Edit tour

Windows Analysis Report
iK9pj4aPIU.dll

Overview

General Information

Sample name:	iK9pj4aPIU.dll renamed because original name is a hash value
Original sample name:	c4fa313465383c60f92c1018c825c98dd25860891996f1f6993ad080c63b194a.dll
Analysis ID:	1544818
MD5:	1fc765a87c062b0c11bb9043679efa7c
SHA1:	dfe08757e7d81b23ee66bdcdda451acb58f47435
SHA256:	c4fa313465383c60f92c1018c825c98dd25860891996f1f6993ad080c63b194a
Tags:	2024bankerdllgolangloadermekotiouser-johnk3r
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6780 cmdline: loaddll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 2952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5692 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 2768 cmdline: rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 1568 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 840 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 5500 cmdline: rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 4128 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 812 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 5792 cmdline: rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3276 cmdline: rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4428 cmdline: rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 2756 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 844 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 4568 cmdline: rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 344 cmdline: rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6200 cmdline: rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5420 cmdline: rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellSpell MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4268 cmdline: rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellInit MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1240 cmdline: rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellFree MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4932 cmdline: rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2976 cmdline: rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 768 cmdline: rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.4% probability

Bitcoin Miner

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1D14C0	3_2_6D1D14C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF114C0	13_2_6CF114C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF114C0	17_2_6CF114C0

Source: iK9pj4aPIU.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: iK9pj4aPIU.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	3_2_6D1C9DA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	3_2_6D1BCB60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	3_2_6D1C8A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	3_2_6D1A3000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	13_2_6CF09DA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	13_2_6CF08A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	13_2_6CEFCB60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	13_2_6CEE3000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ecx, 0Dh	17_2_6CF09DA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then shr ebp, 0Dh	17_2_6CF08A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov dword ptr [esp], edx	17_2_6CEFCB60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov ebp, edi	17_2_6CEE3000

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CAD00	3_2_6D1CAD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1B7DD0	3_2_6D1B7DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D216FB0	3_2_6D216FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1F7FB0	3_2_6D1F7FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1C8E10	3_2_6D1C8E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1ABE4F	3_2_6D1ABE4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1DCE40	3_2_6D1DCE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D212940	3_2_6D212940
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1B0830	3_2_6D1B0830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1B5820	3_2_6D1B5820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D221A00	3_2_6D221A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CCA70	3_2_6D1CCA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1ACA60	3_2_6D1ACA60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CBAB0	3_2_6D1CBAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CD525	3_2_6D1CD525
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CB540	3_2_6D1CB540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D215590	3_2_6D215590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CC460	3_2_6D1CC460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D217490	3_2_6D217490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1FF732	3_2_6D1FF732
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1E6730	3_2_6D1E6730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D223710	3_2_6D223710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CA790	3_2_6D1CA790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1A3620	3_2_6D1A3620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D221640	3_2_6D221640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1CC100	3_2_6D1CC100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D215100	3_2_6D215100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1C61A0	3_2_6D1C61A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1A3000	3_2_6D1A3000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1DE040	3_2_6D1DE040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1D6040	3_2_6D1D6040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1C3090	3_2_6D1C3090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1C10D0	3_2_6D1C10D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D216240	3_2_6D216240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D1A92E0	3_2_6D1A92E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEF7DD0	13_2_6CEF7DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0AD00	13_2_6CF0AD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEEBE4F	13_2_6CEEBE4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF1CE40	13_2_6CF1CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF08E10	13_2_6CF08E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF37FB0	13_2_6CF37FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF56FB0	13_2_6CF56FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEF5820	13_2_6CEF5820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEF0830	13_2_6CEF0830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF52940	13_2_6CF52940
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0BAB0	13_2_6CF0BAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0CA70	13_2_6CF0CA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEECA60	13_2_6CEECA60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF61A00	13_2_6CF61A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF57490	13_2_6CF57490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0C460	13_2_6CF0C460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF55590	13_2_6CF55590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0B540	13_2_6CF0B540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0D525	13_2_6CF0D525
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF61640	13_2_6CF61640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEE3620	13_2_6CEE3620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0A790	13_2_6CF0A790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF3F732	13_2_6CF3F732
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF26730	13_2_6CF26730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF63710	13_2_6CF63710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF010D0	13_2_6CF010D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF03090	13_2_6CF03090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF1E040	13_2_6CF1E040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF16040	13_2_6CF16040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEE3000	13_2_6CEE3000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF061A0	13_2_6CF061A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF0C100	13_2_6CF0C100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF55100	13_2_6CF55100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CEE92E0	13_2_6CEE92E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF56240	13_2_6CF56240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEF7DD0	17_2_6CEF7DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0AD00	17_2_6CF0AD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEEBE4F	17_2_6CEEBE4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF1CE40	17_2_6CF1CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF08E10	17_2_6CF08E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF37FB0	17_2_6CF37FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF56FB0	17_2_6CF56FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEF5820	17_2_6CEF5820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEF0830	17_2_6CEF0830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF52940	17_2_6CF52940
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0BAB0	17_2_6CF0BAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0CA70	17_2_6CF0CA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEECA60	17_2_6CEECA60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF61A00	17_2_6CF61A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF57490	17_2_6CF57490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0C460	17_2_6CF0C460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF55590	17_2_6CF55590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0B540	17_2_6CF0B540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0D525	17_2_6CF0D525
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF61640	17_2_6CF61640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEE3620	17_2_6CEE3620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0A790	17_2_6CF0A790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF3F732	17_2_6CF3F732
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF26730	17_2_6CF26730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF63710	17_2_6CF63710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF010D0	17_2_6CF010D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF03090	17_2_6CF03090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF1E040	17_2_6CF1E040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF16040	17_2_6CF16040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEE3000	17_2_6CEE3000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF061A0	17_2_6CF061A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF0C100	17_2_6CF0C100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF55100	17_2_6CF55100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CEE92E0	17_2_6CEE92E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF56240	17_2_6CF56240

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D1D7450 appears 687 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CEEF4D0 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CF14FD0 appears 922 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D1D4FD0 appears 461 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CF17450 appears 1374 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CEE2F90 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CF150A0 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CF13620 appears 32 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 840

Source: iK9pj4aPIU.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: classification engine

Classification label: mal48.mine.winDLL@35/0@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D224310 GetLastError,FormatMessageA,fprintf,LocalFree,

3_2_6D224310

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2952:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7e5fc8c4-0319-464e-b65e-f047036d7275

Jump to behavior

Source: iK9pj4aPIU.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarCreate

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 840
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 812
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",_cgo_dummy_export
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellSpell
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 844
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarRecognize
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarDestroy	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarFreeRec	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",_cgo_dummy_export	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellSpell	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellInit	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellFree	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SignalInitializeCrashReporting	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",GetInstallDetailsPayload	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarRecognize	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: iK9pj4aPIU.dll

Static PE information: Image base 0x6d8c0000 > 0x60000000

Source: iK9pj4aPIU.dll

Static file information: File size 1198080 > 1048576

Source: iK9pj4aPIU.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D1A13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6D1A13E0

Source: iK9pj4aPIU.dll

Static PE information: real checksum: 0x125242 should be: 0x12517a

Source: iK9pj4aPIU.dll

Static PE information: section name: .eh_fram

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D296FBD push cs; ret	3_2_6D296FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D2959F2 push es; iretd	3_2_6D295A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D2976AA push ebx; iretd	3_2_6D2979EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D299120 push esp; iretd	3_2_6D29918F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C38F4F push es; ret	4_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C3B510 push esp; ret	4_2_04C3B98A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04C38F3B push es; ret	4_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04C3A49A push cs; ret	11_2_04C3A4B1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04C3AF6A push es; ret	11_2_04C3B08A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CFD6FBD push cs; ret	13_2_6CFD6FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CFD59F2 push es; iretd	13_2_6CFD5A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CFD76AA push ebx; iretd	13_2_6CFD79EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CFD9120 push esp; iretd	13_2_6CFD918F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C38F4F push es; ret	14_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C38F3B push es; ret	14_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C80ED4 push 732236DAh; ret	14_2_04C80EE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04C80F17 push 732236DAh; ret	14_2_04C80EE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C3A483 push 0004C303h; ret	15_2_04C3A58A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C3A997 push es; retf	15_2_04C3A999
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04C3AEFC push es; ret	15_2_04C3B08A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CFD6FBD push cs; ret	17_2_6CFD6FC5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CFD59F2 push es; iretd	17_2_6CFD5A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CFD76AA push ebx; iretd	17_2_6CFD79EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CFD9120 push esp; iretd	17_2_6CFD918F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04C38F4B push es; ret	18_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04C3B50F pushad ; iretd	18_2_04C3B511
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_04C38F34 push es; ret	18_2_04C38F4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_0443A972 push edx; iretd	20_2_0443A973
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_044803C4 pushfd ; retf	20_2_044803D3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04C38F4F push es; ret	21_2_04C38F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04C38F3B push es; ret	21_2_04C38F4A

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D200F80 rdtscp

3_2_6D200F80

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.3 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: rundll32.exe, 00000012.00000002.1548712859.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: rundll32.exe, 00000017.00000002.1548984276.0000000002B6A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: rundll32.exe, 00000004.00000002.1445793275.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
Source: rundll32.exe, 0000000E.00000002.1533763667.0000000002CEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: rundll32.exe, 00000015.00000002.1548518911.0000000002F3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: rundll32.exe, 0000000F.00000002.1535277386.0000000002A7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: loaddll32.exe, 00000000.00000002.1551245452.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
Source: rundll32.exe, 00000003.00000002.1445708441.000000000284A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: rundll32.exe, 0000000B.00000002.1471024831.0000000002EAA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1500995544.00000000034CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.1540552760.000000000333A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000002.1536951191.000000000041A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000002.1549786205.000000000293A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1550313048.0000000002C5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D200F80 rdtscp

3_2_6D200F80

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D1A13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6D1A13E0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D223710 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,memset,IsBadReadPtr,realloc,SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,memcpy,SetLastError,SetLastError,SetLastError,SetLastError,

3_2_6D223710

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D224AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	3_2_6D224AE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D224ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	3_2_6D224ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF64AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	13_2_6CF64AE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_6CF64ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	13_2_6CF64ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF64AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	17_2_6CF64AE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_6CF64ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	17_2_6CF64ADC

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D224A30 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_6D224A30

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Rundll32	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
iK9pj4aPIU.dll	3%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544818
Start date and time:	2024-10-29 19:28:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	iK9pj4aPIU.dll renamed because original name is a hash value
Original Sample Name:	c4fa313465383c60f92c1018c825c98dd25860891996f1f6993ad080c63b194a.dll
Detection:	MAL
Classification:	mal48.mine.winDLL@35/0@0/0
EGA Information:	Successful, ratio: 20%
HCA Information:	Successful, ratio: 55% Number of executed functions: 6 Number of non-executed functions: 103
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target loaddll32.exe, PID 6780 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 1240 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 2768 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 2976 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 3276 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 344 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 4268 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 4568 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 4932 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 5420 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 5792 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 768 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: iK9pj4aPIU.dll

Simulations

Behavior and APIs

Time	Type	Description
14:30:07	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.27139769337339
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	iK9pj4aPIU.dll
File size:	1'198'080 bytes
MD5:	1fc765a87c062b0c11bb9043679efa7c
SHA1:	dfe08757e7d81b23ee66bdcdda451acb58f47435
SHA256:	c4fa313465383c60f92c1018c825c98dd25860891996f1f6993ad080c63b194a
SHA512:	35f5ba81d411d68444d741ed461db85e61a594d8c5aff3e92994cc9a0b069a0f18bef1c4d493eebc9bfa5082025d8f114b9d61a9f354a386629a9cea0f636325
SSDEEP:	24576:+BmqgQfLJEgFIdQFqPS+Q4Zz5wIHDSfqdj4P3j:+/4Fvvcz
TLSH:	A0452800FD8784F1E50B2672996B62AF3734AE054F319BC7FA54B679F6732E11832285
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....L...D...F...........`.....m................................BR....@... ......................@..-..

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x6d8c1380
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x6d8c0000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x6d944bc0, 0x6d944b70
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	a4a784e5029279463818b31167e8f38b

Entrypoint Preview

Instruction
sub esp, 1Ch
mov dword ptr [6DA23550h], 00000000h
mov edx, dword ptr [esp+24h]
cmp edx, 01h
je 00007F1A10744E1Ch
mov ecx, dword ptr [esp+28h]
mov eax, dword ptr [esp+20h]
call 00007F1A10744C82h
add esp, 1Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
mov dword ptr [esp+0Ch], edx
call 00007F1A107C847Ch
mov edx, dword ptr [esp+0Ch]
jmp 00007F1A10744DD9h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 6D9DF000h
mov dword ptr [esp+04h], eax
call 00007F1A107C92DEh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 6D94D000h
call dword ptr [6DA25224h]
sub esp, 04h
test eax, eax
je 00007F1A10744E75h
mov ebx, eax
mov dword ptr [esp], 6D94D000h
call dword ptr [6DA2526Ch]
mov edi, dword ptr [6DA2522Ch]
sub esp, 04h
mov dword ptr [6DA23584h], eax
mov dword ptr [esp+04h], 6D94D013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 6D94D029h
mov dword ptr [esp], ebx
call edi
mov dword ptr [6D946000h], eax
sub esp, 08h
test esi, esi
je 00007F1A10744E13h
mov dword ptr [esp+00h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x164000	0x12d	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x165000	0xb94	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x168000	0x72d8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x11c670	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1651d0	0x194	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x84a98	0x84c00	ca34ea513a495a8b3a727f2b168c7cb6	False	0.4715215248352166	data	6.285711054160198	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x86000	0x60c8	0x6200	d4796ddf31d3fad8388188e8fefdaa2b	False	0.42247289540816324	data	4.417894764166673	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x8d000	0x8fa40	0x8fc00	0844e26ecf7ea58c81b4ceb36d32e4a1	False	0.4364639945652174	data	5.590873116966232	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram	0x11d000	0x1274	0x1400	7e0c196a5297fcb1314a2ce26d210985	False	0.3359375	data	4.556527782531458	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x11f000	0x4459c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x164000	0x12d	0x200	413e4b4248816189509f7ffe80d08073	False	0.458984375	data	3.4189467598340144	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x165000	0xb94	0xc00	e1ea2a2551376701992ead81eecc63e4	False	0.3958333333333333	data	5.069558373921308	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x166000	0x2c	0x200	51289c22ed2d6bf0af49e9f6ae9824ce	False	0.0546875	data	0.2069200177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x167000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x168000	0x72d8	0x7400	221b02b192b6347cc842883c5d87bcc2	False	0.6956155711206896	data	6.638607337537364	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetModuleHandleA, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadLocale, GetTickCount, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, PostQueuedCompletionStatus, QueryPerformanceCounter, RaiseFailFastException, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TerminateProcess, TlsAlloc, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WriteConsoleW, WriteFile, lstrlenA

msvcrt.dll

_amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, _wcsnicmp, abort, bsearch, calloc, fprintf, free, fwrite, malloc, mbstowcs, memcpy, memset, qsort, realloc, strcmp, strlen, strncmp, strtol, vfprintf, wcstombs

