006D218000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157637638.000000006D21B000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $ $ fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault an$ pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcin$ sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit $(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12P$:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12$non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard TimeCaucasus Standard
    • API String ID: 0-1565611637
    • Opcode ID: 9b3e4d739d44743e459ddc69e0fab9e1c6e5754dca90262993b1ffb91e4610a3
    • Instruction ID: 7b83c379efff385d827b5617a8ef42ec1c0624e88dfb82f9f8df4584abab4fe1
    • Opcode Fuzzy Hash: 9b3e4d739d44743e459ddc69e0fab9e1c6e5754dca90262993b1ffb91e4610a3
    • Instruction Fuzzy Hash: E132D174A0C3818FD365EF65C190B9EBBE1AFC9304F41882EEAC997345DB749845CB92
    Strings
    • findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a, xrefs: 6D0EDE0C
    • global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsruntime: typeBitsBulkBarrier without typeruntime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out, xrefs: 6D0EDDF6
    • findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionunsupported operationAdjustTokenPrivilegesLookupPrivilegeValueWNetUserG, xrefs: 6D0EDE4E
    • !, xrefs: 6D0EDE41
    • findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceReg, xrefs: 6D0EDE22
    • findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r, xrefs: 6D0EDE38
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceReg$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionunsupported operationAdjustTokenPrivilegesLookupPrivilegeValueWNetUserG$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsruntime: typeBitsBulkBarrier without typeruntime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out
    • API String ID: 0-2870099503
    • Opcode ID: 5e405c24b39e6a3bc7952d84e18ea01b00a0b0f4be660b68a9211d99f83b03de
    • Instruction ID: a1b836a57181848074349ec9714f00452f5e856dd99cb6fcddd6c4a1054daff8
    • Opcode Fuzzy Hash: 5e405c24b39e6a3bc7952d84e18ea01b00a0b0f4be660b68a9211d99f83b03de
    • Instruction Fuzzy Hash: 3DA2DC7460D7819FE724DF29C190B6ABBE0AFCA784F41882DE9D887350EB75D844CB52
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6D136459
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D0B13B9), ref: 6D13646A
    • GetCurrentThreadId.KERNEL32 ref: 6D136472
    • GetTickCount.KERNEL32 ref: 6D13647A
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D0B13B9), ref: 6D136489
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: f87fe4a6b80a12ac53b3005fb0e0e6db3cfc277c2a84144a80a238458c21beed
    • Instruction ID: 576720da7317a4ef2c7eac6241b0b89bda2644c251e95bf4bc9f2369febccaa6
    • Opcode Fuzzy Hash: f87fe4a6b80a12ac53b3005fb0e0e6db3cfc277c2a84144a80a238458c21beed
    • Instruction Fuzzy Hash: 8D1188B9A043008BCB10DF79E88874BBBF1FB89268F02483AE554C7200EB75D448CB92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D13651F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D13652F
    • GetCurrentProcess.KERNEL32 ref: 6D136538
    • TerminateProcess.KERNEL32 ref: 6D136549
    • abort.MSVCRT ref: 6D136552
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 07f1f2b312b20a9a3997e5da1fb01066cc850e5789f2bf199413eb7383587379
    • Instruction ID: 7815274e10f22bd5a1ea7b1200c475780953d0498259abe3a6a51ec972e20764
    • Opcode Fuzzy Hash: 07f1f2b312b20a9a3997e5da1fb01066cc850e5789f2bf199413eb7383587379
    • Instruction Fuzzy Hash: 19112BB5905304DFCB00EF68C98A71EBBF0BB55309F018529EA9887304EBB5D544CF92
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D13651F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D13652F
    • GetCurrentProcess.KERNEL32 ref: 6D136538
    • TerminateProcess.KERNEL32 ref: 6D136549
    • abort.MSVCRT ref: 6D136552
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 4255b67cdf89ee2ad5c7c9ddda5869fcc46bc2e0dabb3c5f7e484b2685d06a71
    • Instruction ID: 0f48aede050555a9a6a7ffc5fcb89d60d46ba2765efa6f0a3c16f8227450d8d5
    • Opcode Fuzzy Hash: 4255b67cdf89ee2ad5c7c9ddda5869fcc46bc2e0dabb3c5f7e484b2685d06a71
    • Instruction Fuzzy Hash: 48111BB5905315DFDB00EFB9C98A71E7BF0BB06309F018529EA6897304EBB49444CF92
    Strings
    • min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 6D0D15FF
    • runtime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckruntime.gopanicImper, xrefs: 6D0D157C, 6D0D15CB
    • !, xrefs: 6D0D1608
    • min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from dalTLDpSugct?GetTempPath2WModule32NextW, xrefs: 6D0D15B0
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from dalTLDpSugct?GetTempPath2WModule32NextW$runtime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckruntime.gopanicImper
    • API String ID: 0-1474820873
    • Opcode ID: aca69eb7c7545936de546c98c4694de47660b518f60946dc73f979a700356071
    • Instruction ID: 48aa5f78d19eb4ddc9c2c2d4dc93a9b8b45d2a322cf5028b8809b22e4296f8dc
    • Opcode Fuzzy Hash: aca69eb7c7545936de546c98c4694de47660b518f60946dc73f979a700356071
    • Instruction Fuzzy Hash: F8F1FF3260D7268FE741CE58C4C071EB7E2ABC8344F558A3DD9958B385EBB5E845C682
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$'$PowerRegisterSuspendResumeNotification$powrprof.dll
    • API String ID: 0-4026319467
    • Opcode ID: 66a7fe8481caebca94ba7b5d21919121ffa85a6eb235363480367f7c4a56d6ef
    • Instruction ID: 1ee5b0da168ef9401c0e2de3a4ad0fb2fca9f99f1fa4bc3fd554c74660a9da11
    • Opcode Fuzzy Hash: 66a7fe8481caebca94ba7b5d21919121ffa85a6eb235363480367f7c4a56d6ef
    • Instruction Fuzzy Hash: E4219CB4908306DFE704DF25D19476ABBE0BB89748F41891EE49987350EBB9D648CF83
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessage
    • String ID:
    • API String ID: 1365068426-0
    • Opcode ID: 6ba9f6e83d2523cf507b5da7b274150f10a9c1685e5552891900db94246b960a
    • Instruction ID: cb09cdad1043a715e521dbe3f5186c5670831a15691275382f7a7da9f8906079
    • Opcode Fuzzy Hash: 6ba9f6e83d2523cf507b5da7b274150f10a9c1685e5552891900db94246b960a
    • Instruction Fuzzy Hash: 37F06CB44083419FE700EF69C55931BBBF0BB84749F41891DE9A896254EBB982498F93
    Strings
    • cipher: the nonce can't have zero length, or the security of the key will be immediately compromisedcgocheck > 1 mode is no longer supported at runtime. Use GOEXPERIMENT=cgocheck2 at build time instead.0001020304050607080910111213141516171819202122232425262728, xrefs: 6D11D2C6
    • cipher: NewGCM requires 128-bit block cipherspan on userArena.faultList has invalid sizeout of memory allocating heap arena metadatagcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbi, xrefs: 6D11D24B
    • cipher: incorrect tag size given to GCMinternal error: exit hook invoked panicmismatched count during itab table copyout of memory allocating heap arena mapmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResume, xrefs: 6D11D309
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: cipher: NewGCM requires 128-bit block cipherspan on userArena.faultList has invalid sizeout of memory allocating heap arena metadatagcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbi$cipher: incorrect tag size given to GCMinternal error: exit hook invoked panicmismatched count during itab table copyout of memory allocating heap arena mapmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResume$cipher: the nonce can't have zero length, or the security of the key will be immediately compromisedcgocheck > 1 mode is no longer supported at runtime. Use GOEXPERIMENT=cgocheck2 at build time instead.0001020304050607080910111213141516171819202122232425262728
    • API String ID: 0-979699402
    • Opcode ID: 2b1ce54757b7af863a6be0f2fa1513d4f42ef3500e75bd402f5d249c65de6ce8
    • Instruction ID: 2d70de74813218c8f55801fcb0f5ffbfeae1ec2a4c258c851763977eee9dce15
    • Opcode Fuzzy Hash: 2b1ce54757b7af863a6be0f2fa1513d4f42ef3500e75bd402f5d249c65de6ce8
    • Instruction Fuzzy Hash: 16D168B59087158FD304DF59C88461AFBF1BFC8300F468A6DE9984B392DBB4E845CB96
    Strings
    • invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "permission deniedwrong medium typeno, xrefs: 6D0E6424
    • ', xrefs: 6D0E6443
    • suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function 2006-01-02 15:04:05.999999999 -0700 MSTaddress family not supported by protocolinvalid span in heapArena, xrefs: 6D0E643A
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "permission deniedwrong medium typeno$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function 2006-01-02 15:04:05.999999999 -0700 MSTaddress family not supported by protocolinvalid span in heapArena
    • API String ID: 0-536681504
    • Opcode ID: 64fb12b0591d0476c6fe06db5164c316f3253b398addf3fc668f2f3db52851b2
    • Instruction ID: cdb46c6a075b619bcc64f382bf45e529d61a9916a41d1b6783eff20db8a7f480
    • Opcode Fuzzy Hash: 64fb12b0591d0476c6fe06db5164c316f3253b398addf3fc668f2f3db52851b2
    • Instruction Fuzzy Hash: CCD1207420D3518FD705CF29D090A2EBBF1AF8A788F85886DEAD487352D735E944CB92
    Strings
    • grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 6D0D67A0
    • +, xrefs: 6D0D67A9
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    • Associated: 00000003.00000002.2157067782.000000006D0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157169303.000000006D138000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157421538.000000006D139000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157437915.000000006D13C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157452631.000000006D140000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157513295.000000006D1D2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1DC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157559975.000000006D210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157577011.000000006D217000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157598665.000000006D218000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157637638.000000006D21B000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: +$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
    • API String ID: 0-3347251187
    • Opcode ID: 0b34a45ca9d00ca5b796afc9f78c5c39a35d369c8c10bec2821ade83b22b9a81
    • Instruction ID: f2a95619975ebfff3d7d46436ffa80d6d3815ac8d50c08a0d78b04010a347bc8
    • Opcode Fuzzy Hash: 0b34a45ca9d00ca5b796afc9f78c5c39a35d369c8c10bec2821ade83b22b9a81
    • Instruction Fuzzy Hash: FA22EE7460C7468FE394DF68C190B2ABBE1BF89744F55882EE6D887350DB35E844CB82
    Strings
    • @, xrefs: 6D0DAECE
    • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D0DAFE5
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    • Associated: 00000003.00000002.2157067782.000000006D0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157169303.000000006D138000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157421538.000000006D139000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157437915.000000006D13C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157452631.000000006D140000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157513295.000000006D1D2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1DC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157559975.000000006D210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157577011.000000006D217000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157598665.000000006D218000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157637638.000000006D21B000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
    • API String ID: 0-1191861649
    • Opcode ID: f143406db5fc93f83b05e8a215b26a490033693a9fd7a5af49e3581cdc1d9632
    • Instruction ID: 9aa68b2f20dfa0610d0130b26004a5666c998caa0b4e4455729a078fd81f6157
    • Opcode Fuzzy Hash: f143406db5fc93f83b05e8a215b26a490033693a9fd7a5af49e3581cdc1d9632
    • Instruction Fuzzy Hash: 93B19E756087058FD308CF64C88061AB7F1FFC8318F548A2DE9999B391DB74E94ACB82
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    • Associated: 00000003.00000002.2157067782.000000006D0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157169303.000000006D138000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157421538.000000006D139000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157437915.000000006D13C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157452631.000000006D140000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157513295.000000006D1D2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1DC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157559975.000000006D210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157577011.000000006D217000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157598665.000000006D218000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157637638.000000006D21B000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: $@
    • API String ID: 0-1077428164
    • Opcode ID: b0a16501f107e8d955a70e8bfbbe9d4dd2e60af5d3d5c748448fb249634602e4
    • Instruction ID: decff390dab60889fe5cf247875683311ec0d49115384ee6d92f57cc730f4884
    • Opcode Fuzzy Hash: b0a16501f107e8d955a70e8bfbbe9d4dd2e60af5d3d5c748448fb249634602e4
    • Instruction Fuzzy Hash: 90517324C1CF5B65E6331ABEC4036623B206EB7144B01D76FFDD6B54B2EB536940BA22
    Strings
    • ,, xrefs: 6D0CCBAA
    • gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not , xrefs: 6D0CCBA1
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    • Associated: 00000003.00000002.2157067782.000000006D0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157169303.000000006D138000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157421538.000000006D139000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157437915.000000006D13C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157452631.000000006D140000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157513295.000000006D1D2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1DC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157559975.000000006D210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157577011.000000006D217000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157598665.000000006D218000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157637638.000000006D21B000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not
    • API String ID: 0-2682900153
    • Opcode ID: 32b079295f7d0c5346f0719fb639ce6946412bc56f3718dbe1ed3c8c3e3f5ce9
    • Instruction ID: 42a9ac89e20afa4c9f062c14a68477264e4c608f980a8a8e357637fb9f4d9c87
    • Opcode Fuzzy Hash: 32b079295f7d0c5346f0719fb639ce6946412bc56f3718dbe1ed3c8c3e3f5ce9
    • Instruction Fuzzy Hash: 39318C75A093568FD305DF14C490B6ABBF1AB86608F4985BDCD884F383CB31A84ACB85
    Strings
    • ,M3.2.0,M11.1.0RegCreateKeyExWRegDeleteValueWstring too largeinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateDirectoryWFlushFi, xrefs: 6D1288BE
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    • Associated: 00000003.00000002.2157067782.000000006D0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157169303.000000006D138000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157421538.000000006D139000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157437915.000000006D13C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157452631.000000006D140000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157513295.000000006D1D2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1DC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157559975.000000006D210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157577011.000000006D217000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157598665.000000006D218000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157637638.000000006D21B000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ,M3.2.0,M11.1.0RegCreateKeyExWRegDeleteValueWstring too largeinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateDirectoryWFlushFi
    • API String ID: 0-1914418853
    • Opcode ID: e7c72c757ed69705f51ab77809146921792344330c7bc751f5116eafc8cb5069
    • Instruction ID: de65dc9001ffd46474d8963407f91c7d357a479d82889fd0bd2e67eb2a222130
    • Opcode Fuzzy Hash: e7c72c757ed69705f51ab77809146921792344330c7bc751f5116eafc8cb5069
    • Instruction Fuzzy Hash: B95216B5A083858FD338CF19C55039FFBE1ABD8304F45892DDAD897385EBB599448B82
    Strings
    • runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pagespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: spl, xrefs: 6D0DCD5B
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    • Associated: 00000003.00000002.2157067782.000000006D0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157169303.000000006D138000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157421538.000000006D139000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157437915.000000006D13C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157452631.000000006D140000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157513295.000000006D1D2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1DC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157559975.000000006D210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157577011.000000006D217000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157598665.000000006D218000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157637638.000000006D21B000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pagespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: spl
    • API String ID: 0-3032229779
    • Opcode ID: 8e3d1b891fbfe3ce3fc2ca48fae8cd4bc351061b5b41f5ea66d6d1cc3ce055cd
    • Instruction ID: 3f1e589d0bc9419140b525a29b9fae555da5635630bb1e93a225b71391468b04
    • Opcode Fuzzy Hash: 8e3d1b891fbfe3ce3fc2ca48fae8cd4bc351061b5b41f5ea66d6d1cc3ce055cd
    • Instruction Fuzzy Hash: C6B1247460C306DFD794DF68C080A2ABBF1BB89754F42882EEA9587350E735E845CF96
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    • Associated: 00000003.00000002.2157067782.000000006D0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157169303.000000006D138000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157421538.000000006D139000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157437915.000000006D13C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157452631.000000006D140000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157513295.000000006D1D2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1DC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157559975.000000006D210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157577011.000000006D217000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157598665.000000006D218000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157637638.000000006D21B000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: ;
    • API String ID: 0-1661535913
    • Opcode ID: c8485024732732b03ab50a38c6928af3891e7ea6ce162d685b3d78dde67d44ba
    • Instruction ID: 526e3f8f4f21ddf76ea45b9f62bc32e88b5f82879e7bfc3ff2d595bf6ecdcab7
    • Opcode Fuzzy Hash: c8485024732732b03ab50a38c6928af3891e7ea6ce162d685b3d78dde67d44ba
    • Instruction Fuzzy Hash: 1FA18271B083054FD70CDE6DD99131AFAE2ABC8304F05CA3DE588DB7A8E675D9058B86
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    • Associated: 00000003.00000002.2157067782.000000006D0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157169303.000000006D138000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157421538.000000006D139000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157437915.000000006D13C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157452631.000000006D140000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157513295.000000006D1D2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1DC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157559975.000000006D210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157577011.000000006D217000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157598665.000000006D218000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157637638.000000006D21B000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID: @
    • API String ID: 0-2766056989
    • Opcode ID: e7216c9c4b6d076ed144586adcd5a5eead34ee1e11d4d401ccdff144cb60ec82
    • Instruction ID: 02ab6318cd0f8f9e8b5869379b1486cf918d8115d9c853238c43f79a5e419365
    • Opcode Fuzzy Hash: e7216c9c4b6d076ed144586adcd5a5eead34ee1e11d4d401ccdff144cb60ec82
    • Instruction Fuzzy Hash: EA910EB5A093059FD384CF28C09065EFBF1FB88744F459A2EE99897341E774E985CB82
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    • Associated: 00000003.00000002.2157067782.000000006D0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157169303.000000006D138000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157421538.000000006D139000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157437915.000000006D13C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157452631.000000006D140000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157513295.000000006D1D2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1DC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157559975.000000006D210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157577011.000000006D217000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157598665.000000006D218000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157637638.000000006D21B000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7f78cc8868eae3f69b5f924a655880a577b3300954af1d0ddc4799e3bb8a53bd
    • Instruction ID: 2a2743f2d896057c62784167333c8c50fc426c77dc1fc2240e4f9e18d15d2ee2
    • Opcode Fuzzy Hash: 7f78cc8868eae3f69b5f924a655880a577b3300954af1d0ddc4799e3bb8a53bd
    • Instruction Fuzzy Hash: 2322B371A5C7458FD714CF69C4A035BF7E2BBD5304F45C82CD98987248EBF2A9898B82
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    • Associated: 00000003.00000002.2157067782.000000006D0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157169303.000000006D138000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157421538.000000006D139000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157437915.000000006D13C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157452631.000000006D140000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157513295.000000006D1D2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1DC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157559975.000000006D210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157577011.000000006D217000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157598665.000000006D218000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157637638.000000006D21B000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7dee039fa31bfeca6fcef5ddb8341a3df86bc53424f23fb6152ff2050dac176f
    • Instruction ID: 9895f4269881c314f3e514773864a1a611da6f20dde646ea7bbdca8c782c0b5d
    • Opcode Fuzzy Hash: 7dee039fa31bfeca6fcef5ddb8341a3df86bc53424f23fb6152ff2050dac176f
    • Instruction Fuzzy Hash: CC129A72A087498FC314DE6DC98124AF7E6BBC4300F55CA3ED9548B359EBB1E945CB82
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    • Associated: 00000003.00000002.2157067782.000000006D0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157169303.000000006D138000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157421538.000000006D139000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157437915.000000006D13C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157452631.000000006D140000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157513295.000000006D1D2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1DC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157559975.000000006D210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157577011.000000006D217000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157598665.000000006D218000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157637638.000000006D21B000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c16a7b00864c57c6de468724f63f6aac5d7f6e498a17e2434894574509e2319a
    • Instruction ID: f124e0ea90ceeb4771a2a90102a0317209ba5a1606ea6c8dc0b06266b804c390
    • Opcode Fuzzy Hash: c16a7b00864c57c6de468724f63f6aac5d7f6e498a17e2434894574509e2319a
    • Instruction Fuzzy Hash: 73E13733B5971A4BE355DDAD88C035EB2E2ABC8354F09863DDD649B380FA75DC0986C1
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    • Associated: 00000003.00000002.2157067782.000000006D0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157169303.000000006D138000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157421538.000000006D139000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157437915.000000006D13C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157452631.000000006D140000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157513295.000000006D1D2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1DC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157559975.000000006D210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157577011.000000006D217000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157598665.000000006D218000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157637638.000000006D21B000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bf6157440063b2357561b96703af7082fa8aff77cd404679ad77a86a9a9ae077
    • Instruction ID: 087a32829c496931099db15da79255de8a22d3a92a897df1a9d84d65d0e92324
    • Opcode Fuzzy Hash: bf6157440063b2357561b96703af7082fa8aff77cd404679ad77a86a9a9ae077
    • Instruction Fuzzy Hash: C0E1C533E2472507D3149E58CC80249B2D3ABC8670F4EC72EDD959B781E9B4ED5987C2
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    • Associated: 00000003.00000002.2157067782.000000006D0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157169303.000000006D138000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157421538.000000006D139000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157437915.000000006D13C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157452631.000000006D140000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157513295.000000006D1D2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1DC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157559975.000000006D210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157577011.000000006D217000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157598665.000000006D218000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157637638.000000006D21B000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 76da25073532f62d1107db845264d2aa8f012aa2cdee20cff417c99dde1572a3
    • Instruction ID: 12a4f9926aab2306cc2a4abed7f9db1b2c91c72054e2a5c9f98eafa71922ba08
    • Opcode Fuzzy Hash: 76da25073532f62d1107db845264d2aa8f012aa2cdee20cff417c99dde1572a3
    • Instruction Fuzzy Hash: 23E1C372A8C3568BC705CF2984A031FF7E2BBC5700F45892DE9958B349E7B6D945CB82
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    • Associated: 00000003.00000002.2157067782.000000006D0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157169303.000000006D138000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157421538.000000006D139000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157437915.000000006D13C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157452631.000000006D140000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157513295.000000006D1D2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1DC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157559975.000000006D210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157577011.000000006D217000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157598665.000000006D218000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157637638.000000006D21B000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8f001f049c3f6b8bab7f0cf30ef5aaae40aa68bf8749d07612fae9d428972754
    • Instruction ID: 8496ca54285575f0b1dc71275d7ea6eef510b717c230c1479ddb96076cb7402b
    • Opcode Fuzzy Hash: 8f001f049c3f6b8bab7f0cf30ef5aaae40aa68bf8749d07612fae9d428972754
    • Instruction Fuzzy Hash: E4C1B132B083164BD709DE6DC89071EF7E2ABC8344F49863CE9559B3A5E7B4DD058782
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    • Associated: 00000003.00000002.2157067782.000000006D0B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157169303.000000006D138000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157421538.000000006D139000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157437915.000000006D13C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157452631.000000006D140000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157513295.000000006D1D2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1D8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157529281.000000006D1DC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157559975.000000006D210000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157577011.000000006D217000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157598665.000000006D218000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000003.00000002.2157637638.000000006D21B000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a736642d207111b90fb2bf8a5a00d5040c2a3cdfe13d42b6487511b966e04b34
    • Instruction ID: 7551ce37874dcbc0eba00df7966ca85af702ce2656f9815c956133dc48a02ea2
    • Opcode Fuzzy Hash: a736642d207111b90fb2bf8a5a00d5040c2a3cdfe13d42b6487511b966e04b34
    • Instruction Fuzzy Hash: 68D1C030A0875A8FC710DF6DC89012AF7E2FFC9340F95892DE6949B64AC774E945CB91
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    • Associated: 00000003.00000002.2157067782.000000006D0B0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157169303.000000006D138000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157421538.000000006D139000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157437915.000000006D13C000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157452631.000000006D140000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157513295.000000006D1D2000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157529281.000000006D1D8000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157529281.000000006D1DC000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157559975.000000006D210000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157577011.000000006D217000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157598665.000000006D218000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157637638.000000006D21B000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a6adefb52b1bd974241cff84bfea5f9981345dde7ec73f4eba20e64bcd4550b4
    • Instruction ID: 6c8e8e7bc6c136dd082791fc7fd1d6b2c31488cccaad793e5d1d07408a17b62f
    • Opcode Fuzzy Hash: a6adefb52b1bd974241cff84bfea5f9981345dde7ec73f4eba20e64bcd4550b4
    • Instruction Fuzzy Hash: ECF1CF7460D3858FD364CF29C090B5FBBE2BBC9244F54892EE9E887352DB71A845CB52
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    • Associated: 00000003.00000002.2157067782.000000006D0B0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157169303.000000006D138000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157421538.000000006D139000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157437915.000000006D13C000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157452631.000000006D140000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157513295.000000006D1D2000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157529281.000000006D1D8000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157529281.000000006D1DC000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157559975.000000006D210000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157577011.000000006D217000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157598665.000000006D218000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000003.00000002.2157637638.000000006D21B000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 348792368aa8953de16e58c13bef4b7336c66dc05c5dc4ee048e30160c4edb0c
    • Instruction ID: da63bfce0767e913fc16214e4beec89ec71a3db2d60b9dabf8a66752b48aaa19
    • Opcode Fuzzy Hash: 348792368aa8953de16e58c13bef4b7336c66dc05c5dc4ee048e30160c4edb0c
    • Instruction Fuzzy Hash: 1191983260872A4FD359CE9CC8D062EB7E2FBCC344F58873DE9650B384EB7599098685
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Similarity
    • API ID:
    • String ID:
    • API String ID:

    Control-flow Graph

    APIs
    Strings
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;
    • API String ID: 3057923235-1661535913
    APIs
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    APIs
    • Sleep.KERNEL32(?,?,?,6D0B12E0,?,?,?,?,?,?,6D0B13A3), ref: 6D0B1057
    • _amsg_exit.MSVCRT ref: 6D0B1085
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    APIs
    • malloc.MSVCRT ref: 6D13623F
    • fwrite.MSVCRT ref: 6D13628D
    • abort.MSVCRT ref: 6D136292
    • free.MSVCRT ref: 6D1362B5
      • Part of subcall function 6D136180: _beginthread.MSVCRT ref: 6D1361A6
      • Part of subcall function 6D136180: _errno.MSVCRT ref: 6D1361B1
      • Part of subcall function 6D136180: _errno.MSVCRT ref: 6D1361B8
      • Part of subcall function 6D136180: fprintf.MSVCRT ref: 6D1361D8
      • Part of subcall function 6D136180: abort.MSVCRT ref: 6D1361DD
    Strings
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +
    • API String ID: 2633710936-2126386893
    APIs
    • CreateEventA.KERNEL32 ref: 6D135EA2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D135F59), ref: 6D135EBB
    • fwrite.MSVCRT ref: 6D135EF0
    • abort.MSVCRT ref: 6D135EF5
    Strings
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =
    • API String ID: 2455830200-2322244508
    APIs
    • bsearch.MSVCRT ref: 6D134F9F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6D135E0F), ref: 6D134FDA
    • malloc.MSVCRT ref: 6D135008
    • qsort.MSVCRT ref: 6D135056
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    APIs
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    APIs
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6D135FE0
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D134549), ref: 6D135FEC
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D134549), ref: 6D135FFE
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D134549), ref: 6D13600E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D134549), ref: 6D136020
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    APIs
    Strings
    Similarity
    • API ID: QueryVirtual
    • String ID: @
    • API String ID: 1804819252-2766056989
    APIs
    • VirtualQuery.KERNEL32 ref: 6D1366FD
    • VirtualProtect.KERNEL32 ref: 6D136757
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D1D1F04), ref: 6D136764
      • Part of subcall function 6D137400: fwrite.MSVCRT ref: 6D13742F
      • Part of subcall function 6D137400: vfprintf.MSVCRT ref: 6D13744F
      • Part of subcall function 6D137400: abort.MSVCRT ref: 6D137454
    Strings
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: @
    • API String ID: 1616349570-2766056989
    APIs
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.2157087496.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0

    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:11
    Total number of Limit Nodes:1
    execution_graph (flattened from the graph image: node id, address, API called at that node, then edges)
    • Function 6d111ea0 nodes: 47008 6d111ea0; 47009 6d111eb9; 47010 6d111ec8 VirtualAlloc
    • Function 6d111ea0 edges: 47008->47009, 47008->47010, 47009->47010
    • Function 6d136180 nodes: 47011 6d136180; 47012 6d136197 _beginthread; 47013 6d1361e2; 47014 6d1361b1 _errno; 47015 6d1361f0 Sleep; 47016 6d1361b8 _errno; 47017 6d136204; 47018 6d1361c9 fprintf abort
    • Function 6d136180 edges: 47011->47012, 47012->47013, 47012->47014, 47014->47015, 47014->47016, 47015->47012, 47015->47017, 47016->47018, 47017->47016, 47018->47013

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 0000000A.00000002.2183538921.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID:
    • API String ID: 1261927973-0

    Control-flow Graph

    control_flow_graph for 6d111ea0 (flattened from the graph image; legend: Executed / Not Executed)
    • Block 8: 6d111ea0-6d111eb7
    • Block 9: 6d111eb9-6d111ec6
    • Block 10: 6d111ec8-6d111ee0 VirtualAlloc
    • Edges: 8->9, 8->10, 9->10
    APIs
    Memory Dump Source
    • Source File: 0000000A.00000002.2183538921.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D13651F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D13652F
    • GetCurrentProcess.KERNEL32 ref: 6D136538
    • TerminateProcess.KERNEL32 ref: 6D136549
    • abort.MSVCRT ref: 6D136552
    Memory Dump Source
    • Source File: 0000000A.00000002.2183538921.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D13651F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D13652F
    • GetCurrentProcess.KERNEL32 ref: 6D136538
    • TerminateProcess.KERNEL32 ref: 6D136549
    • abort.MSVCRT ref: 6D136552
    Memory Dump Source
    • Source File: 0000000A.00000002.2183538921.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.2183538921.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;
    • API String ID: 3057923235-1661535913
    APIs
    Memory Dump Source
    • Source File: 0000000A.00000002.2183538921.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    APIs
    • Sleep.KERNEL32(?,?,?,6D0B12E0,?,?,?,?,?,?,6D0B13A3), ref: 6D0B1057
    • _amsg_exit.MSVCRT ref: 6D0B1085
    Memory Dump Source
    • Source File: 0000000A.00000002.2183538921.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    APIs
    • malloc.MSVCRT ref: 6D13623F
    • fwrite.MSVCRT ref: 6D13628D
    • abort.MSVCRT ref: 6D136292
    • free.MSVCRT ref: 6D1362B5
      • Part of subcall function 6D136180: _beginthread.MSVCRT ref: 6D1361A6
      • Part of subcall function 6D136180: _errno.MSVCRT ref: 6D1361B1
      • Part of subcall function 6D136180: _errno.MSVCRT ref: 6D1361B8
      • Part of subcall function 6D136180: fprintf.MSVCRT ref: 6D1361D8
      • Part of subcall function 6D136180: abort.MSVCRT ref: 6D1361DD
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.2183538921.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +
    • API String ID: 2633710936-2126386893
    APIs
    • CreateEventA.KERNEL32 ref: 6D135EA2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D135F59), ref: 6D135EBB
    • fwrite.MSVCRT ref: 6D135EF0
    • abort.MSVCRT ref: 6D135EF5
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.2183538921.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =
    • API String ID: 2455830200-2322244508
    APIs
    • bsearch.MSVCRT ref: 6D134F9F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6D135E0F), ref: 6D134FDA
    • malloc.MSVCRT ref: 6D135008
    • qsort.MSVCRT ref: 6D135056
    Memory Dump Source
    • Source File: 0000000A.00000002.2183538921.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    APIs
    Memory Dump Source
    • Source File: 0000000A.00000002.2183538921.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    APIs
    Memory Dump Source
    • Source File: 0000000A.00000002.2183538921.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6D136459
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D0B13B9), ref: 6D13646A
    • GetCurrentThreadId.KERNEL32 ref: 6D136472
    • GetTickCount.KERNEL32 ref: 6D13647A
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D0B13B9), ref: 6D136489
    Memory Dump Source
    • Source File: 0000000A.00000002.2183538921.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: f87fe4a6b80a12ac53b3005fb0e0e6db3cfc277c2a84144a80a238458c21beed
    • Instruction ID: 576720da7317a4ef2c7eac6241b0b89bda2644c251e95bf4bc9f2369febccaa6
    • Opcode Fuzzy Hash: f87fe4a6b80a12ac53b3005fb0e0e6db3cfc277c2a84144a80a238458c21beed
    • Instruction Fuzzy Hash: 8D1188B9A043008BCB10DF79E88874BBBF1FB89268F02483AE554C7200EB75D448CB92
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6D135FE0
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D134549), ref: 6D135FEC
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D134549), ref: 6D135FFE
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D134549), ref: 6D13600E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D134549), ref: 6D136020
    Memory Dump Source
    • Source File: 0000000A.00000002.2183538921.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 4c62771d551cc29dd79d0c74c30833720d7b5fded0f6d2a072451d35523d2ccd
    • Instruction ID: f339d627e5b8d126e3556c7a732b4ddfdd4a4b0b7463ebb29911ecf75b2afd2f
    • Opcode Fuzzy Hash: 4c62771d551cc29dd79d0c74c30833720d7b5fded0f6d2a072451d35523d2ccd
    • Instruction Fuzzy Hash: 090144715083498FEB00BFB999CA51FFBF8AF82215F024529DA9447345DB719458CBE3
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.2183538921.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: @
    • API String ID: 1804819252-2766056989
    • Opcode ID: 8b1ec9d4ea2298521fb7c7e9775eec42014c4f4e383cc5888d89c9c83515d6b0
    • Instruction ID: 7c451a0920947dbd0a57f20ea0b5bd5fc955be2088b71e69241b6ff61cd6e07d
    • Opcode Fuzzy Hash: 8b1ec9d4ea2298521fb7c7e9775eec42014c4f4e383cc5888d89c9c83515d6b0
    • Instruction Fuzzy Hash: EA417BB69043159BCB00DF69D8C965AFBF0FB85758F46C929DA9887208E770E444CBD2
    APIs
    • VirtualQuery.KERNEL32 ref: 6D1366FD
    • VirtualProtect.KERNEL32 ref: 6D136757
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D1D1F04), ref: 6D136764
      • Part of subcall function 6D137400: fwrite.MSVCRT ref: 6D13742F
      • Part of subcall function 6D137400: vfprintf.MSVCRT ref: 6D13744F
      • Part of subcall function 6D137400: abort.MSVCRT ref: 6D137454
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.2183538921.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: @
    • API String ID: 1616349570-2766056989
    • Opcode ID: bb9db7cef30e1de0562a8e77011642a03a65070ffeb648a0d60329e0dbe4294e
    • Instruction ID: ac775a3018f10064d6edeebc259f288c5afcf58ee7770b3d7d3ca14afa335806
    • Opcode Fuzzy Hash: bb9db7cef30e1de0562a8e77011642a03a65070ffeb648a0d60329e0dbe4294e
    • Instruction Fuzzy Hash: D5214FB58047159FDB00DF28D88975AFBF0BF44318F46CA29DAA887218E774D404CF92
    APIs
    Memory Dump Source
    • Source File: 0000000A.00000002.2183538921.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: c274282d029b54c164222cc4966fbe08e15f179ff660029d08d68aeb2525763f
    • Instruction ID: d2aa389b4b98bb9e91246be51a5a87aaf4f13a3f42bba92cd3c3dbaecc9df095
    • Opcode Fuzzy Hash: c274282d029b54c164222cc4966fbe08e15f179ff660029d08d68aeb2525763f
    • Instruction Fuzzy Hash: 182105B4A086118BEB009F68D4C872ABBF0BF94604F16C96CE8898B209D775D844CF82
    APIs
    Memory Dump Source
    • Source File: 0000000A.00000002.2183538921.000000006D0B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D0B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_6d0b0000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 0c40cf7338932a9863fa2acdb325587b4a6dcc0f04b71b9159f35c63752502ce
    • Instruction ID: 3b6773ff309feba9383642e9aedeefac1789fe02f2f93c3ed1b4d5e2e4f0439b
    • Opcode Fuzzy Hash: 0c40cf7338932a9863fa2acdb325587b4a6dcc0f04b71b9159f35c63752502ce
    • Instruction Fuzzy Hash: 9AF0A4B65046599FCB007F78C8CA62BBBB4BB55244B068568DE5457208EB30E815CBE3

    Execution Graph

    Execution Coverage:0%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:11
    Total number of Limit Nodes:1
    execution_graph
    • Nodes (id: address, API called):
      • 46970: 6d0a1ea0
      • 46971: 6d0a1ec8 VirtualAlloc
      • 46972: 6d0a1eb9
      • 46973: 6d0c6180
      • 46974: 6d0c6197 _beginthread
      • 46975: 6d0c61b1 _errno
      • 46976: 6d0c61e2
      • 46977: 6d0c61b8 _errno
      • 46978: 6d0c61f0 Sleep
      • 46979: 6d0c6204
      • 46980: 6d0c61c9 fprintf abort
    • Edges: 46970->46971, 46970->46972, 46972->46971, 46973->46974, 46974->46975, 46974->46976, 46975->46977, 46975->46978, 46977->46980, 46978->46974, 46978->46979, 46979->46977, 46980->46976

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 0000000C.00000002.2261616035.000000006D041000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D040000, based on PE: true
    • Associated: 0000000C.00000002.2261464716.000000006D040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262032176.000000006D0C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262528308.000000006D0C9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262708649.000000006D0CC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262885233.000000006D0D0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263361599.000000006D162000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D168000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D16C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264065587.000000006D1A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264221668.000000006D1A7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264384746.000000006D1A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264536113.000000006D1AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6d040000_rundll32.jbxd
    Similarity
    • API ID: _errno$Sleep_beginthreadabortfprintf
    • String ID:
    • API String ID: 1261927973-0
    • Opcode ID: c8960c839014f3ea7d426c95f12ae0ef620163bdb9a9bb4c09b36344f25baef0
    • Instruction ID: 8c37ef3da78db0404e12721af3f9c2101372f9845b3d041b7d65a33cfd732ced
    • Opcode Fuzzy Hash: c8960c839014f3ea7d426c95f12ae0ef620163bdb9a9bb4c09b36344f25baef0
    • Instruction Fuzzy Hash: E6016DB54093019FD7106F68D88833EBBF4FF86321F89495DE98583221C7719480DAA3

    Control-flow Graph

    control_flow_graph
    • Nodes (id: address range, API called):
      • 8: 6d0a1ea0-6d0a1eb7
      • 9: 6d0a1ec8-6d0a1ee0 VirtualAlloc
      • 10: 6d0a1eb9-6d0a1ec6
    • Edges: 8->9, 8->10, 10->9
    APIs
    Memory Dump Source
    • Source File: 0000000C.00000002.2261616035.000000006D041000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D040000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6d040000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction ID: 406b93d1df19091136887f3972b69bf32e2fcf2f9bf058b01d9eda3732a71a87
    • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
    • Instruction Fuzzy Hash: 69E0E571505640CFDB15DF18C2C1716BBE1EB48A00F0485A8DE098F74AD734ED10CBD2
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D0C651F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D0C652F
    • GetCurrentProcess.KERNEL32 ref: 6D0C6538
    • TerminateProcess.KERNEL32 ref: 6D0C6549
    • abort.MSVCRT ref: 6D0C6552
    Memory Dump Source
    • Source File: 0000000C.00000002.2261616035.000000006D041000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D040000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6d040000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 385c7a90f478f7f53e65041c4ec3aa7df4e35c19c9f6b629b3ac7accf403828f
    • Instruction ID: 2a40ea795d7d981347c266d37c766b9c4b1b241afc7c8d36457f9a902d391bdc
    • Opcode Fuzzy Hash: 385c7a90f478f7f53e65041c4ec3aa7df4e35c19c9f6b629b3ac7accf403828f
    • Instruction Fuzzy Hash: 291113B59056058FDB00EF6CD55872EBBF0BB8A304F48892AE888C7354E3B49944CF93
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 6D0C651F
    • UnhandledExceptionFilter.KERNEL32 ref: 6D0C652F
    • GetCurrentProcess.KERNEL32 ref: 6D0C6538
    • TerminateProcess.KERNEL32 ref: 6D0C6549
    • abort.MSVCRT ref: 6D0C6552
    Memory Dump Source
    • Source File: 0000000C.00000002.2261616035.000000006D041000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D040000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6d040000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
    • String ID:
    • API String ID: 520269711-0
    • Opcode ID: 1c62cd260d388de30816801b99f156ba8ba7162bcdc1bd5bfbaf112cc681058c
    • Instruction ID: 690df56332ba73c6b8cd609d692e3297da1d01878ebb0289a4c3140feafabd87
    • Opcode Fuzzy Hash: 1c62cd260d388de30816801b99f156ba8ba7162bcdc1bd5bfbaf112cc681058c
    • Instruction Fuzzy Hash: 081102B58056498FDB00EF6DE55836E7BF0BB4A300F08852AE948C7345E7B4A848CF92

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.2261616035.000000006D041000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D040000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6d040000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeaveabortfwrite$Event
    • String ID: ;
    • API String ID: 3057923235-1661535913
    • Opcode ID: aabf23897e6b3e5b789fdca6377549745d1284ea5582624279231dd6ae632a8c
    • Instruction ID: ca1d0c498d55cee71b7e7ebf2a42ec4ceb0ae1c7d605ac2a194500505deae674
    • Opcode Fuzzy Hash: aabf23897e6b3e5b789fdca6377549745d1284ea5582624279231dd6ae632a8c
    • Instruction Fuzzy Hash: F11195F58086458FEB00BFB8D10936EBFF0BB92308F45491DE88557205DBB59559CB93
    APIs
    Memory Dump Source
    • Source File: 0000000C.00000002.2261616035.000000006D041000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D040000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6d040000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
    • String ID:
    • API String ID: 533997002-0
    • Opcode ID: feeb03e0f57ac8bfcca33f440b5cef549faa19949a7c20e0e47c7358b0e15ea0
    • Instruction ID: c7ca1ed39931ce3dd67defc049b9dae0b61ac9e32b0974daa943b1f4822e1768
    • Opcode Fuzzy Hash: feeb03e0f57ac8bfcca33f440b5cef549faa19949a7c20e0e47c7358b0e15ea0
    • Instruction Fuzzy Hash: CE517175A083159FE700DF29D48036EB7E5FBC8304F46892AE998D7250E774E94ACB93
    APIs
    • Sleep.KERNEL32(?,?,?,6D0412E0,?,?,?,?,?,?,6D0413A3), ref: 6D041057
    • _amsg_exit.MSVCRT ref: 6D041085
    Memory Dump Source
    • Source File: 0000000C.00000002.2261616035.000000006D041000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D040000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6d040000_rundll32.jbxd
    Similarity
    • API ID: Sleep_amsg_exit
    • String ID:
    • API String ID: 1015461914-0
    • Opcode ID: 5f773b8869924ee8f77fa2349ba1fa2327c818d43c19943d20d91ea28ee55111
    • Instruction ID: b4c4df2b0db6a8ffe343eb049960da9f1923fdedd80261d7d6b9850426822bd1
    • Opcode Fuzzy Hash: 5f773b8869924ee8f77fa2349ba1fa2327c818d43c19943d20d91ea28ee55111
    • Instruction Fuzzy Hash: 24416EB1A08241CBF7019F6CE594B2EB7F0FB81384F45C93AD5548B248D7B98490CB93
    APIs
    • malloc.MSVCRT ref: 6D0C623F
    • fwrite.MSVCRT ref: 6D0C628D
    • abort.MSVCRT ref: 6D0C6292
    • free.MSVCRT ref: 6D0C62B5
      • Part of subcall function 6D0C6180: _beginthread.MSVCRT ref: 6D0C61A6
      • Part of subcall function 6D0C6180: _errno.MSVCRT ref: 6D0C61B1
      • Part of subcall function 6D0C6180: _errno.MSVCRT ref: 6D0C61B8
      • Part of subcall function 6D0C6180: fprintf.MSVCRT ref: 6D0C61D8
      • Part of subcall function 6D0C6180: abort.MSVCRT ref: 6D0C61DD
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.2261616035.000000006D041000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D040000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6d040000_rundll32.jbxd
    Similarity
    • API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
    • String ID: +
    • API String ID: 2633710936-2126386893
    • Opcode ID: b3ed77e5514569b6d0706fcfb2622ce0a5c5dfd383667b7ac6538d43892b0d9d
    • Instruction ID: 206db7b06d3053ade0c2e06ded16e505baadd649248e3554c8d685951487eb35
    • Opcode Fuzzy Hash: b3ed77e5514569b6d0706fcfb2622ce0a5c5dfd383667b7ac6538d43892b0d9d
    • Instruction Fuzzy Hash: 4421C7B49087008FD710EF68D58461EBBF4FF89314F85899DE9888B326D3759880CB93
    APIs
    • CreateEventA.KERNEL32 ref: 6D0C5EA2
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D0C5F59), ref: 6D0C5EBB
    • fwrite.MSVCRT ref: 6D0C5EF0
    • abort.MSVCRT ref: 6D0C5EF5
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.2261616035.000000006D041000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D040000, based on PE: true
    • Associated: 0000000C.00000002.2261464716.000000006D040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262032176.000000006D0C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262528308.000000006D0C9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262708649.000000006D0CC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262885233.000000006D0D0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263361599.000000006D162000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D168000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D16C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264065587.000000006D1A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264221668.000000006D1A7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264384746.000000006D1A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264536113.000000006D1AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6d040000_rundll32.jbxd
    Similarity
    • API ID: CreateCriticalEventInitializeSectionabortfwrite
    • String ID: =
    • API String ID: 2455830200-2322244508
    • Opcode ID: d24fead80348c49e989de1d4732ed40769cb0b1e58761d01170dde6cd7a7217d
    • Instruction ID: c28f9ddf8c62cbd0b7434b10a62643daa4ec59ffab51ba170b4d4ce8fadc723b
    • Opcode Fuzzy Hash: d24fead80348c49e989de1d4732ed40769cb0b1e58761d01170dde6cd7a7217d
    • Instruction Fuzzy Hash: 5CF0ECB58087419FE700AF68D51932EBFF0BB81304F85885DD49986245DBB990488F93
    APIs
    • bsearch.MSVCRT ref: 6D0C4F9F
    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6D0C5E0F), ref: 6D0C4FDA
    • malloc.MSVCRT ref: 6D0C5008
    • qsort.MSVCRT ref: 6D0C5056
    Memory Dump Source
    • Source File: 0000000C.00000002.2261616035.000000006D041000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D040000, based on PE: true
    • Associated: 0000000C.00000002.2261464716.000000006D040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262032176.000000006D0C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262528308.000000006D0C9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262708649.000000006D0CC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262885233.000000006D0D0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263361599.000000006D162000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D168000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D16C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264065587.000000006D1A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264221668.000000006D1A7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264384746.000000006D1A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264536113.000000006D1AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6d040000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastbsearchmallocqsort
    • String ID:
    • API String ID: 1451747280-0
    • Opcode ID: cf20bce01b5d5c8644d94187d6576b1d200b65883f01a795f17a2ef2bea5eed4
    • Instruction ID: 502c704014a31868752d94c126db31c521e455ad5dc43c0abe23751c3e8c3fa0
    • Opcode Fuzzy Hash: cf20bce01b5d5c8644d94187d6576b1d200b65883f01a795f17a2ef2bea5eed4
    • Instruction Fuzzy Hash: 89414574A083019FE310DF6AD48072EB7F1FF88314F05892DE8898B324E774E8598B92
    APIs
    Memory Dump Source
    • Source File: 0000000C.00000002.2261616035.000000006D041000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D040000, based on PE: true
    • Associated: 0000000C.00000002.2261464716.000000006D040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262032176.000000006D0C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262528308.000000006D0C9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262708649.000000006D0CC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262885233.000000006D0D0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263361599.000000006D162000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D168000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D16C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264065587.000000006D1A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264221668.000000006D1A7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264384746.000000006D1A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264536113.000000006D1AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6d040000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$LocaleThread
    • String ID:
    • API String ID: 2451566642-0
    • Opcode ID: 02e882a9dd836404bdb700bf1af92046176a0b2ec76bf1ff26286c7bb1573f2f
    • Instruction ID: 7128dc189a04f3b9573857db26a09e870839e71325f563f0ceb8fdea64445d4b
    • Opcode Fuzzy Hash: 02e882a9dd836404bdb700bf1af92046176a0b2ec76bf1ff26286c7bb1573f2f
    • Instruction Fuzzy Hash: FF21A5786146058FE700AF38D88877EBBF5BF85314F098929E5A5CB291EB35E805CB53
    APIs
    Memory Dump Source
    • Source File: 0000000C.00000002.2261616035.000000006D041000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D040000, based on PE: true
    • Associated: 0000000C.00000002.2261464716.000000006D040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262032176.000000006D0C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262528308.000000006D0C9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262708649.000000006D0CC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262885233.000000006D0D0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263361599.000000006D162000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D168000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D16C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264065587.000000006D1A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264221668.000000006D1A7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264384746.000000006D1A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264536113.000000006D1AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6d040000_rundll32.jbxd
    Similarity
    • API ID: _lock_unlockcalloc
    • String ID:
    • API String ID: 3876498383-0
    • Opcode ID: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
    • Instruction ID: 651f6f30373ec9703387c34c2ce63dba53c502cf029ba7bd965f96832ec7b815
    • Opcode Fuzzy Hash: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
    • Instruction Fuzzy Hash: 00111C709082018BF740DF6CC98475EBBE4FF85354F658669E8A8CB285EB38D445CB53
    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 6D0C6459
    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D0413B9), ref: 6D0C646A
    • GetCurrentThreadId.KERNEL32 ref: 6D0C6472
    • GetTickCount.KERNEL32 ref: 6D0C647A
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D0413B9), ref: 6D0C6489
    Memory Dump Source
    • Source File: 0000000C.00000002.2261616035.000000006D041000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D040000, based on PE: true
    • Associated: 0000000C.00000002.2261464716.000000006D040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262032176.000000006D0C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262528308.000000006D0C9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262708649.000000006D0CC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262885233.000000006D0D0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263361599.000000006D162000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D168000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D16C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264065587.000000006D1A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264221668.000000006D1A7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264384746.000000006D1A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264536113.000000006D1AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6d040000_rundll32.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: a91924b23b39ccbabb282088b1251ee341414edc3db7b33db82dc0348bc36516
    • Instruction ID: d22cc3f7d3d58c644f8a86b6d21251247c825b730cdabaad6e48b50d7e59c36b
    • Opcode Fuzzy Hash: a91924b23b39ccbabb282088b1251ee341414edc3db7b33db82dc0348bc36516
    • Instruction Fuzzy Hash: 2A1166B5A093008BCB00DF79E88876FBBF4FB89264F44093AE444C7210EB319448CB93
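The call order listed for this function (GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter) is the shape of a compiler-generated stack-protector cookie initialiser (`__security_init_cookie` in the MSVC and mingw-w64 runtimes): the clock and counter readings are XOR-folded into a canary, not compared against each other as a timing measurement. The C block below is an added reconstruction of that fold for this report; it is not code from the sample or from either runtime, it takes the readings as parameters instead of calling the Windows APIs, and the constant 0xBB40E64E is assumed to be the 32-bit link-time default those runtimes use.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed 32-bit default cookie (the value MSVC and mingw-w64 use). */
#define DEFAULT_SECURITY_COOKIE 0xBB40E64Eu

/* Raw entropy inputs, one per API call in the listing above. They are
   passed in by the caller so the fold can be checked without Windows. */
struct cookie_seed {
    uint32_t filetime_low;   /* GetSystemTimeAsFileTime: dwLowDateTime  */
    uint32_t filetime_high;  /* GetSystemTimeAsFileTime: dwHighDateTime */
    uint32_t pid;            /* GetCurrentProcessId */
    uint32_t tid;            /* GetCurrentThreadId  */
    uint32_t tick;           /* GetTickCount        */
    uint32_t perf_low;       /* QueryPerformanceCounter: LowPart  */
    uint32_t perf_high;      /* QueryPerformanceCounter: HighPart */
};

/* XOR-fold of the seven readings, in the order the listing calls them. */
uint32_t derive_security_cookie(const struct cookie_seed *s)
{
    uint32_t cookie = s->filetime_low ^ s->filetime_high;
    cookie ^= s->pid;
    cookie ^= s->tid;
    cookie ^= s->tick;
    cookie ^= s->perf_low;
    cookie ^= s->perf_high;
    /* A fold that lands on the link-time default is bumped, so the
       canary in memory is never the value readable from an unpatched
       copy of the binary. */
    if (cookie == DEFAULT_SECURITY_COOKIE)
        cookie = DEFAULT_SECURITY_COOKIE + 1;
    return cookie;
}

/* The runtime stores ~cookie beside the cookie; a corruption that
   overwrites both with the same value fails the complement check. */
uint32_t security_cookie_complement(uint32_t cookie)
{
    return ~cookie;
}

int cookie_pair_is_consistent(uint32_t cookie, uint32_t complement)
{
    return cookie == ~complement;
}

int main(void)
{
    /* Constructed sample readings, not values captured from the sandbox. */
    struct cookie_seed seed = {
        0x01234567u, 0x89ABCDEFu, 0x1B4Cu, 0x0E10u,
        0x12345678u, 0xDEADBEEFu, 0x2Au
    };
    uint32_t c = derive_security_cookie(&seed);
    printf("cookie=%08X complement=%08X\n", c, security_cookie_complement(c));
    return 0;
}
```

When triaging a timing-API hit, the data flow is the discriminator: an anti-debug check takes two readings of the same clock and compares their difference against a threshold, whereas a cookie initialiser takes one reading of each source, folds them into a global, and that global is later compared against a stack slot in function epilogues.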
    APIs
    • WaitForSingleObject.KERNEL32 ref: 6D0C5FE0
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D0C4549), ref: 6D0C5FEC
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D0C4549), ref: 6D0C5FFE
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D0C4549), ref: 6D0C600E
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D0C4549), ref: 6D0C6020
    Memory Dump Source
    • Source File: 0000000C.00000002.2261616035.000000006D041000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D040000, based on PE: true
    • Associated: 0000000C.00000002.2261464716.000000006D040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262032176.000000006D0C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262528308.000000006D0C9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262708649.000000006D0CC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262885233.000000006D0D0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263361599.000000006D162000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D168000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D16C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264065587.000000006D1A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264221668.000000006D1A7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264384746.000000006D1A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264536113.000000006D1AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6d040000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ObjectSingleWait
    • String ID:
    • API String ID: 1755037574-0
    • Opcode ID: 7366931377d83396d40a7ad35a25d021d01e9ffd937a5a84dfc869d8c7ffe5b2
    • Instruction ID: 5cf8df4835fab7a811c163d19d0877a65c7f697ccd5b2da39c7943e323f74a94
    • Opcode Fuzzy Hash: 7366931377d83396d40a7ad35a25d021d01e9ffd937a5a84dfc869d8c7ffe5b2
    • Instruction Fuzzy Hash: 96019EB85047088FEB00BFBDA58962EBFF4EF92214F050529D89057245D7B0A409CBD3
    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.2261616035.000000006D041000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D040000, based on PE: true
    • Associated: 0000000C.00000002.2261464716.000000006D040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262032176.000000006D0C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262528308.000000006D0C9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262708649.000000006D0CC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262885233.000000006D0D0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263361599.000000006D162000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D168000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D16C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264065587.000000006D1A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264221668.000000006D1A7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264384746.000000006D1A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264536113.000000006D1AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6d040000_rundll32.jbxd
    Similarity
    • API ID: QueryVirtual
    • String ID: @
    • API String ID: 1804819252-2766056989
    • Opcode ID: d873b9984570b4e51b71c086a7362a72f3def7fdb5f6ca5d58c9a5a7b36e3d49
    • Instruction ID: 67969130f76c51e0348e7a318c702707e1e5415e3004a75bedb7b22b54aee4b8
    • Opcode Fuzzy Hash: d873b9984570b4e51b71c086a7362a72f3def7fdb5f6ca5d58c9a5a7b36e3d49
    • Instruction Fuzzy Hash: 67417AB6A047019FEB10DF68E49476EFBF0FB85754F458A29D94897224E370E844CBD2
    APIs
    • VirtualQuery.KERNEL32 ref: 6D0C66FD
    • VirtualProtect.KERNEL32 ref: 6D0C6757
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D161F04), ref: 6D0C6764
      • Part of subcall function 6D0C7400: fwrite.MSVCRT ref: 6D0C742F
      • Part of subcall function 6D0C7400: vfprintf.MSVCRT ref: 6D0C744F
      • Part of subcall function 6D0C7400: abort.MSVCRT ref: 6D0C7454
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.2261616035.000000006D041000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D040000, based on PE: true
    • Associated: 0000000C.00000002.2261464716.000000006D040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262032176.000000006D0C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262528308.000000006D0C9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262708649.000000006D0CC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262885233.000000006D0D0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263361599.000000006D162000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D168000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D16C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264065587.000000006D1A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264221668.000000006D1A7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264384746.000000006D1A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264536113.000000006D1AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6d040000_rundll32.jbxd
    Similarity
    • API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
    • String ID: @
    • API String ID: 1616349570-2766056989
    • Opcode ID: f0c704064905f39cdd6ae919f54c78bb7b14af388d8a031d3f2f06c77225224f
    • Instruction ID: 694c1b08cdb3f4d87a3f23db2c5793ae105815504845d4fd529ada3d0efab942
    • Opcode Fuzzy Hash: f0c704064905f39cdd6ae919f54c78bb7b14af388d8a031d3f2f06c77225224f
    • Instruction Fuzzy Hash: 392157B69087028FEB00DF68E48472DFBF0BF85318F458A2AD99887224E374D405CB92
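The VirtualQuery, VirtualProtect, GetLastError sequence in this function, with a subcall that does fwrite, vfprintf and abort on failure, has the shape of the mingw-w64 pseudo-relocation helper that patches a DLL's own read-only sections at load time; the "@" string reference is most plausibly the constant 0x40 (PAGE_EXECUTE_READWRITE) passed to VirtualProtect. The C block below is an added reconstruction of that pattern for this report, not code from the sample or from the mingw-w64 runtime. The `struct region_info`, the `query_fn`/`protect_fn` callback types and the stub functions are hypothetical stand-ins for the Windows API so that the control flow builds and runs without the Windows SDK.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Page protections from <winnt.h>, redeclared so this builds without
   the Windows SDK. 0x40 is the '@' in the string reference above. */
#define PAGE_READONLY          0x02u
#define PAGE_READWRITE         0x04u
#define PAGE_EXECUTE_READWRITE 0x40u

/* Stand-in for the fields of MEMORY_BASIC_INFORMATION the logic needs. */
struct region_info {
    void    *base;
    size_t   size;
    uint32_t protect;
};

/* Hypothetical callback types in place of VirtualQuery/VirtualProtect. */
typedef int (*query_fn)(const void *addr, struct region_info *out);
typedef int (*protect_fn)(void *base, size_t size, uint32_t new_prot,
                          uint32_t *old_prot);

/* Copies len bytes into a possibly read-only region: query the page,
   relax it to RWX only if it is not already writable, write, restore.
   Returns -1 where the runtime would print a fatal message and abort. */
int write_memory_unprotected(void *dst, const void *src, size_t len,
                             query_fn query, protect_fn protect)
{
    struct region_info r;
    uint32_t old_prot = 0;
    int need_restore = 0;

    if (len == 0)
        return 0;
    if (!query(dst, &r))
        return -1;
    if (r.protect != PAGE_EXECUTE_READWRITE && r.protect != PAGE_READWRITE) {
        need_restore = 1;
        protect(r.base, r.size, PAGE_EXECUTE_READWRITE, &old_prot);
    }
    memcpy(dst, src, len);
    if (need_restore)
        protect(r.base, r.size, old_prot, &old_prot);
    return 0;
}

/* Stubs standing in for the OS; their state is inspected after a run. */
static uint8_t  fake_image[16];     /* pretend read-only image page     */
static uint32_t fake_protect;       /* its current protection           */
static uint32_t protect_log[4];     /* protections requested, in order  */
static int      protect_calls;

static int stub_query(const void *addr, struct region_info *out)
{
    (void)addr;
    out->base = fake_image;
    out->size = sizeof fake_image;
    out->protect = fake_protect;
    return 1;
}

static int stub_protect(void *base, size_t size, uint32_t new_prot,
                        uint32_t *old_prot)
{
    (void)base; (void)size;
    *old_prot = fake_protect;
    fake_protect = new_prot;
    if (protect_calls < 4)
        protect_log[protect_calls] = new_prot;
    protect_calls++;
    return 1;
}

/* Applies one 32-bit fix-up at offset into the fake page, which starts
   with protection initial_prot; returns the number of protection
   changes needed, or -1 on failure. */
int apply_one_reloc(uint32_t value, size_t offset, uint32_t initial_prot)
{
    memset(fake_image, 0, sizeof fake_image);
    fake_protect = initial_prot;
    protect_calls = 0;
    if (write_memory_unprotected(fake_image + offset, &value, sizeof value,
                                 stub_query, stub_protect) != 0)
        return -1;
    return protect_calls;
}

/* Reads a fix-up back independent of host byte order. */
uint32_t read_image_u32(size_t offset)
{
    uint32_t v;
    memcpy(&v, fake_image + offset, sizeof v);
    return v;
}

int main(void)
{
    int n = apply_one_reloc(0x11223344u, 4, PAGE_READONLY);
    printf("%d protection changes, value %08X, final protect %02X\n",
           n, read_image_u32(4), fake_protect);
    return 0;
}
```

What separates this from injection or unpacking in a memory trace is the target and the aftermath: the write lands inside the module's own mapped image, the page goes to 0x40 only for the duration of the copy, and the original protection is put back immediately afterwards.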
    APIs
    Memory Dump Source
    • Source File: 0000000C.00000002.2261616035.000000006D041000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D040000, based on PE: true
    • Associated: 0000000C.00000002.2261464716.000000006D040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262032176.000000006D0C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262528308.000000006D0C9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262708649.000000006D0CC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262885233.000000006D0D0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263361599.000000006D162000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D168000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D16C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264065587.000000006D1A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264221668.000000006D1A7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264384746.000000006D1A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264536113.000000006D1AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6d040000_rundll32.jbxd
    Similarity
    • API ID: Heapfree$FreeProcess
    • String ID:
    • API String ID: 3425746932-0
    • Opcode ID: 382ad5fa724cafa9cb5fbc9086250bf6ffcd1dc96330d6ca0b1149c5f9a9a685
    • Instruction ID: 6af9ac576efcc4977e3c89bc0c0c67cf1559826a4c2d66d11029065226fc8afd
    • Opcode Fuzzy Hash: 382ad5fa724cafa9cb5fbc9086250bf6ffcd1dc96330d6ca0b1149c5f9a9a685
    • Instruction Fuzzy Hash: D021D4B9A086018BEB049F65D4C872EBBE0BF84604F15C969EC898B209D734D845CB92
    APIs
    Memory Dump Source
    • Source File: 0000000C.00000002.2261616035.000000006D041000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D040000, based on PE: true
    • Associated: 0000000C.00000002.2261464716.000000006D040000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262032176.000000006D0C8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262528308.000000006D0C9000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262708649.000000006D0CC000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2262885233.000000006D0D0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263361599.000000006D162000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D168000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2263540813.000000006D16C000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264065587.000000006D1A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264221668.000000006D1A7000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264384746.000000006D1A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 0000000C.00000002.2264536113.000000006D1AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_6d040000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeaveValue
    • String ID:
    • API String ID: 682475483-0
    • Opcode ID: 57578eb3e11bdeed6113c4609f9298468bf86f9be327155945f7c69213727d86
    • Instruction ID: 829f9dc35e982ae4eed49c0bf706fe98b580f2c274ad4f62edc48ac675b575ac
    • Opcode Fuzzy Hash: 57578eb3e11bdeed6113c4609f9298468bf86f9be327155945f7c69213727d86
    • Instruction Fuzzy Hash: D9F0AFB6A00B058FDB10BF6CE48967E7BB4FA45380B094568DD448B219E770E815CBE3