Exports

Name	Ordinal	Address
BarCreate	1	0x6d942db0
BarDestroy	2	0x6d943030
BarFreeRec	3	0x6d942fe0
BarRecognize	4	0x6d942f90
GetInstallDetailsPayload	5	0x6d942ef0
SignalInitializeCrashReporting	6	0x6d942f40
SpellFree	7	0x6d942e00
SpellInit	8	0x6d942e50
SpellSpell	9	0x6d942ea0
_cgo_dummy_export	10	0x6da23588

Target ID:	0
Start time:	14:29:56
Start date:	29/10/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll"
Imagebase:	0x1a0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:29:56
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:29:56
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",#1
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:29:56
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarCreate
Imagebase:	0x770000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:29:56
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",#1
Imagebase:	0x770000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:29:57
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 840
Imagebase:	0xcf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:29:57
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 812
Imagebase:	0xcf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:29:59
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarDestroy
Imagebase:	0x770000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:30:02
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\iK9pj4aPIU.dll,BarFreeRec
Imagebase:	0x770000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:30:05
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarCreate
Imagebase:	0x770000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:30:05
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarDestroy
Imagebase:	0x770000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:30:05
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarFreeRec
Imagebase:	0x770000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	14:30:05
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",_cgo_dummy_export
Imagebase:	0x770000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	14:30:06
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellSpell
Imagebase:	0x770000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	14:30:06
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 844
Imagebase:	0xcf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	14:30:06
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellInit
Imagebase:	0x770000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	14:30:06
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SpellFree
Imagebase:	0x770000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	14:30:06
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",SignalInitializeCrashReporting
Imagebase:	0x770000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	14:30:06
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",GetInstallDetailsPayload
Imagebase:	0x770000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	14:30:07
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\iK9pj4aPIU.dll",BarRecognize
Imagebase:	0x770000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Executed Functions

Function 6D224790 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_beginthread.MSVCRT ref: 6D2247B6
_errno.MSVCRT ref: 6D2247C1
_errno.MSVCRT ref: 6D2247C8
fprintf.MSVCRT ref: 6D2247E8
abort.MSVCRT ref: 6D2247ED
Sleep.KERNEL32 ref: 6D224806

Strings

runtime: failed to create new OS thread (%d), xrefs: 6D2247D9

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: _errno$Sleep_beginthreadabortfprintf
String ID: runtime: failed to create new OS thread (%d)
API String ID: 1261927973-3231778263
Opcode ID: 52916197085231f8d0d9f9ed2d63c255ff69cc7b96089901b95c1ecaa6e3e826
Instruction ID: 71a2626faf3a2ddb643f018275516b4ab23bede49c983ad06059fbf194f05853
Opcode Fuzzy Hash: 52916197085231f8d0d9f9ed2d63c255ff69cc7b96089901b95c1ecaa6e3e826
Instruction Fuzzy Hash: 540181B54593199FC7007F68D88862EBBF8FF8A765F42891EF58843211D7719480DB63

Function 6D201D40 Relevance: 1.3, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 6D201D68

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction ID: 7cbd48408f559f8ddeb9e57a8ee52815cbe0a5c0e9b58af1f7dc7d5eee16bdee
Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction Fuzzy Hash: 04E0C2715056008FCB15DF18C2C1316BBE1EB48A00F0485A8DE098B74AD734ED10DA92

Non-executed Functions

Function 6D223710 Relevance: 33.8, APIs: 17, Strings: 2, Instructions: 564
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32 ref: 6D2237CC
GetProcessHeap.KERNEL32 ref: 6D22382D
HeapAlloc.KERNEL32 ref: 6D223846
memcpy.MSVCRT ref: 6D223912
memset.MSVCRT ref: 6D2239A9
IsBadReadPtr.KERNEL32 ref: 6D223A0F
realloc.MSVCRT ref: 6D223A5E
SetLastError.KERNEL32 ref: 6D223B19
SetLastError.KERNEL32 ref: 6D223B39

Strings

?, xrefs: 6D22371A
@, xrefs: 6D223833

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: ErrorHeapLast$AllocInfoNativeProcessReadSystemmemcpymemsetrealloc
String ID: ?$@
API String ID: 2257136212-1463999369
Opcode ID: 63a94ed43a11d97522cf58a0725933c1208876011394870bf26e6469c0f3bfa5
Instruction ID: 7e00e52953771c59e728ab145be52e3336586a0ad233948bc67618805bee0eaa
Opcode Fuzzy Hash: 63a94ed43a11d97522cf58a0725933c1208876011394870bf26e6469c0f3bfa5
Instruction Fuzzy Hash: 4D4203B064870A9FD710DF29C584B6AFBF0BF88354F04892DE99987710E774E894CB82

Function 6D1B5820 Relevance: 19.8, Strings: 15, Instructions: 1007
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= , xrefs: 6D1B58EA
@s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-0, xrefs: 6D1B6136
gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintmapbindfile, xrefs: 6D1B6109
, xrefs: 6D1B5ED9
MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 6D1B684B
MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException , xrefs: 6D1B67E1
failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 6D1B6A79
gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foun, xrefs: 6D1B6A8F
non-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - d, xrefs: 6D1B6A63
ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32, xrefs: 6D1B635B
+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+1, xrefs: 6D1B6313, 6D1B65D0
5, xrefs: 6D1B6A6C
., xrefs: 6D1B606D
/]+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT, xrefs: 6D1B6595
ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm, xrefs: 6D1B6721

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID: $ @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-0$ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException $ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm$+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+1$.$/]+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT$5$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintmapbindfile$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foun$gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= $non-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - d
API String ID: 0-4142148823
Opcode ID: 0a8b5d3f68d75c7fda7e3cb2e7ce4f53392754b63f5fe1a91ea045d780601251
Instruction ID: 080dffbf0cbd037f98e7d46313fef29eb7d1d6a382fc353d1e998abbf75ea6d5
Opcode Fuzzy Hash: 0a8b5d3f68d75c7fda7e3cb2e7ce4f53392754b63f5fe1a91ea045d780601251
Instruction Fuzzy Hash: 7EB215B860D3458FD764DF28C194B9BBBF5FB89308F02892ED98987355D7B0A844CB52

Function 6D1C8E10 Relevance: 16.9, Strings: 13, Instructions: 645
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc, xrefs: 6D1C9103
runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 6D1C971E
, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:, xrefs: 6D1C974B
bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D1C91D8, 6D1C999E
runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D1C90B0, 6D1C94E9
] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep, xrefs: 6D1C9550
runtime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQueryServiceStatusGetCompu, xrefs: 6D1C91A1
, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by ProcessPrngMoveFileExWNetShar, xrefs: 6D1C960D
, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structCommonCopySidWSARecvWSASendconnectconsole\\.\UNCforcegcallocmWcpuprofalloc, xrefs: 6D1C96BE
][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CET, xrefs: 6D1C90DA, 6D1C9523
, [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+1, xrefs: 6D1C912D, 6D1C9157, 6D1C957A, 6D1C95A4
, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64TuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptrno anodeCancelIoReadFileAcceptExWSAIoctlshutdownnil PoolscavengepollDes, xrefs: 6D1C963A
runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard TimeSA Western Standard , xrefs: 6D1C9691

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID: , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+1$, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structCommonCopySidWSARecvWSASendconnectconsole\\.\UNCforcegcallocmWcpuprofalloc$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64TuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptrno anodeCancelIoReadFileAcceptExWSAIoctlshutdownnil PoolscavengepollDes$, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:$, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by ProcessPrngMoveFileExWNetShar$] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep$] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc$][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CET$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon$runtime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQueryServiceStatusGetCompu$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard TimeSA Western Standard $runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-1009071329
Opcode ID: 7a1c683c69e479531c64bf5a80f8fabc401a7dd1e627f80ff9731d3b356895cf
Instruction ID: 553c6f4d6cf5fedd1c10a0d2c59064a0a10060d1b69cf50a86897040802c2406
Opcode Fuzzy Hash: 7a1c683c69e479531c64bf5a80f8fabc401a7dd1e627f80ff9731d3b356895cf
Instruction Fuzzy Hash: FB525775A0C7498FD360DF68C59075AB7F1BF89708F42892DEA9887349D7B4A844CB83

Function 6D1C3090 Relevance: 14.6, Strings: 11, Instructions: 823COMMON

Download Yara Rule

Strings

sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileEx, xrefs: 6D1C3975, 6D1C3D1F
mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D1C399F, 6D1C3D49
nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlLazyMouseFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dlld.nx != 0prof, xrefs: 6D1C3A3E
mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdea, xrefs: 6D1C3D7D
mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 6D1C3D9C
swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D1C3922
sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executionattempte, xrefs: 6D1C390C
mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 6D1C39D3
, xrefs: 6D1C3ACF
previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 6D1C3A68
sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevrunt, xrefs: 6D1C3AC6

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID: $ mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlLazyMouseFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dlld.nx != 0prof$ previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$ sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileEx$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdea$mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1$sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevrunt$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executionattempte$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-2340954961
Opcode ID: 258201fdc7c37b0080a945a4326ef822da66d88ecdece5a9d19ab45d6f058ba5
Instruction ID: a94082db0fd9055943679b149f310f73dda00e20e2e5cf6f0ee14a5f179882c3
Opcode Fuzzy Hash: 258201fdc7c37b0080a945a4326ef822da66d88ecdece5a9d19ab45d6f058ba5
Instruction Fuzzy Hash: 878233B460C3958FC351DF24C08076ABBE1BF99308F41896DE9D88B399D7B89949CB53

Function 6D1A13E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6D1A13F0
LoadLibraryA.KERNEL32 ref: 6D1A1406
GetProcAddress.KERNEL32 ref: 6D1A1425
GetProcAddress.KERNEL32 ref: 6D1A1437

Strings

__deregister_frame_info, xrefs: 6D1A142C
__register_frame_info, xrefs: 6D1A141A
libgcc_s_dw2-1.dll, xrefs: 6D1A13E9, 6D1A13FF

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 0b6a7a37c9bef7e946c7b164327f40f4bad7dbfaea56d837f72fb309234985fd
Instruction ID: 4932cec10b1b583184c10a5dda417640914ae21982906e0edea64020a85a95d1
Opcode Fuzzy Hash: 0b6a7a37c9bef7e946c7b164327f40f4bad7dbfaea56d837f72fb309234985fd
Instruction Fuzzy Hash: 6C015EB9849208ABCB007F79950972EBFB8AF82355F05452EE88897219D7705444CBD3

Function 6D1ABE4F Relevance: 12.0, Strings: 9, Instructions: 703COMMON

Download Yara Rule

Strings

mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential, xrefs: 6D1AC7B0
malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no , xrefs: 6D1AC79A
mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 6D1AC76E
unexpected malloc header in delayed zeroing of large objectmanual span allocation called with non-manually-managed typeaddr range base and limit are not in the same memory segmentruntime: netpoll: PostQueuedCompletionStatus failed (errno= runtime: GetQueuedCom, xrefs: 6D1AC714
malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated spanp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not found, xrefs: 6D1AC784
4, xrefs: 6D1AC777
delayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablecgo argument has Go pointer to unpinned Go pointerruntime: unabl, xrefs: 6D1AC72A
2, xrefs: 6D1AC7B9
!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 6D1AC219

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$2$4$delayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablecgo argument has Go pointer to unpinned Go pointerruntime: unabl$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no $malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated spanp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not found$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $unexpected malloc header in delayed zeroing of large objectmanual span allocation called with non-manually-managed typeaddr range base and limit are not in the same memory segmentruntime: netpoll: PostQueuedCompletionStatus failed (errno= runtime: GetQueuedCom
API String ID: 0-4221549744
Opcode ID: c1a094237a3124c03cd8c803139ebc1d27694e3c57b8d06262b0578bf77b68d1
Instruction ID: 990da442576d59b10e9ab5dc5975b9c02095afb64cda234f5a34cf265ca514c3
Opcode Fuzzy Hash: c1a094237a3124c03cd8c803139ebc1d27694e3c57b8d06262b0578bf77b68d1
Instruction Fuzzy Hash: D552BE796483458FC304CF69C09072ABBF2BF89318F09896DE9958B396D7B5D845CF82

Function 6D224AE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6D224B2F
UnhandledExceptionFilter.KERNEL32 ref: 6D224B3F
GetCurrentProcess.KERNEL32 ref: 6D224B48
TerminateProcess.KERNEL32 ref: 6D224B59
abort.MSVCRT ref: 6D224B62

Strings

40m, xrefs: 6D224B38

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID: 40m
API String ID: 520269711-3833095980
Opcode ID: 3ebc24188eac44bbf07247b04ed2f867bc0f3cf8cf2179486a67ff1e9bb0a981
Instruction ID: 956020c850dc0780b15ca6da76af12bdc34f74c9cf269e9be6551138e0bd9949
Opcode Fuzzy Hash: 3ebc24188eac44bbf07247b04ed2f867bc0f3cf8cf2179486a67ff1e9bb0a981
Instruction Fuzzy Hash: 411116B1805305AFCB00EF69C548B6EBBF8BB49344F40852EE8488B300E3759944CF82

Function 6D224ADC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6D224B2F
UnhandledExceptionFilter.KERNEL32 ref: 6D224B3F
GetCurrentProcess.KERNEL32 ref: 6D224B48
TerminateProcess.KERNEL32 ref: 6D224B59
abort.MSVCRT ref: 6D224B62

Strings

40m, xrefs: 6D224B38

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID: 40m
API String ID: 520269711-3833095980
Opcode ID: f99684be6f8e64d476b3adbcf92470c87ef2d1e4e8dbe7ec9303b4e21c0520d1
Instruction ID: 1fdfcd6e71494e9ee86b8c4966ff2add058fad6e7e6ccec31892446ecb695096
Opcode Fuzzy Hash: f99684be6f8e64d476b3adbcf92470c87ef2d1e4e8dbe7ec9303b4e21c0520d1
Instruction Fuzzy Hash: 2911D7B5805205EFDB00EF79C548B6EBBF8BB06345F01452EE9489B341E7759944CF92

Function 6D212940 Relevance: 10.5, Strings: 7, Instructions: 1779COMMON

Download Yara Rule

Strings

0, xrefs: 6D213724
0, xrefs: 6D213530
0, xrefs: 6D213647
%!Month(avx512bwavx512vlLazyMouseFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dlld.nx != 0profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedcoroutinecopystackinterface ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s, xrefs: 6D2143B9, 6D21469B
0, xrefs: 6D213491
%!Weekday(complex128MessageBoxWbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamecrypt32.dllmswsock.dllsecur32.d, xrefs: 6D213FAA, 6D214275
)./]+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I, xrefs: 6D213FC4, 6D21428F, 6D2143D3, 6D2146B5

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID: %!Month(avx512bwavx512vlLazyMouseFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dlld.nx != 0profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedcoroutinecopystackinterface ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s$%!Weekday(complex128MessageBoxWbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamecrypt32.dllmswsock.dllsecur32.d$)./]+:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I$0$0$0$0
API String ID: 0-3104040810
Opcode ID: 1847f12cda26de98729f3adabd2d5f8a0d838196028322612ce5a18a362aecbc
Instruction ID: 62af7ae926b27a3b21906cc84ff6c6034d22446b5e3e5e89e4e08bd24ae7ead2
Opcode Fuzzy Hash: 1847f12cda26de98729f3adabd2d5f8a0d838196028322612ce5a18a362aecbc
Instruction Fuzzy Hash: 0F03F6B464C3868FC329CF18C49069EFBE1BFC9304F15892EEA9997351D770A945CB92

Function 6D1F7FB0 Relevance: 10.5, Strings: 8, Instructions: 515COMMON

Download Yara Rule

Strings

pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcin, xrefs: 6D1F8681
, xrefs: 6D1F8127
non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard TimeCaucasus Standard , xrefs: 6D1F87B3
fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault an, xrefs: 6D1F8627
:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12, xrefs: 6D1F84EB
, xrefs: 6D1F811F
sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit , xrefs: 6D1F8654
(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12P, xrefs: 6D1F840E

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID: $ $ fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault an$ pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcin$ sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfuncntohsclosedefersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit $(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12P$:(=,-[<{}_M: ??M , [("")) ) @s -> Pn=][}]i)> +"LlLtLuMn\\?\\.\??finptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOFMayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12$non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard TimeCaucasus Standard
API String ID: 0-1565611637
Opcode ID: 6f37cafb80939953a58853a538b308ef16d6aeffa57ce0c400ee730c71e6f3b0
Instruction ID: 75cfa54534d2b57360ba9812966a49f40b7ca23d21ef0afe7f230dc1bdb02435
Opcode Fuzzy Hash: 6f37cafb80939953a58853a538b308ef16d6aeffa57ce0c400ee730c71e6f3b0
Instruction Fuzzy Hash: 1E32D2B460C3818FC365DF25C18079EBBE1AFC9308F45892EE9C987359D7B0A846CB52

Function 6D224310 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6D224314
FormatMessageA.KERNEL32 ref: 6D224359
fprintf.MSVCRT ref: 6D224382
LocalFree.KERNEL32 ref: 6D22438E

Strings

Erro: %s, xrefs: 6D224373

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessagefprintf
String ID: Erro: %s
API String ID: 659079672-2412703935
Opcode ID: eaab6d2c4c9ad059a37e221508fcc6891a464b02e85658f933c6d6ea970e8473
Instruction ID: fd9831d4e3092784d81c8e0868faf0970a7fc1da0741b8ea24344fd1844001b9
Opcode Fuzzy Hash: eaab6d2c4c9ad059a37e221508fcc6891a464b02e85658f933c6d6ea970e8473
Instruction Fuzzy Hash: 33019DB04083059FDB00AF64C08831EBFF4AF88749F40891EE8989A250E7B88249CF93

Function 6D1DCE40 Relevance: 8.6, Strings: 6, Instructions: 1065COMMON

Download Yara Rule

Strings

findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi, xrefs: 6D1DDEEE
findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a, xrefs: 6D1DDEAC
global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsruntime: typeBitsBulkBarrier without typeruntime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out, xrefs: 6D1DDE96
findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceReg, xrefs: 6D1DDEC2
!, xrefs: 6D1DDEE1
findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r, xrefs: 6D1DDED8

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID: !$findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceReg$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsruntime: typeBitsBulkBarrier without typeruntime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out
API String ID: 0-3247796029
Opcode ID: 846fd9bd1a7d4f66e0c07bfba99ace57329ce066216cfd757079ef8a868128c7
Instruction ID: 722327a6b0c268cc47a87877b088b4c14eba063b0df7bb6719bdeb588157ffb8
Opcode Fuzzy Hash: 846fd9bd1a7d4f66e0c07bfba99ace57329ce066216cfd757079ef8a868128c7
Instruction Fuzzy Hash: F9A2DE7860C3419FD764DF68C090B6BBBE1AF8A748F45882DE9D887354E7B5E844CB42

Function 6D224A30 Relevance: 7.6, APIs: 5, Instructions: 55timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 6D224A69
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D1A13B9), ref: 6D224A7A
GetCurrentThreadId.KERNEL32 ref: 6D224A82
GetTickCount.KERNEL32 ref: 6D224A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D1A13B9), ref: 6D224A99

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 33e1cca968189ee507d3d666b322d94dcd3dc67633cfa1d7484dbc3aba6841ec
Instruction ID: 10ad5e60b0bd727825cc22af22340cd6529e8aaa4d31afa8d869e9c78580eac6
Opcode Fuzzy Hash: 33e1cca968189ee507d3d666b322d94dcd3dc67633cfa1d7484dbc3aba6841ec
Instruction Fuzzy Hash: CE115EB65553058FCB00EF79E98866BBBF8FB89659F01093AE444C7300EB35D549CB92

Function 6D1C10D0 Relevance: 5.5, Strings: 4, Instructions: 494COMMON

Download Yara Rule

Strings

runtime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckruntime.gopanicImper, xrefs: 6D1C161C, 6D1C166B
min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from dalTLDpSugct?GetTempPath2WModule32NextW, xrefs: 6D1C1650
min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 6D1C169F
!, xrefs: 6D1C16A8

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from dalTLDpSugct?GetTempPath2WModule32NextW$runtime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckruntime.gopanicImper
API String ID: 0-1474820873
Opcode ID: c6139d928bb7b73d57ab7865e6d2621b5da29b4bf8976006e9ae5fc921aeb8c6
Instruction ID: 5b3c95a272352c1ed08dede30346455d8e94b2b98edce3c4d4a31f7db4dec1af
Opcode Fuzzy Hash: c6139d928bb7b73d57ab7865e6d2621b5da29b4bf8976006e9ae5fc921aeb8c6
Instruction Fuzzy Hash: EEF1057268832A4FD305DE98C4C061EB7E2FBD5348F15893CD9948B389EBB5D885C6C2

Function 6D1D14C0 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

', xrefs: 6D1D1521
PowerRegisterSuspendResumeNotification, xrefs: 6D1D150F
', xrefs: 6D1D1519
powrprof.dll, xrefs: 6D1D14DD

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID: '$'$PowerRegisterSuspendResumeNotification$powrprof.dll
API String ID: 0-4026319467
Opcode ID: 0340ef73d93f6c52f46f8f5da19f6dbe7258b2cb92817119483f35d541eda4c7
Instruction ID: f0e145db5c2ced0fa2dd1570b99bc458958acbe39426847a95738f8ca3f0ff42
Opcode Fuzzy Hash: 0340ef73d93f6c52f46f8f5da19f6dbe7258b2cb92817119483f35d541eda4c7
Instruction Fuzzy Hash: E621BEB49083028FD744DF25C09476ABBF0BB89348F00891EE49987244E7B59688CF92

Function 6D1D6040 Relevance: 4.1, Strings: 3, Instructions: 316COMMON

Download Yara Rule

Strings

', xrefs: 6D1D64E3
invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "permission deniedwrong medium typeno, xrefs: 6D1D64C4
suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function 2006-01-02 15:04:05.999999999 -0700 MSTaddress family not supported by protocolinvalid span in heapArena, xrefs: 6D1D64DA

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "permission deniedwrong medium typeno$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function 2006-01-02 15:04:05.999999999 -0700 MSTaddress family not supported by protocolinvalid span in heapArena
API String ID: 0-536681504
Opcode ID: b61dd4ed3a113b8311b6e47925ae5cc79aff100b9fe9551085f66b4711e3c89c
Instruction ID: e203e29ba986d12e4b2d8e6297e0456709e753e3ef3f081e38d85ed72727ab68
Opcode Fuzzy Hash: b61dd4ed3a113b8311b6e47925ae5cc79aff100b9fe9551085f66b4711e3c89c
Instruction Fuzzy Hash: A5D1327460C3598FC345CF29C09062BBBF1AF8A708F05886DE9D487356D7B5E944CB92

Function 6D1C61A0 Relevance: 3.0, Strings: 2, Instructions: 472COMMON

Download Yara Rule

Strings

grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 6D1C6840
+, xrefs: 6D1C6849

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID: +$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
API String ID: 0-3347251187
Opcode ID: 35611661de46e1707c14a0ba78e4e7c7e4371c28db55721fb67d7a185ee548eb
Instruction ID: d453d6c8702c1e726ef2eb2b1967aef5921c0cc75844bc833dce48ee287bf131
Opcode Fuzzy Hash: 35611661de46e1707c14a0ba78e4e7c7e4371c28db55721fb67d7a185ee548eb
Instruction Fuzzy Hash: 7422EF7460D3458FC354DF69C190B2ABBE1BF99744F05892DE6D887368EBB4D844CB82

Function 6D1CAD00 Relevance: 2.8, Strings: 2, Instructions: 280COMMON

Download Yara Rule

Strings

@, xrefs: 6D1CAF6E
bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D1CB085

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
API String ID: 0-1191861649
Opcode ID: b921d36464c1c595bb35f3dc73ed2f0277454658e8cb1c1228df657854907acf
Instruction ID: 445446b4f4830bc837125b53dacb26e17f72809055a9def0fe5aecfbc8aca4bd
Opcode Fuzzy Hash: b921d36464c1c595bb35f3dc73ed2f0277454658e8cb1c1228df657854907acf
Instruction Fuzzy Hash: 28B1B2756087098FC308CF58C49065AB7F1FFC8318F448A2DE9999B391DB74E956CB82

Function 6D1FF732 Relevance: 2.6, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

, xrefs: 6D1FF758
@, xrefs: 6D1FF75D

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: c7e224ef971673089f086218aa271f4b9ab2f61b61c256d639c2201918dad4a6
Instruction ID: b2130564c2d72218004ac4919fa7c2dc3d47b48a55701d2ee541dce9fbf7951e
Opcode Fuzzy Hash: c7e224ef971673089f086218aa271f4b9ab2f61b61c256d639c2201918dad4a6
Instruction Fuzzy Hash: AD51B114C0CF9B65E6330BBDC4026627B206EB3154B01DB6FFDD6B54B2E7526944FA22

Function 6D1BCB60 Relevance: 2.6, Strings: 2, Instructions: 88COMMON

Download Yara Rule

Strings

gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not , xrefs: 6D1BCC41
,, xrefs: 6D1BCC4A

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not
API String ID: 0-2682900153
Opcode ID: 80bc8ade275a70aa0bb0c1e0a1f44234510a914fc3acc4b94985b8fa84bdd614
Instruction ID: 56ecb4787297dfbd746691e347a40f297f5b11a11c6f0cf394b60bcd18bf9f0e
Opcode Fuzzy Hash: 80bc8ade275a70aa0bb0c1e0a1f44234510a914fc3acc4b94985b8fa84bdd614
Instruction Fuzzy Hash: 8B317C75A497568FC305DF18C480B6AB7E2ABD6218F4985BDCC884F387CB71984ACB81

Function 6D216240 Relevance: 1.9, Strings: 1, Instructions: 607COMMON

Download Yara Rule

Strings

,M3.2.0,M11.1.0RegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateD, xrefs: 6D2163DE

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID: ,M3.2.0,M11.1.0RegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateD
API String ID: 0-4001910974
Opcode ID: f247d683bc78c61a1d7a2f7b4f4c5fa83219c50951ce859f8d89c20aad86b168
Instruction ID: 95027c4eb5aca0636f847d6216371a50703ff5e855a40e14a7b5ccdd1a81182e
Opcode Fuzzy Hash: f247d683bc78c61a1d7a2f7b4f4c5fa83219c50951ce859f8d89c20aad86b168
Instruction Fuzzy Hash: D05216B5A0C3898FD334CF18C59039FBBE1ABC4304F45892DDAD897391EBB599448B92

Function 6D1CCA70 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pagespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: spl, xrefs: 6D1CCDFB

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pagespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: spl
API String ID: 0-3032229779
Opcode ID: 555e9d741e754ad3c37c37e8b8cf4e7cbd78d31c8c9787029ae055c075c3f362
Instruction ID: fc091ed63d754ac50cdd3abe65260f682a2af4d1ee21bf7c62dc25f8448079b6
Opcode Fuzzy Hash: 555e9d741e754ad3c37c37e8b8cf4e7cbd78d31c8c9787029ae055c075c3f362
Instruction Fuzzy Hash: F1B1F37860C3068FC744DF68D08092ABBF2BB99744F469C2DE99487358E7B5ED45CB82

Function 6D215100 Relevance: 1.5, Strings: 1, Instructions: 278COMMON

Download Yara Rule

Strings

;, xrefs: 6D2153EA

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: 385d69fbbf4ba5b58af01c58c04d075f47c44615c24585a5cb77a799fd524f2e
Instruction ID: d037b97b12a5f129e4dd1a95d30ab51f79563d1af48f5cc0fdc2cf4377bcd814
Opcode Fuzzy Hash: 385d69fbbf4ba5b58af01c58c04d075f47c44615c24585a5cb77a799fd524f2e
Instruction Fuzzy Hash: 5EA1A371B083054FC70CDE6DD99131AFAE6ABC8304F49CA3DE588DB7A4E674D9058B86

Function 6D1C9DA0 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

@, xrefs: 6D1C9FCC

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 71ddc7c4984ffa659ee9557bf6bfff626791e51a0ca8961c41b56eb64baaa63b
Instruction ID: 5342eef6c80842a23c26251749d6558f60bef544d90a48bbb46b1d3b0f1af999
Opcode Fuzzy Hash: 71ddc7c4984ffa659ee9557bf6bfff626791e51a0ca8961c41b56eb64baaa63b
Instruction Fuzzy Hash: B39120B5A093459FC344CF28C18061EBBE1FF88748F419A2DE999D7341E778E985CB82

Function 6D217490 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06cd6ce7af86e9afd5437f3589ee1d891dcb8b21400af30b465b000ac12dd44d
Instruction ID: d5ebe26b7dc0b927c117ddb2953cfd12b6da2ec1bbf25e0eebac6cfe2d623d3b
Opcode Fuzzy Hash: 06cd6ce7af86e9afd5437f3589ee1d891dcb8b21400af30b465b000ac12dd44d
Instruction Fuzzy Hash: BD228F71A9C34ACFD325CF69C89075BB7E2BBC5305F55C82CDA8987240EB719949CB82

Function 6D215590 Relevance: .5, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdfda4e835028ba365d8399a1cf429f379635ec427a45447d7e8936b5e2d9571
Instruction ID: f957707eae1b1ed91fa6fa6c57b7ea4db00e4a676a7ec32c073ba52fa686a3c9
Opcode Fuzzy Hash: cdfda4e835028ba365d8399a1cf429f379635ec427a45447d7e8936b5e2d9571
Instruction Fuzzy Hash: 2D129772A487498FC324DE5DCD8025AF7E6BBC4304F55CA3DDA588B354EB70E9098B82

Function 6D1CBAB0 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b64491fea7fef5e2c8c2bd5a49797635cc5666da727c69d676b92a21937a4a9
Instruction ID: 4424063024f5399102dc0ad25d63a86845fde76f2a28bb39c3c7e85f8f05d715
Opcode Fuzzy Hash: 3b64491fea7fef5e2c8c2bd5a49797635cc5666da727c69d676b92a21937a4a9
Instruction Fuzzy Hash: 66E11933B5971A4BD319DDAC88C025EB2D2ABD4354F09863CDD64DB384FAB9D84986C2

Function 6D1CB540 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46577fe8663a4ff9d784e03dcc63dc55a4f13783f2286d98a9be9ae2a7442a1
Instruction ID: 59e8c3bb07691c50d668d92d0a3c53222bbd98e9ab51abd5726af4314845c879
Opcode Fuzzy Hash: f46577fe8663a4ff9d784e03dcc63dc55a4f13783f2286d98a9be9ae2a7442a1
Instruction Fuzzy Hash: D0E1D433E2472507D3149E58CC80249B2D2ABC8670F4EC73DED95AB785EAB4ED5987C2

Function 6D216FB0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57c6ccebcab155edd9b85fbf13f2e17d29f7507ba2f6302b5962daeb60781b4
Instruction ID: cc9ed8eb6b3b627b664aa7a9965b159b9d782be1d96540a66e6142e9ba6489ca
Opcode Fuzzy Hash: c57c6ccebcab155edd9b85fbf13f2e17d29f7507ba2f6302b5962daeb60781b4
Instruction Fuzzy Hash: 6FE1B172E9C36A8BC315CE29C85031FBBE2BBC5700F45C92DEA918B341E7719905CB82

Function 6D1B7DD0 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b43c0ad2f81f83f7887874d6b5688197e6eb04b105c76572f1e3ca5872cd11
Instruction ID: 3dfc6e9bfb427fd44f8bd70862475cbececc79cc2942ba658a087605c097a06b
Opcode Fuzzy Hash: c6b43c0ad2f81f83f7887874d6b5688197e6eb04b105c76572f1e3ca5872cd11
Instruction Fuzzy Hash: ABC1D132B483164FC709DE6CC89061EBBE2ABC8744F49863DE955CB3A5E7B5EC058781

Function 6D1DE040 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc879f4e58b2208f2d94156c5d8a46da20160ead0a8d4a8b13ea3a6e5d1b59e1
Instruction ID: c3d7e5704975ea800eddf1b2ebca5094315bc78c2e2cf37d90b8d9eb87ee0fcd
Opcode Fuzzy Hash: dc879f4e58b2208f2d94156c5d8a46da20160ead0a8d4a8b13ea3a6e5d1b59e1
Instruction Fuzzy Hash: C9F1C17860C3918FC7A4CF29C090B5BFBE2BBC9204F54892DE9D887356DB71A905CB52

Function 6D221A00 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e5a8b9d0da13909470ba4cd4b51630beeef63fa611bc3c7a7edc1a4cbc21c2c
Instruction ID: 51ed064a1526b31d1bb630209c23ea47bc3378e45fc0c4be67bad20db391e67c
Opcode Fuzzy Hash: 5e5a8b9d0da13909470ba4cd4b51630beeef63fa611bc3c7a7edc1a4cbc21c2c
Instruction Fuzzy Hash: DAC1627060432E4FC251CE5EDCC0A6A73D1AB8821DF91866D96448F7C3DA3AF46BD7A4

Function 6D221640 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c304363ddfa0ae9e42ba32a04f5261f497ab41d967aed42d07778073a3030c
Instruction ID: 4549303fb843466004cbe61fa532993ac8a85ab0445b7f2aae47f685eef7521d
Opcode Fuzzy Hash: a2c304363ddfa0ae9e42ba32a04f5261f497ab41d967aed42d07778073a3030c
Instruction Fuzzy Hash: BEC1627060432E4FC251CE5EDCC0A6A73D1AB8821DF91866D9644CF7C3DA3AF46B97A4

Function 6D1CC100 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c73a52c8a68bb0bb7590ea596437560dd16ae423432d64fc403ab478fc393e
Instruction ID: 04a34826e3012e2f1d1ddde1646e985d234baa77abb9f145fa0233165f6ca281
Opcode Fuzzy Hash: 11c73a52c8a68bb0bb7590ea596437560dd16ae423432d64fc403ab478fc393e
Instruction Fuzzy Hash: 0F91787260831A8FC319DE99C4D051EB3E3FBC8344F19873CD9650B385EBB99D098682

Function 6D1CC460 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea820fb3a647f2d33b2968f327260f7a2a08918f975de2968ba78326fc136cd1
Instruction ID: 53b5d5e44c3ecfba946cbb24dd442b5b738ba5cbd91377d36aae98bc06a1986d
Opcode Fuzzy Hash: ea820fb3a647f2d33b2968f327260f7a2a08918f975de2968ba78326fc136cd1
Instruction Fuzzy Hash: 2581053674873A4FD716DDA888D065E7293A7D8318F06863CD9748B3C9EBF99C0582C2

Function 6D1CA790 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5633393e1b0311bba9aaf857d40bc74c153a6db9346244c782ebb14f19d1bc73
Instruction ID: a08d33802a574d77d1ff8e888b1d0bb545aaee3c24aeecc0c0649d2cd97209b1
Opcode Fuzzy Hash: 5633393e1b0311bba9aaf857d40bc74c153a6db9346244c782ebb14f19d1bc73
Instruction Fuzzy Hash: 0991E876B187184BD305DE59CCC0659B3E2BBC8324F49C63CE8A897345E674EE49CB82

Function 6D1A3620 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d96113abebe1a352ddd90bf2e100eb0b25cd4f8467a62c65a6dc1bb3273ac20
Instruction ID: e4aeae1fccddd359752fbae721dc9ebff0141910d1af5a9c1258f5093beaae3e
Opcode Fuzzy Hash: 7d96113abebe1a352ddd90bf2e100eb0b25cd4f8467a62c65a6dc1bb3273ac20
Instruction Fuzzy Hash: A0810AB6A183108FC314DF69D88095AF7E2BFC8748F46892DF988D7315D771D9158B82

Function 6D1C8A50 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 266d35e5876d7e7ee115265a75a3a928d2f5bd5062cff4608d7292cb2dede254
Instruction ID: a96c989afd4712160fd220d57af067f09fc4ef75fbff7f229ce0b327154cc804
Opcode Fuzzy Hash: 266d35e5876d7e7ee115265a75a3a928d2f5bd5062cff4608d7292cb2dede254
Instruction Fuzzy Hash: A491CAB4A093459FC348CF28C080A2ABBE0FF89708F019A6EF99997351D774E945CF42

Function 6D1A3000 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb78ab16ed966bd214bfb83c076cdf847146d44a345b006b0e7450b6642d477
Instruction ID: 8223b59aee48f024aefe28b11e6b3837f260cb516dfb4b420df824fcd7adf4b7
Opcode Fuzzy Hash: 2fb78ab16ed966bd214bfb83c076cdf847146d44a345b006b0e7450b6642d477
Instruction Fuzzy Hash: 9961A87090C3A84AE30D9F6E44A503EFFE15BC9701F444E6EF5E603382DAB49505DBAA

Function 6D1CD525 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0e2073331250fe1a091d64b3b5a9f68f5de42e8ebd5ac5dc53668366fff58b
Instruction ID: 9fc330885b2acf02be5c0fd024e8c1abeb2aff11c0fe9e8dd1d0109954dca0d3
Opcode Fuzzy Hash: 5c0e2073331250fe1a091d64b3b5a9f68f5de42e8ebd5ac5dc53668366fff58b
Instruction Fuzzy Hash: 9D518CB57493229FC318DF65C590A1AB7E0FF88604F058A7CE9999B392D770E845CBC2

Function 6D1ACA60 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97adcb9dec7b2923d73a6527bfa4cc5e6dd4e937b65b09513c3beb8c4b6c5cd
Instruction ID: c574c126cd39d3ab52855fafc1bf53d059a69f7344135f8ba191c89e9933950b
Opcode Fuzzy Hash: e97adcb9dec7b2923d73a6527bfa4cc5e6dd4e937b65b09513c3beb8c4b6c5cd
Instruction Fuzzy Hash: 7441B575908B058FC306DF79C49031AB3E6BFCA384F15872DE94A9B356EB719882C741

Function 6D1B0830 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf8c3afe33371ecc5464c0fbbb2b33b03d1fcd359ae6f52921c452e0bc05aae3
Instruction ID: cec15c394c51b4df82051f5160cb0e1175263ce0c2a13726b899eb32500266dd
Opcode Fuzzy Hash: bf8c3afe33371ecc5464c0fbbb2b33b03d1fcd359ae6f52921c452e0bc05aae3
Instruction Fuzzy Hash: 5B3152B391971D8BD300AF498C40259F7E2BBD0B20F5E8A5ED9A417701DBB0AA15CBC7

Function 6D1A92E0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ee5313586695e8a7d9e889c8c415ae1194a902a71374e7b7451b83445a0fb8
Instruction ID: a6401aef1d4209c601789cfc9414e9703e26c9370c9f87c3961e792b1cf5b951
Opcode Fuzzy Hash: 79ee5313586695e8a7d9e889c8c415ae1194a902a71374e7b7451b83445a0fb8
Instruction Fuzzy Hash: 9B21F2357082058BDB0CCE39D8E022AB7F2AFCA31079AC56CD541CB798DAB5A845CB46

Function 6D1E6730 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0126eb573f590a4232b7ed67ffecab8b8efe7b1a77b7adc5b02bbbb3b33b6d
Instruction ID: 7da92bcb479d62dcb6df465e81d303d006a93a297ee29ba98bd09a13a5ae6a30
Opcode Fuzzy Hash: 4a0126eb573f590a4232b7ed67ffecab8b8efe7b1a77b7adc5b02bbbb3b33b6d
Instruction Fuzzy Hash: 58111BB4740B128FC348DF99C0D4A66B3E1FBCD210B4686BDDA4A8B767C770A811DB85

Function 6D200F80 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0d3196979b106c539d935073089131de11fbbfa87e63284b652b4847e3c9e4
Instruction ID: b745884eea10b78e9f484a38111fbd97ab000e837c0afc7b0398df076d557866
Opcode Fuzzy Hash: ce0d3196979b106c539d935073089131de11fbbfa87e63284b652b4847e3c9e4
Instruction Fuzzy Hash: AFC08CB08AA3565DF341CF288208346BEE09B89300F80C488A14842100C3358180A318

Function 6D224659 Relevance: 21.0, APIs: 9, Strings: 3, Instructions: 49
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 6D22468B
abort.MSVCRT ref: 6D224690
EnterCriticalSection.KERNEL32 ref: 6D2246AF
LeaveCriticalSection.KERNEL32 ref: 6D2246C9
SetEvent.KERNEL32 ref: 6D2246DA
fwrite.MSVCRT ref: 6D224713
abort.MSVCRT ref: 6D224718
EnterCriticalSection.KERNEL32 ref: 6D22472A
LeaveCriticalSection.KERNEL32 ref: 6D224743

Strings

;, xrefs: 6D2246F8
runtime: failed to signal runtime initialization complete., xrefs: 6D22470C
unexpected cgo_bindm on Windows, xrefs: 6D224684

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeaveabortfwrite$Event
String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
API String ID: 3057923235-924395932
Opcode ID: fb1f6a72b3e1d0135074a7bb88121b07a8270cfde828c971ecd33e5400db797e
Instruction ID: 71c8a93393bee4add622cf0fa62ca0ecf4b923396a6aaec2f3fb46ebd18df6c0
Opcode Fuzzy Hash: fb1f6a72b3e1d0135074a7bb88121b07a8270cfde828c971ecd33e5400db797e
Instruction Fuzzy Hash: 6E11A4B54086019FDB04BF78C10E36EBBF4BB46308F42892DE98957205DBB5A599CF93

Function 6D224C80 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6D224D0D

Strings

VirtualProtect failed with code 0x%x, xrefs: 6D224D7A
@, xrefs: 6D224D58
VirtualQuery failed for %d bytes at address %p, xrefs: 6D224DA7
Address %p has no image-section, xrefs: 6D224DBB

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
API String ID: 1804819252-1098444051
Opcode ID: 6c5b1c1ebe161a82dce1d812d99868d8658c86edb8931c8a524fc0ee92d2ec47
Instruction ID: 29b96a4551ea8f30915476de27eec4bc3eace3504684c06a7cdd49ef6cb8c913
Opcode Fuzzy Hash: 6c5b1c1ebe161a82dce1d812d99868d8658c86edb8931c8a524fc0ee92d2ec47
Instruction Fuzzy Hash: 2E4159B6944306AFC700DF69D484A2AFBF8FF99354F41892EE9589B214E330E445CF92

Function 6D2232D0 Relevance: 12.2, APIs: 8, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6D223306
mbstowcs.MSVCRT ref: 6D223335
_wcsnicmp.MSVCRT ref: 6D223392
strtol.MSVCRT ref: 6D2233F2
lstrlenA.KERNEL32 ref: 6D223400
malloc.MSVCRT ref: 6D223469
SetLastError.KERNEL32 ref: 6D223483
free.MSVCRT ref: 6D2234BA

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
String ID:
API String ID: 533997002-0
Opcode ID: 1cd51cec255f1201f08e1b5b3d800989b69c6612293f72099f845800a1d8095e
Instruction ID: ce13be6e74a551d146e03f125cddff4c173fd79a5b4da826404f7da4f17ec526
Opcode Fuzzy Hash: 1cd51cec255f1201f08e1b5b3d800989b69c6612293f72099f845800a1d8095e
Instruction Fuzzy Hash: F2516A76A4831A8FC701DF29D48026AB7E5BBC8304F45897EF998D7210E774DA49CB92

Function 6D224840 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6D22484F
fwrite.MSVCRT ref: 6D22489D
abort.MSVCRT ref: 6D2248A2
free.MSVCRT ref: 6D2248C5

Part of subcall function 6D224790: _beginthread.MSVCRT ref: 6D2247B6
Part of subcall function 6D224790: _errno.MSVCRT ref: 6D2247C1
Part of subcall function 6D224790: _errno.MSVCRT ref: 6D2247C8
Part of subcall function 6D224790: fprintf.MSVCRT ref: 6D2247E8
Part of subcall function 6D224790: abort.MSVCRT ref: 6D2247ED

Strings

runtime/cgo: out of memory in thread_start, xrefs: 6D224896
+, xrefs: 6D224882

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
String ID: +$runtime/cgo: out of memory in thread_start
API String ID: 2633710936-1802439445
Opcode ID: 4b81d57e4039ad5aab58187e958cb9b4529ccfc34e22ae0d3acf395494012fb7
Instruction ID: a8aa6df2aafe78b7b83cb49efa81c06c85f0ada3d652cda304fd7373302ea1b4
Opcode Fuzzy Hash: 4b81d57e4039ad5aab58187e958cb9b4529ccfc34e22ae0d3acf395494012fb7
Instruction Fuzzy Hash: 8821C8745497449FC700EF28D58491ABBF4FF89314F4589ADE9888B325D3759881CF93

Function 6D224490 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 6D2244B2
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D224569), ref: 6D2244CB
fwrite.MSVCRT ref: 6D224500
abort.MSVCRT ref: 6D224505

Strings

=, xrefs: 6D2244E5
runtime: failed to create runtime initialization wait event., xrefs: 6D2244F9

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: CreateCriticalEventInitializeSectionabortfwrite
String ID: =$runtime: failed to create runtime initialization wait event.
API String ID: 2455830200-3519180978
Opcode ID: 4ed9bc4c3b1374c228b49b6bcee2216c9db8c48808f444a3476b62004486ac6e
Instruction ID: 3941f909904104372415c2a32a32d964ae979f6b44a751deacf0132e76be4ca6
Opcode Fuzzy Hash: 4ed9bc4c3b1374c228b49b6bcee2216c9db8c48808f444a3476b62004486ac6e
Instruction Fuzzy Hash: 2EF0ECB0409306AFE700BF68C00932EBAF4BF45749F81885EE89886240EBB99145CF93

Function 6D1A1020 Relevance: 9.1, APIs: 6, Instructions: 112sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6D1A12E0,?,?,?,?,?,?,6D1A13A3), ref: 6D1A1057
_amsg_exit.MSVCRT ref: 6D1A1085

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 13f7e6bc38ad7cc7fd0c55d0dddbc2170e68cf83be0684c1c7b2f073c38ccccd
Instruction ID: 1ce95c424744e183a96cbabec6defd1974a287ce32b9f5f12fa5410a4e7d3b83
Opcode Fuzzy Hash: 13f7e6bc38ad7cc7fd0c55d0dddbc2170e68cf83be0684c1c7b2f073c38ccccd
Instruction Fuzzy Hash: 9C41B3B96082019FE701AF6DC589B2BB7F4FB96348F45C52FD5488B219D7B598C0CB82

Function 6D224D3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6D224D0D
VirtualProtect.KERNEL32 ref: 6D224D67
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D2BCA48), ref: 6D224D74

Part of subcall function 6D225A10: fwrite.MSVCRT ref: 6D225A3F
Part of subcall function 6D225A10: vfprintf.MSVCRT ref: 6D225A5F
Part of subcall function 6D225A10: abort.MSVCRT ref: 6D225A64

Strings

VirtualProtect failed with code 0x%x, xrefs: 6D224D7A
@, xrefs: 6D224D58

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$@
API String ID: 1616349570-2953866262
Opcode ID: 827fe0491ebb36fe174deac7ea12799a612a653cf0a6d03d2b9606508009d8c0
Instruction ID: 1386aadd520838a702714f87c1bac2d140f71fed1280a31e17ff95b647b01603
Opcode Fuzzy Hash: 827fe0491ebb36fe174deac7ea12799a612a653cf0a6d03d2b9606508009d8c0
Instruction Fuzzy Hash: 7C2138B68487069FD700DF28C48462AFBF4BF89359F51CA2EE99897264E370E505CF52

Function 6D2234E0 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

bsearch.MSVCRT ref: 6D22353F
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6D2243CF), ref: 6D22357A
malloc.MSVCRT ref: 6D2235A8
qsort.MSVCRT ref: 6D2235F6

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: ErrorLastbsearchmallocqsort
String ID:
API String ID: 1451747280-0
Opcode ID: 5db7c324eca695a119048bd0e62d539be957ef735f25285435e951a37aa61e6f
Instruction ID: efb8f68bf877a802423e0025dc33ce7455c1cd3ba99579c211014df8bae1a479
Opcode Fuzzy Hash: 5db7c324eca695a119048bd0e62d539be957ef735f25285435e951a37aa61e6f
Instruction Fuzzy Hash: 7B414975A983068FD710DF29C480A6AB7F5FF88315F45892DE88987320E774F858CB92

Function 6D224030 Relevance: 7.6, APIs: 5, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 6D2240D5
SetLastError.KERNEL32 ref: 6D2240F7
SetLastError.KERNEL32 ref: 6D22410B

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: ErrorLast$LocaleThread
String ID:
API String ID: 2451566642-0
Opcode ID: 000ba96234b4572ff8dd31b5388111a0be51e4094f0841957ebf056698be7c50
Instruction ID: b84b408fc5bc7eb00f12da5c07eef6e179d373495982ff24b2b7804f498f8160
Opcode Fuzzy Hash: 000ba96234b4572ff8dd31b5388111a0be51e4094f0841957ebf056698be7c50
Instruction Fuzzy Hash: 9D21D570654209CBD700DF38C844A66B7F4BF9A314F048A29F9A5CB390EB35E946CB52

Function 6D2258B0 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6D2258C9
_unlock.MSVCRT ref: 6D2258F1
calloc.MSVCRT ref: 6D22593F

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
Instruction ID: ea55085b6d1284cc31c7e7e14cd75d6ca3c5f370a510690b9f4891b263e41044
Opcode Fuzzy Hash: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
Instruction Fuzzy Hash: ED114F7059824A8BD7009F28C48077A7BE4FF49364F95C669F498CF289DB74D444CB92

Function 6D2245C0 Relevance: 7.5, APIs: 5, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 6D2245F0
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D222DB9), ref: 6D2245FC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D222DB9), ref: 6D22460E
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D222DB9), ref: 6D22461E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D222DB9), ref: 6D224630

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ObjectSingleWait
String ID:
API String ID: 1755037574-0
Opcode ID: eeaa1592941efd8e0048c1bec29e9ce34df19c85e82473885f6bac1e6a6ea125
Instruction ID: a768010b14515a27d2defbc560ccd19de290b74d75bd69c13a1263d9e56b20bc
Opcode Fuzzy Hash: eeaa1592941efd8e0048c1bec29e9ce34df19c85e82473885f6bac1e6a6ea125
Instruction Fuzzy Hash: B7015EB55143099BDB04BF79D58AA2ABBB8AF5B314F01052EE89447240D730E859CFA3

Function 6D225A10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6D225A3F
vfprintf.MSVCRT ref: 6D225A5F
abort.MSVCRT ref: 6D225A64

Strings

Mingw-w64 runtime failure:, xrefs: 6D225A38

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: abortfwritevfprintf
String ID: Mingw-w64 runtime failure:
API String ID: 3176311984-2889761391
Opcode ID: d333e81ddecf3d0a4ada27fdd6210463fe9c89b484e8ef6630523fbc8b0de3f6
Instruction ID: 246a7c2d80e44385d97ede813985322c8e6ff55d3cf0c4eec0948c152fbbd64e
Opcode Fuzzy Hash: d333e81ddecf3d0a4ada27fdd6210463fe9c89b484e8ef6630523fbc8b0de3f6
Instruction Fuzzy Hash: 3AE0C9B048D3089EC300AF68C08522EBAF4BF84358F82C92CE5C847245C7B89484DF53

Function 6D224DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D1A12A5), ref: 6D224EE9

Strings

Unknown pseudo relocation protocol version %d., xrefs: 6D225044
Unknown pseudo relocation bit size %d., xrefs: 6D224F79

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: f7ca8c7439b2d290c02ca534baccd96d47cba70ae540fd07daa9d7a922ea6764
Instruction ID: ce04d8fbec8687b1fab195587d50b65ac203076edfa75595527a435862955eec
Opcode Fuzzy Hash: f7ca8c7439b2d290c02ca534baccd96d47cba70ae540fd07daa9d7a922ea6764
Instruction Fuzzy Hash: 3E61D775A8421A9FCB00CF6DC4C0A69B7B5FF99368F19C16EE9159B308D371A803DB91

Function 6D2243A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6D224408

Part of subcall function 6D2234E0: bsearch.MSVCRT ref: 6D22353F

fprintf.MSVCRT ref: 6D22443C

Strings

$, xrefs: 6D2243ED

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: bsearchfprintffwrite
String ID: $
API String ID: 1110293247-3993045852
Opcode ID: 956eff3c8c86ca22e69bf4c19cc203bc85e5726ca85ced4cf810e7c1c2047bf2
Instruction ID: 215be72547358ee6a9fa47eb565c11a0a511fae507757a59cb7ceb2409fe6f0d
Opcode Fuzzy Hash: 956eff3c8c86ca22e69bf4c19cc203bc85e5726ca85ced4cf810e7c1c2047bf2
Instruction Fuzzy Hash: 1A0105B58893199BD700AF28944826EFBE4BB48758F02882EF9C997200E3B5D580CF53

Function 6D223630 Relevance: 5.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 6D223652
free.MSVCRT ref: 6D223692
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,6D223BBA), ref: 6D2236BB
HeapFree.KERNEL32 ref: 6D2236D0

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: Heapfree$FreeProcess
String ID:
API String ID: 3425746932-0
Opcode ID: 2b9748b17b89255c3abce06fb8557ee3c4d39c26e78194a028fdf713a6c38a20
Instruction ID: c5f2fc2a71e92cf95a279979e2d066411f1a3c0204d665e63c023d84cd8e220c
Opcode Fuzzy Hash: 2b9748b17b89255c3abce06fb8557ee3c4d39c26e78194a028fdf713a6c38a20
Instruction Fuzzy Hash: 7121D6B5A053029BDB049F25C1C472ABBE9BF84704F55C96CE8898B309D734D885CB96

Function 6D225050 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6D22505E
TlsGetValue.KERNEL32 ref: 6D225085
GetLastError.KERNEL32 ref: 6D22508C
LeaveCriticalSection.KERNEL32 ref: 6D2250AC

Memory Dump Source

Source File: 00000003.00000002.1447064090.000000006D1A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D1A0000, based on PE: true

Associated: 00000003.00000002.1446928163.000000006D1A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447146647.000000006D226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447179380.000000006D227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447208500.000000006D229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D22D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447226625.000000006D295000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447307242.000000006D2BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447324267.000000006D2C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447367022.000000006D2FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447485327.000000006D304000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447519968.000000006D305000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1447546962.000000006D308000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d1a0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: c95bc9de7ce5a7a5a1455a77bd13e81d8b1d60b7d59ac113f9ebcbbad317a815
Instruction ID: 6fe693469e6552b6428e2835e96105ac76261f1efc455b0e811280b3dadedcc2
Opcode Fuzzy Hash: c95bc9de7ce5a7a5a1455a77bd13e81d8b1d60b7d59ac113f9ebcbbad317a815
Instruction Fuzzy Hash: 03F081B59042069BDB00BF78D988A3E7BB8AF49744B05052DED448720DE731A905CBE3

Analysis Process: rundll32.exePID: 4428, Parent PID: 6780COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Executed Functions

Function 6CF64790 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_beginthread.MSVCRT ref: 6CF647B6
_errno.MSVCRT ref: 6CF647C1
_errno.MSVCRT ref: 6CF647C8
fprintf.MSVCRT ref: 6CF647E8
abort.MSVCRT ref: 6CF647ED
Sleep.KERNEL32 ref: 6CF64806

Strings

runtime: failed to create new OS thread (%d), xrefs: 6CF647D9

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: _errno$Sleep_beginthreadabortfprintf
String ID: runtime: failed to create new OS thread (%d)
API String ID: 1261927973-3231778263
Opcode ID: 6b73f055ca90b31b3a0f19224afd5750d3de80b2e614900ea85d9a13bdae0eeb
Instruction ID: 3a242963ec0ee0d66c12a43b6e165f39b9c6a96a0071a0608b5a9d24c8176acc
Opcode Fuzzy Hash: 6b73f055ca90b31b3a0f19224afd5750d3de80b2e614900ea85d9a13bdae0eeb
Instruction Fuzzy Hash: 0B0146B5409310DFC700BF6AD98862EBFB4EF86725F46491EE48993B51C7319484DA63

Function 6CF41D40 Relevance: 1.5, APIs: 1, Instructions: 21
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 6CF41D68

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction ID: a11a2aa19138b7eb724e89f7648a9d852c8bc6e8c26c756f535b138795ddfcaf
Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction Fuzzy Hash: 65E0C2715056008FCB15DF18C2C1306BBE1EB48A00F0485A8DE098BB4AD734ED10CA92

Non-executed Functions

Function 6CF64AE0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6CF64B2F
UnhandledExceptionFilter.KERNEL32 ref: 6CF64B3F
GetCurrentProcess.KERNEL32 ref: 6CF64B48
TerminateProcess.KERNEL32 ref: 6CF64B59
abort.MSVCRT ref: 6CF64B62

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: 93cb8a49a83f7005143caa661c10582e44e6c4020adc2d63e676111444dd7d61
Instruction ID: 475a52072084b51937c099b9de758c1b77abda63701cded62871704071be569b
Opcode Fuzzy Hash: 93cb8a49a83f7005143caa661c10582e44e6c4020adc2d63e676111444dd7d61
Instruction Fuzzy Hash: 9711D4B5905200DFCB40FF69C649B5EBBF0BB8A304F409529E988D7751E7359984CF52

Function 6CF64ADC Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6CF64B2F
UnhandledExceptionFilter.KERNEL32 ref: 6CF64B3F
GetCurrentProcess.KERNEL32 ref: 6CF64B48
TerminateProcess.KERNEL32 ref: 6CF64B59
abort.MSVCRT ref: 6CF64B62

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: ec95cece641ee53a51ad3c8a28d17349c4ebea63bd283f109ab4a25ce09d4293
Instruction ID: 3814724204b81373646164d3b40ad7763806ff7e59c2416c8efd87f4becadf46
Opcode Fuzzy Hash: ec95cece641ee53a51ad3c8a28d17349c4ebea63bd283f109ab4a25ce09d4293
Instruction Fuzzy Hash: A411E2B5905200DFCB40FF6AC749B6DBBF0BB4A304F005529E9989B741E730A8848F82

Function 6CF64659 Relevance: 21.0, APIs: 9, Strings: 3, Instructions: 49
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 6CF6468B
abort.MSVCRT ref: 6CF64690
EnterCriticalSection.KERNEL32 ref: 6CF646AF
LeaveCriticalSection.KERNEL32 ref: 6CF646C9
SetEvent.KERNEL32 ref: 6CF646DA
fwrite.MSVCRT ref: 6CF64713
abort.MSVCRT ref: 6CF64718
EnterCriticalSection.KERNEL32 ref: 6CF6472A
LeaveCriticalSection.KERNEL32 ref: 6CF64743

Strings

unexpected cgo_bindm on Windows, xrefs: 6CF64684
runtime: failed to signal runtime initialization complete., xrefs: 6CF6470C
;, xrefs: 6CF646F8

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeaveabortfwrite$Event
String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
API String ID: 3057923235-924395932
Opcode ID: 2762821f8b0d120ba9213b701174c327a5996a2a9dd988a4de5e2ffa253a0545
Instruction ID: d6e605001a5a011a38349e120e6b4d5908a2c1d2b2f6ee0af3a6af190cfb6f28
Opcode Fuzzy Hash: 2762821f8b0d120ba9213b701174c327a5996a2a9dd988a4de5e2ffa253a0545
Instruction Fuzzy Hash: 4C11C3B5844601CFEB00BFB9C20D76EBAF0BB46304F41992DD88557A21DB75A499CB93

Function 6CF64C80 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6CF64D0D

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 6CF64DA7
@, xrefs: 6CF64D58
VirtualProtect failed with code 0x%x, xrefs: 6CF64D7A
Address %p has no image-section, xrefs: 6CF64DBB

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
API String ID: 1804819252-1098444051
Opcode ID: 41b702ec26f3d65eb7d8418bb5ac320d779b0865776c4e0d8c457b746f626a7b
Instruction ID: a1dce3ec5abf688929490f9f2388233318e5e596577230abbb22caabd5c3f913
Opcode Fuzzy Hash: 41b702ec26f3d65eb7d8418bb5ac320d779b0865776c4e0d8c457b746f626a7b
Instruction Fuzzy Hash: C4418EB6904301DFCB00EF6AD584B5AFBF0FB8A358F558A19D8589BB14E330E444CB92

Function 6CEE13E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6CEE13F0
LoadLibraryA.KERNEL32 ref: 6CEE1406
GetProcAddress.KERNEL32 ref: 6CEE1425
GetProcAddress.KERNEL32 ref: 6CEE1437

Strings

libgcc_s_dw2-1.dll, xrefs: 6CEE13E9, 6CEE13FF
__deregister_frame_info, xrefs: 6CEE142C
__register_frame_info, xrefs: 6CEE141A

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 0398308ffae5e2a08f7cfd6d7055728052fd9ab364939e112b7b25ea8aa40d0c
Instruction ID: 889f96abe727e9f7ae5da5b720531bb467c415426648341248cc80ce21c4665e
Opcode Fuzzy Hash: 0398308ffae5e2a08f7cfd6d7055728052fd9ab364939e112b7b25ea8aa40d0c
Instruction Fuzzy Hash: 430171B6809300ABC7007FBA960A32EBFF4EB4A344F11452DD8D987B15D7309484CB93

Function 6CF632D0 Relevance: 12.2, APIs: 8, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CF63306
mbstowcs.MSVCRT ref: 6CF63335
_wcsnicmp.MSVCRT ref: 6CF63392
strtol.MSVCRT ref: 6CF633F2
lstrlenA.KERNEL32 ref: 6CF63400
malloc.MSVCRT ref: 6CF63469
SetLastError.KERNEL32 ref: 6CF63483
free.MSVCRT ref: 6CF634BA

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
String ID:
API String ID: 533997002-0
Opcode ID: 64751cfac03bef62b4a97da5952e72f564ff33847407c7c2ddb25ef2bb0e7bc1
Instruction ID: e9a4080780b1b4b360c0c667ab5fbcb904f54e310fb3b17d362f453c29d2446c
Opcode Fuzzy Hash: 64751cfac03bef62b4a97da5952e72f564ff33847407c7c2ddb25ef2bb0e7bc1
Instruction Fuzzy Hash: D4518E76A083158FC700DF2AD48026EF7E5FBC8308F55892EE898D7A41E774D949CB92

Function 6CF64840 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6CF6484F
fwrite.MSVCRT ref: 6CF6489D
abort.MSVCRT ref: 6CF648A2
free.MSVCRT ref: 6CF648C5

Part of subcall function 6CF64790: _beginthread.MSVCRT ref: 6CF647B6
Part of subcall function 6CF64790: _errno.MSVCRT ref: 6CF647C1
Part of subcall function 6CF64790: _errno.MSVCRT ref: 6CF647C8
Part of subcall function 6CF64790: fprintf.MSVCRT ref: 6CF647E8
Part of subcall function 6CF64790: abort.MSVCRT ref: 6CF647ED

Strings

runtime/cgo: out of memory in thread_start, xrefs: 6CF64896
+, xrefs: 6CF64882

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
String ID: +$runtime/cgo: out of memory in thread_start
API String ID: 2633710936-1802439445
Opcode ID: b9ea4e978864e87119ac9672f8e88bc6719dedf676f75939525b1a04ffc15b9b
Instruction ID: 6caac0c0e3970fb5af3a8caca95fb1c01f536c2ad3060e0348a79d7638cb678e
Opcode Fuzzy Hash: b9ea4e978864e87119ac9672f8e88bc6719dedf676f75939525b1a04ffc15b9b
Instruction Fuzzy Hash: 3021E3B4904740CFC700EF29D59591ABBF0FF8A304F45899DE9889BB26D3359844CB92

Function 6CF64490 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 6CF644B2
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CF64569), ref: 6CF644CB
fwrite.MSVCRT ref: 6CF64500
abort.MSVCRT ref: 6CF64505

Strings

runtime: failed to create runtime initialization wait event., xrefs: 6CF644F9
=, xrefs: 6CF644E5

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: CreateCriticalEventInitializeSectionabortfwrite
String ID: =$runtime: failed to create runtime initialization wait event.
API String ID: 2455830200-3519180978
Opcode ID: c9e81f26f7eed0340ac08fe8fd557a4d56e18608c347a1aa746256a59f9f85ff
Instruction ID: fe2f3717976ba685c0ce61ef7383b248215248aa25a9c539f52d402db3438fdc
Opcode Fuzzy Hash: c9e81f26f7eed0340ac08fe8fd557a4d56e18608c347a1aa746256a59f9f85ff
Instruction Fuzzy Hash: 37F0C9B0405301DFE700BF69C51936EBEF0BB46304F95885DD8D987651DB7A90888F53

Function 6CEE1020 Relevance: 9.1, APIs: 6, Instructions: 112sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6CEE12E0,?,?,?,?,?,?,6CEE13A3), ref: 6CEE1057
_amsg_exit.MSVCRT ref: 6CEE1085

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: cfbe760964819a02de6ee75009fe39cc140bf3637e3a8d02c4958ca2af06d2fb
Instruction ID: 3ced5b958cd25065fa3c83378f3d41b3819bbd01d69d61bd74cdf3a6f7beacd7
Opcode Fuzzy Hash: cfbe760964819a02de6ee75009fe39cc140bf3637e3a8d02c4958ca2af06d2fb
Instruction Fuzzy Hash: 9441B9B1609240CBE700AF99D585B5E77F0EB8E388F60852DD4588BB06D731D8C1DB82

Function 6CF64D3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6CF64D0D
VirtualProtect.KERNEL32 ref: 6CF64D67
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CFFCA48), ref: 6CF64D74

Part of subcall function 6CF65A10: fwrite.MSVCRT ref: 6CF65A3F
Part of subcall function 6CF65A10: vfprintf.MSVCRT ref: 6CF65A5F
Part of subcall function 6CF65A10: abort.MSVCRT ref: 6CF65A64

Strings

@, xrefs: 6CF64D58
VirtualProtect failed with code 0x%x, xrefs: 6CF64D7A

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$@
API String ID: 1616349570-2953866262
Opcode ID: 5402ab8a7a615db016683616c57a360ace7a2d73968f33de7cad841cbee40fa5
Instruction ID: bce9cc57c91703ff0b8c0da105aed136b82920ad82fbe5fc1e522d3abc1a8392
Opcode Fuzzy Hash: 5402ab8a7a615db016683616c57a360ace7a2d73968f33de7cad841cbee40fa5
Instruction Fuzzy Hash: F92135B6804301DFD700EF29D688B5AFBF0BF89318F548A29D99897A15E330E548CF52

Function 6CF64310 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6CF64314
FormatMessageA.KERNEL32 ref: 6CF64359
fprintf.MSVCRT ref: 6CF64382
LocalFree.KERNEL32 ref: 6CF6438E

Strings

Erro: %s, xrefs: 6CF64373

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessagefprintf
String ID: Erro: %s
API String ID: 659079672-2412703935
Opcode ID: f9d8d331b5ee1bcf6ed6fc4efc1a4808ab2092be52dbcda902bf54e634d48dbb
Instruction ID: bfa7cfa35df0bf5d5fee65903e368032d16afcbcf7d9406031f076d6b95da849
Opcode Fuzzy Hash: f9d8d331b5ee1bcf6ed6fc4efc1a4808ab2092be52dbcda902bf54e634d48dbb
Instruction Fuzzy Hash: 5B019DB4808301DFDB00EF65C18971EBFF0AB89349F00891DE8D89B650E77981888F93

Function 6CF634E0 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

bsearch.MSVCRT ref: 6CF6353F
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CF643CF), ref: 6CF6357A
malloc.MSVCRT ref: 6CF635A8
qsort.MSVCRT ref: 6CF635F6

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: ErrorLastbsearchmallocqsort
String ID:
API String ID: 1451747280-0
Opcode ID: 38377a1da80c09bce9a85e801da6b084d1f1bd749dcdad281f51aaf0ca1fa171
Instruction ID: f26670c30b450c4ba113faec3a4c947adae8dc81c40e34c3976909739aaecb86
Opcode Fuzzy Hash: 38377a1da80c09bce9a85e801da6b084d1f1bd749dcdad281f51aaf0ca1fa171
Instruction Fuzzy Hash: 05414E75A083018FD710DF6AC580A2BB7F5FF89314F15892DE88987B61E774E858CB92

Function 6CF64030 Relevance: 7.6, APIs: 5, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 6CF640D5
SetLastError.KERNEL32 ref: 6CF640F7
SetLastError.KERNEL32 ref: 6CF6410B

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: ErrorLast$LocaleThread
String ID:
API String ID: 2451566642-0
Opcode ID: a90821d39d7a72e56669430f09a0ecfb99c01ed1ac51d93ad0e834a040a5c597
Instruction ID: 1d03d30b0fdaf62fefc0acc28ec1b74fc8084bc8358e809881b0c46bfc1a99c7
Opcode Fuzzy Hash: a90821d39d7a72e56669430f09a0ecfb99c01ed1ac51d93ad0e834a040a5c597
Instruction Fuzzy Hash: 5721A771604200CBD700FF3AC954A577BF5AF86318F158629D5A5CB790DB35E849CB52

Function 6CF658B0 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6CF658C9
_unlock.MSVCRT ref: 6CF658F1
calloc.MSVCRT ref: 6CF6593F

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
Instruction ID: 7691d97f5f91d579102f610846f34377d47129c9cc0af9ba2c001fd293e8ae52
Opcode Fuzzy Hash: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
Instruction Fuzzy Hash: 84114C716052018BE7009F3AC48075ABBE4FF45368F548669D898EBF86DB34D448CB52

Function 6CF64A30 Relevance: 7.6, APIs: 5, Instructions: 55timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 6CF64A69
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CEE13B9), ref: 6CF64A7A
GetCurrentThreadId.KERNEL32 ref: 6CF64A82
GetTickCount.KERNEL32 ref: 6CF64A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CEE13B9), ref: 6CF64A99

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 8fe020463de34f9542d205e16a5368e66fb40199f23b8eb5ceefb64d75914cd0
Instruction ID: 2f250829174552d8027344997280554ae0b9caff45439584854057cfe9e9fbce
Opcode Fuzzy Hash: 8fe020463de34f9542d205e16a5368e66fb40199f23b8eb5ceefb64d75914cd0
Instruction Fuzzy Hash: 461154B6A153019FCB00FF79D64865BBBF0FB86254F01093AE584C7600E735D4488792

Function 6CF645C0 Relevance: 7.5, APIs: 5, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 6CF645F0
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CF62DB9), ref: 6CF645FC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CF62DB9), ref: 6CF6460E
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CF62DB9), ref: 6CF6461E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CF62DB9), ref: 6CF64630

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ObjectSingleWait
String ID:
API String ID: 1755037574-0
Opcode ID: 78748068ea10d9eafa65d10cb7d8f07a6c0ac0a646fe4351f4022458e673809d
Instruction ID: 556979191127fdafabb0c40c23d8cad694efa33735c2b42703e298df5034875e
Opcode Fuzzy Hash: 78748068ea10d9eafa65d10cb7d8f07a6c0ac0a646fe4351f4022458e673809d
Instruction Fuzzy Hash: 1C015EB5584345CBDA00FF7AD689A1ABFB4AB4B314F015539D89047650D730E899CB93

Function 6CF65A10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6CF65A3F
vfprintf.MSVCRT ref: 6CF65A5F
abort.MSVCRT ref: 6CF65A64

Strings

Mingw-w64 runtime failure:, xrefs: 6CF65A38

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: abortfwritevfprintf
String ID: Mingw-w64 runtime failure:
API String ID: 3176311984-2889761391
Opcode ID: 6876c871cb5e7cb27f08cafb7ba5b6fe099c694f1a74285055e83bce556fa33b
Instruction ID: 14418d36131cfffc333de9b61b2358f527b39033e59d633e19f85489a694cb7d
Opcode Fuzzy Hash: 6876c871cb5e7cb27f08cafb7ba5b6fe099c694f1a74285055e83bce556fa33b
Instruction Fuzzy Hash: 17E0C2B040D3049EC300AFAAC08529EBAF8AF89348F518A1CD4C967F52C7788489CF53

Function 6CF64DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CEE12A5), ref: 6CF64EE9

Strings

Unknown pseudo relocation bit size %d., xrefs: 6CF64F79
Unknown pseudo relocation protocol version %d., xrefs: 6CF65044

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 6a166c4007158375500418aed179768707d48938279ae6fddf1ac9b89df925c0
Instruction ID: c377d5967d049b422ef1c1110a33fd74bc40ccb9f1eeabfa810f9dd44c18469c
Opcode Fuzzy Hash: 6a166c4007158375500418aed179768707d48938279ae6fddf1ac9b89df925c0
Instruction Fuzzy Hash: 25612432E002118FCB14EF6EC5E0699BBB6FB89318F148529D8259BF15D331F946CB81

Function 6CF643A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6CF64408

Part of subcall function 6CF634E0: bsearch.MSVCRT ref: 6CF6353F

fprintf.MSVCRT ref: 6CF6443C

Strings

$, xrefs: 6CF643ED

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: bsearchfprintffwrite
String ID: $
API String ID: 1110293247-3993045852
Opcode ID: 3d4d9c32c4c903d40badae40a302c2d73fe35bbf79b159c397cd8fded46930f5
Instruction ID: 7d7e8cfc35df49e991e88c2fdfec433ded6b9a806593d6c1c1ee9d29698881ad
Opcode Fuzzy Hash: 3d4d9c32c4c903d40badae40a302c2d73fe35bbf79b159c397cd8fded46930f5
Instruction Fuzzy Hash: CA0113B58093109FD700BF2A954A25EFFE0AF49318F15882EE8C987B01E77A8444CF63

Function 6CF63630 Relevance: 5.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 6CF63652
free.MSVCRT ref: 6CF63692
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,6CF63BBA), ref: 6CF636BB
HeapFree.KERNEL32 ref: 6CF636D0

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: Heapfree$FreeProcess
String ID:
API String ID: 3425746932-0
Opcode ID: fc8adf6489cbbc1a95524f8110a47ffd1938bde530b92ebd56617f37df227bae
Instruction ID: f6e54fc77d910bc3b6e21a94101043dbceb71bf8c8cd9fcdf95b3b48d8462b5d
Opcode Fuzzy Hash: fc8adf6489cbbc1a95524f8110a47ffd1938bde530b92ebd56617f37df227bae
Instruction Fuzzy Hash: D521E9B5A057018BDB00AF26C1C8B1ABBF0BF84714F15C96CDC898BB0AD735D849CB91

Function 6CF65050 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6CF6505E
TlsGetValue.KERNEL32 ref: 6CF65085
GetLastError.KERNEL32 ref: 6CF6508C
LeaveCriticalSection.KERNEL32 ref: 6CF650AC

Memory Dump Source

Source File: 0000000D.00000002.1552686262.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 0000000D.00000002.1552621562.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552848656.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552901539.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1552958194.000000006CF69000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553015131.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553218864.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553271054.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553384268.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553431096.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553462543.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.1553502427.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6cee0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 65920d36d4ae2bc3581e318955e7fa86f6592830238459eb3e440fa50d2853b7
Instruction ID: 3f352e6dccff8a7c09c81c9ec4c8e9870653793db2f89835341bcd9b085d2aa0
Opcode Fuzzy Hash: 65920d36d4ae2bc3581e318955e7fa86f6592830238459eb3e440fa50d2853b7
Instruction Fuzzy Hash: C4F081B6904201DBDB00BF799689A1E7BB4BA46304F450528DD855B606E730E845CBE3

Analysis Process: rundll32.exePID: 6200, Parent PID: 6780COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Executed Functions

Function 6CF64790 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_beginthread.MSVCRT ref: 6CF647B6
_errno.MSVCRT ref: 6CF647C1
_errno.MSVCRT ref: 6CF647C8
fprintf.MSVCRT ref: 6CF647E8
abort.MSVCRT ref: 6CF647ED
Sleep.KERNEL32 ref: 6CF64806

Strings

runtime: failed to create new OS thread (%d), xrefs: 6CF647D9

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: _errno$Sleep_beginthreadabortfprintf
String ID: runtime: failed to create new OS thread (%d)
API String ID: 1261927973-3231778263
Opcode ID: 6b73f055ca90b31b3a0f19224afd5750d3de80b2e614900ea85d9a13bdae0eeb
Instruction ID: 3a242963ec0ee0d66c12a43b6e165f39b9c6a96a0071a0608b5a9d24c8176acc
Opcode Fuzzy Hash: 6b73f055ca90b31b3a0f19224afd5750d3de80b2e614900ea85d9a13bdae0eeb
Instruction Fuzzy Hash: 0B0146B5409310DFC700BF6AD98862EBFB4EF86725F46491EE48993B51C7319484DA63

Function 6CF41D40 Relevance: 1.3, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 6CF41D68

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction ID: a11a2aa19138b7eb724e89f7648a9d852c8bc6e8c26c756f535b138795ddfcaf
Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
Instruction Fuzzy Hash: 65E0C2715056008FCB15DF18C2C1306BBE1EB48A00F0485A8DE098BB4AD734ED10CA92

Non-executed Functions

Function 6CF64AE0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6CF64B2F
UnhandledExceptionFilter.KERNEL32 ref: 6CF64B3F
GetCurrentProcess.KERNEL32 ref: 6CF64B48
TerminateProcess.KERNEL32 ref: 6CF64B59
abort.MSVCRT ref: 6CF64B62

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: 93cb8a49a83f7005143caa661c10582e44e6c4020adc2d63e676111444dd7d61
Instruction ID: 475a52072084b51937c099b9de758c1b77abda63701cded62871704071be569b
Opcode Fuzzy Hash: 93cb8a49a83f7005143caa661c10582e44e6c4020adc2d63e676111444dd7d61
Instruction Fuzzy Hash: 9711D4B5905200DFCB40FF69C649B5EBBF0BB8A304F409529E988D7751E7359984CF52

Function 6CF64ADC Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6CF64B2F
UnhandledExceptionFilter.KERNEL32 ref: 6CF64B3F
GetCurrentProcess.KERNEL32 ref: 6CF64B48
TerminateProcess.KERNEL32 ref: 6CF64B59
abort.MSVCRT ref: 6CF64B62

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: ec95cece641ee53a51ad3c8a28d17349c4ebea63bd283f109ab4a25ce09d4293
Instruction ID: 3814724204b81373646164d3b40ad7763806ff7e59c2416c8efd87f4becadf46
Opcode Fuzzy Hash: ec95cece641ee53a51ad3c8a28d17349c4ebea63bd283f109ab4a25ce09d4293
Instruction Fuzzy Hash: A411E2B5905200DFCB40FF6AC749B6DBBF0BB4A304F005529E9989B741E730A8848F82

Function 6CF64659 Relevance: 21.0, APIs: 9, Strings: 3, Instructions: 49
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 6CF6468B
abort.MSVCRT ref: 6CF64690
EnterCriticalSection.KERNEL32 ref: 6CF646AF
LeaveCriticalSection.KERNEL32 ref: 6CF646C9
SetEvent.KERNEL32 ref: 6CF646DA
fwrite.MSVCRT ref: 6CF64713
abort.MSVCRT ref: 6CF64718
EnterCriticalSection.KERNEL32 ref: 6CF6472A
LeaveCriticalSection.KERNEL32 ref: 6CF64743

Strings

unexpected cgo_bindm on Windows, xrefs: 6CF64684
runtime: failed to signal runtime initialization complete., xrefs: 6CF6470C
;, xrefs: 6CF646F8

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeaveabortfwrite$Event
String ID: ;$runtime: failed to signal runtime initialization complete.$unexpected cgo_bindm on Windows
API String ID: 3057923235-924395932
Opcode ID: 2762821f8b0d120ba9213b701174c327a5996a2a9dd988a4de5e2ffa253a0545
Instruction ID: d6e605001a5a011a38349e120e6b4d5908a2c1d2b2f6ee0af3a6af190cfb6f28
Opcode Fuzzy Hash: 2762821f8b0d120ba9213b701174c327a5996a2a9dd988a4de5e2ffa253a0545
Instruction Fuzzy Hash: 4C11C3B5844601CFEB00BFB9C20D76EBAF0BB46304F41992DD88557A21DB75A499CB93

Function 6CF64C80 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6CF64D0D

Strings

VirtualProtect failed with code 0x%x, xrefs: 6CF64D7A
Address %p has no image-section, xrefs: 6CF64DBB
VirtualQuery failed for %d bytes at address %p, xrefs: 6CF64DA7
@, xrefs: 6CF64D58

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
API String ID: 1804819252-1098444051
Opcode ID: 41b702ec26f3d65eb7d8418bb5ac320d779b0865776c4e0d8c457b746f626a7b
Instruction ID: a1dce3ec5abf688929490f9f2388233318e5e596577230abbb22caabd5c3f913
Opcode Fuzzy Hash: 41b702ec26f3d65eb7d8418bb5ac320d779b0865776c4e0d8c457b746f626a7b
Instruction Fuzzy Hash: C4418EB6904301DFCB00EF6AD584B5AFBF0FB8A358F558A19D8589BB14E330E444CB92

Function 6CEE13E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6CEE13F0
LoadLibraryA.KERNEL32 ref: 6CEE1406
GetProcAddress.KERNEL32 ref: 6CEE1425
GetProcAddress.KERNEL32 ref: 6CEE1437

Strings

__register_frame_info, xrefs: 6CEE141A
__deregister_frame_info, xrefs: 6CEE142C
libgcc_s_dw2-1.dll, xrefs: 6CEE13E9, 6CEE13FF

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 0398308ffae5e2a08f7cfd6d7055728052fd9ab364939e112b7b25ea8aa40d0c
Instruction ID: 889f96abe727e9f7ae5da5b720531bb467c415426648341248cc80ce21c4665e
Opcode Fuzzy Hash: 0398308ffae5e2a08f7cfd6d7055728052fd9ab364939e112b7b25ea8aa40d0c
Instruction Fuzzy Hash: 430171B6809300ABC7007FBA960A32EBFF4EB4A344F11452DD8D987B15D7309484CB93

Function 6CF632D0 Relevance: 12.2, APIs: 8, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6CF63306
mbstowcs.MSVCRT ref: 6CF63335
_wcsnicmp.MSVCRT ref: 6CF63392
strtol.MSVCRT ref: 6CF633F2
lstrlenA.KERNEL32 ref: 6CF63400
malloc.MSVCRT ref: 6CF63469
SetLastError.KERNEL32 ref: 6CF63483
free.MSVCRT ref: 6CF634BA

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: ErrorLast_wcsnicmpfreelstrlenmallocmbstowcsstrlenstrtol
String ID:
API String ID: 533997002-0
Opcode ID: 64751cfac03bef62b4a97da5952e72f564ff33847407c7c2ddb25ef2bb0e7bc1
Instruction ID: e9a4080780b1b4b360c0c667ab5fbcb904f54e310fb3b17d362f453c29d2446c
Opcode Fuzzy Hash: 64751cfac03bef62b4a97da5952e72f564ff33847407c7c2ddb25ef2bb0e7bc1
Instruction Fuzzy Hash: D4518E76A083158FC700DF2AD48026EF7E5FBC8308F55892EE898D7A41E774D949CB92

Function 6CF64840 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6CF6484F
fwrite.MSVCRT ref: 6CF6489D
abort.MSVCRT ref: 6CF648A2
free.MSVCRT ref: 6CF648C5

Part of subcall function 6CF64790: _beginthread.MSVCRT ref: 6CF647B6
Part of subcall function 6CF64790: _errno.MSVCRT ref: 6CF647C1
Part of subcall function 6CF64790: _errno.MSVCRT ref: 6CF647C8
Part of subcall function 6CF64790: fprintf.MSVCRT ref: 6CF647E8
Part of subcall function 6CF64790: abort.MSVCRT ref: 6CF647ED

Strings

+, xrefs: 6CF64882
runtime/cgo: out of memory in thread_start, xrefs: 6CF64896

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: _errnoabort$_beginthreadfprintffreefwritemalloc
String ID: +$runtime/cgo: out of memory in thread_start
API String ID: 2633710936-1802439445
Opcode ID: b9ea4e978864e87119ac9672f8e88bc6719dedf676f75939525b1a04ffc15b9b
Instruction ID: 6caac0c0e3970fb5af3a8caca95fb1c01f536c2ad3060e0348a79d7638cb678e
Opcode Fuzzy Hash: b9ea4e978864e87119ac9672f8e88bc6719dedf676f75939525b1a04ffc15b9b
Instruction Fuzzy Hash: 3021E3B4904740CFC700EF29D59591ABBF0FF8A304F45899DE9889BB26D3359844CB92

Function 6CF64490 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 6CF644B2
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CF64569), ref: 6CF644CB
fwrite.MSVCRT ref: 6CF64500
abort.MSVCRT ref: 6CF64505

Strings

=, xrefs: 6CF644E5
runtime: failed to create runtime initialization wait event., xrefs: 6CF644F9

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: CreateCriticalEventInitializeSectionabortfwrite
String ID: =$runtime: failed to create runtime initialization wait event.
API String ID: 2455830200-3519180978
Opcode ID: c9e81f26f7eed0340ac08fe8fd557a4d56e18608c347a1aa746256a59f9f85ff
Instruction ID: fe2f3717976ba685c0ce61ef7383b248215248aa25a9c539f52d402db3438fdc
Opcode Fuzzy Hash: c9e81f26f7eed0340ac08fe8fd557a4d56e18608c347a1aa746256a59f9f85ff
Instruction Fuzzy Hash: 37F0C9B0405301DFE700BF69C51936EBEF0BB46304F95885DD8D987651DB7A90888F53

Function 6CEE1020 Relevance: 9.1, APIs: 6, Instructions: 112sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6CEE12E0,?,?,?,?,?,?,6CEE13A3), ref: 6CEE1057
_amsg_exit.MSVCRT ref: 6CEE1085

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: cfbe760964819a02de6ee75009fe39cc140bf3637e3a8d02c4958ca2af06d2fb
Instruction ID: 3ced5b958cd25065fa3c83378f3d41b3819bbd01d69d61bd74cdf3a6f7beacd7
Opcode Fuzzy Hash: cfbe760964819a02de6ee75009fe39cc140bf3637e3a8d02c4958ca2af06d2fb
Instruction Fuzzy Hash: 9441B9B1609240CBE700AF99D585B5E77F0EB8E388F60852DD4588BB06D731D8C1DB82

Function 6CF64D3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6CF64D0D
VirtualProtect.KERNEL32 ref: 6CF64D67
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CFFCA48), ref: 6CF64D74

Part of subcall function 6CF65A10: fwrite.MSVCRT ref: 6CF65A3F
Part of subcall function 6CF65A10: vfprintf.MSVCRT ref: 6CF65A5F
Part of subcall function 6CF65A10: abort.MSVCRT ref: 6CF65A64

Strings

VirtualProtect failed with code 0x%x, xrefs: 6CF64D7A
@, xrefs: 6CF64D58

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$@
API String ID: 1616349570-2953866262
Opcode ID: 5402ab8a7a615db016683616c57a360ace7a2d73968f33de7cad841cbee40fa5
Instruction ID: bce9cc57c91703ff0b8c0da105aed136b82920ad82fbe5fc1e522d3abc1a8392
Opcode Fuzzy Hash: 5402ab8a7a615db016683616c57a360ace7a2d73968f33de7cad841cbee40fa5
Instruction Fuzzy Hash: F92135B6804301DFD700EF29D688B5AFBF0BF89318F548A29D99897A15E330E548CF52

Function 6CF64310 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6CF64314
FormatMessageA.KERNEL32 ref: 6CF64359
fprintf.MSVCRT ref: 6CF64382
LocalFree.KERNEL32 ref: 6CF6438E

Strings

Erro: %s, xrefs: 6CF64373

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessagefprintf
String ID: Erro: %s
API String ID: 659079672-2412703935
Opcode ID: f9d8d331b5ee1bcf6ed6fc4efc1a4808ab2092be52dbcda902bf54e634d48dbb
Instruction ID: bfa7cfa35df0bf5d5fee65903e368032d16afcbcf7d9406031f076d6b95da849
Opcode Fuzzy Hash: f9d8d331b5ee1bcf6ed6fc4efc1a4808ab2092be52dbcda902bf54e634d48dbb
Instruction Fuzzy Hash: 5B019DB4808301DFDB00EF65C18971EBFF0AB89349F00891DE8D89B650E77981888F93

Function 6CF634E0 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

bsearch.MSVCRT ref: 6CF6353F
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CF643CF), ref: 6CF6357A
malloc.MSVCRT ref: 6CF635A8
qsort.MSVCRT ref: 6CF635F6

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: ErrorLastbsearchmallocqsort
String ID:
API String ID: 1451747280-0
Opcode ID: 38377a1da80c09bce9a85e801da6b084d1f1bd749dcdad281f51aaf0ca1fa171
Instruction ID: f26670c30b450c4ba113faec3a4c947adae8dc81c40e34c3976909739aaecb86
Opcode Fuzzy Hash: 38377a1da80c09bce9a85e801da6b084d1f1bd749dcdad281f51aaf0ca1fa171
Instruction Fuzzy Hash: 05414E75A083018FD710DF6AC580A2BB7F5FF89314F15892DE88987B61E774E858CB92

Function 6CF64030 Relevance: 7.6, APIs: 5, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 6CF640D5
SetLastError.KERNEL32 ref: 6CF640F7
SetLastError.KERNEL32 ref: 6CF6410B

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: ErrorLast$LocaleThread
String ID:
API String ID: 2451566642-0
Opcode ID: a90821d39d7a72e56669430f09a0ecfb99c01ed1ac51d93ad0e834a040a5c597
Instruction ID: 1d03d30b0fdaf62fefc0acc28ec1b74fc8084bc8358e809881b0c46bfc1a99c7
Opcode Fuzzy Hash: a90821d39d7a72e56669430f09a0ecfb99c01ed1ac51d93ad0e834a040a5c597
Instruction Fuzzy Hash: 5721A771604200CBD700FF3AC954A577BF5AF86318F158629D5A5CB790DB35E849CB52

Function 6CF658B0 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6CF658C9
_unlock.MSVCRT ref: 6CF658F1
calloc.MSVCRT ref: 6CF6593F

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
Instruction ID: 7691d97f5f91d579102f610846f34377d47129c9cc0af9ba2c001fd293e8ae52
Opcode Fuzzy Hash: abf89457b4ab2571923629326531c7e76d384adab28384de11d3b51bd2a4809e
Instruction Fuzzy Hash: 84114C716052018BE7009F3AC48075ABBE4FF45368F548669D898EBF86DB34D448CB52

Function 6CF64A30 Relevance: 7.6, APIs: 5, Instructions: 55timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 6CF64A69
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CEE13B9), ref: 6CF64A7A
GetCurrentThreadId.KERNEL32 ref: 6CF64A82
GetTickCount.KERNEL32 ref: 6CF64A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CEE13B9), ref: 6CF64A99

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 8fe020463de34f9542d205e16a5368e66fb40199f23b8eb5ceefb64d75914cd0
Instruction ID: 2f250829174552d8027344997280554ae0b9caff45439584854057cfe9e9fbce
Opcode Fuzzy Hash: 8fe020463de34f9542d205e16a5368e66fb40199f23b8eb5ceefb64d75914cd0
Instruction Fuzzy Hash: 461154B6A153019FCB00FF79D64865BBBF0FB86254F01093AE584C7600E735D4488792

Function 6CF645C0 Relevance: 7.5, APIs: 5, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 6CF645F0
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CF62DB9), ref: 6CF645FC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CF62DB9), ref: 6CF6460E
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CF62DB9), ref: 6CF6461E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CF62DB9), ref: 6CF64630

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ObjectSingleWait
String ID:
API String ID: 1755037574-0
Opcode ID: 78748068ea10d9eafa65d10cb7d8f07a6c0ac0a646fe4351f4022458e673809d
Instruction ID: 556979191127fdafabb0c40c23d8cad694efa33735c2b42703e298df5034875e
Opcode Fuzzy Hash: 78748068ea10d9eafa65d10cb7d8f07a6c0ac0a646fe4351f4022458e673809d
Instruction Fuzzy Hash: 1C015EB5584345CBDA00FF7AD689A1ABFB4AB4B314F015539D89047650D730E899CB93

Function 6CF65A10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6CF65A3F
vfprintf.MSVCRT ref: 6CF65A5F
abort.MSVCRT ref: 6CF65A64

Strings

Mingw-w64 runtime failure:, xrefs: 6CF65A38

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: abortfwritevfprintf
String ID: Mingw-w64 runtime failure:
API String ID: 3176311984-2889761391
Opcode ID: 6876c871cb5e7cb27f08cafb7ba5b6fe099c694f1a74285055e83bce556fa33b
Instruction ID: 14418d36131cfffc333de9b61b2358f527b39033e59d633e19f85489a694cb7d
Opcode Fuzzy Hash: 6876c871cb5e7cb27f08cafb7ba5b6fe099c694f1a74285055e83bce556fa33b
Instruction Fuzzy Hash: 17E0C2B040D3049EC300AFAAC08529EBAF8AF89348F518A1CD4C967F52C7788489CF53

Function 6CF64DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CEE12A5), ref: 6CF64EE9

Strings

Unknown pseudo relocation protocol version %d., xrefs: 6CF65044
Unknown pseudo relocation bit size %d., xrefs: 6CF64F79

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 6a166c4007158375500418aed179768707d48938279ae6fddf1ac9b89df925c0
Instruction ID: c377d5967d049b422ef1c1110a33fd74bc40ccb9f1eeabfa810f9dd44c18469c
Opcode Fuzzy Hash: 6a166c4007158375500418aed179768707d48938279ae6fddf1ac9b89df925c0
Instruction Fuzzy Hash: 25612432E002118FCB14EF6EC5E0699BBB6FB89318F148529D8259BF15D331F946CB81

Function 6CF643A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6CF64408

Part of subcall function 6CF634E0: bsearch.MSVCRT ref: 6CF6353F

fprintf.MSVCRT ref: 6CF6443C

Strings

$, xrefs: 6CF643ED

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: bsearchfprintffwrite
String ID: $
API String ID: 1110293247-3993045852
Opcode ID: 3d4d9c32c4c903d40badae40a302c2d73fe35bbf79b159c397cd8fded46930f5
Instruction ID: 7d7e8cfc35df49e991e88c2fdfec433ded6b9a806593d6c1c1ee9d29698881ad
Opcode Fuzzy Hash: 3d4d9c32c4c903d40badae40a302c2d73fe35bbf79b159c397cd8fded46930f5
Instruction Fuzzy Hash: CA0113B58093109FD700BF2A954A25EFFE0AF49318F15882EE8C987B01E77A8444CF63

Function 6CF63630 Relevance: 5.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 6CF63652
free.MSVCRT ref: 6CF63692
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,6CF63BBA), ref: 6CF636BB
HeapFree.KERNEL32 ref: 6CF636D0

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: Heapfree$FreeProcess
String ID:
API String ID: 3425746932-0
Opcode ID: fc8adf6489cbbc1a95524f8110a47ffd1938bde530b92ebd56617f37df227bae
Instruction ID: f6e54fc77d910bc3b6e21a94101043dbceb71bf8c8cd9fcdf95b3b48d8462b5d
Opcode Fuzzy Hash: fc8adf6489cbbc1a95524f8110a47ffd1938bde530b92ebd56617f37df227bae
Instruction Fuzzy Hash: D521E9B5A057018BDB00AF26C1C8B1ABBF0BF84714F15C96CDC898BB0AD735D849CB91

Function 6CF65050 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6CF6505E
TlsGetValue.KERNEL32 ref: 6CF65085
GetLastError.KERNEL32 ref: 6CF6508C
LeaveCriticalSection.KERNEL32 ref: 6CF650AC

Memory Dump Source

Source File: 00000011.00000002.1548981821.000000006CEE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000011.00000002.1548883189.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549197634.000000006CF66000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549273209.000000006CF67000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549358521.000000006CF6B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CF6D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549435394.000000006CFD5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549785487.000000006CFFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D005000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1549881739.000000006D009000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550085129.000000006D03D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550183040.000000006D044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550294565.000000006D045000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000011.00000002.1550375111.000000006D048000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6cee0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 65920d36d4ae2bc3581e318955e7fa86f6592830238459eb3e440fa50d2853b7
Instruction ID: 3f352e6dccff8a7c09c81c9ec4c8e9870653793db2f89835341bcd9b085d2aa0
Opcode Fuzzy Hash: 65920d36d4ae2bc3581e318955e7fa86f6592830238459eb3e440fa50d2853b7
Instruction Fuzzy Hash: C4F081B6904201DBDB00BF799689A1E7BB4BA46304F450528DD855B606E730E845CBE3

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iK9pj4aPIU.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Software Vulnerabilities

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll32.exePID: 6780, Parent PID: 4084

General

Chronological Activities

Analysis Process: conhost.exePID: 2952, Parent PID: 6780

General

Chronological Activities

Analysis Process: cmd.exePID: 5692, Parent PID: 6780

General

Chronological Activities

Analysis Process: rundll32.exePID: 5500, Parent PID: 6780

Windows Analysis Report
iK9pj4aPIU.dll

Function 6D224790 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40
sleepCOMMON

Function 6D201D40 Relevance: 1.3, APIs: 1, Instructions: 21
memoryCOMMON

Function 6D223710 Relevance: 33.8, APIs: 17, Strings: 2, Instructions: 564
memoryCOMMON

Function 6D1B5820 Relevance: 19.8, Strings: 15, Instructions: 1007
COMMON

Function 6D1C8E10 Relevance: 16.9, Strings: 13, Instructions: 645
COMMON