
Windows Analysis Report
nsjrPbpaYZ.dll

Overview

General Information

Sample name: nsjrPbpaYZ.dll (renamed because original name is a hash value)
Original sample name: a8588f81ee1a08eabad98fd33dfcb68f6e43c0ab9e0afefa7edf933e61e6ef8c.dll
Analysis ID: 1544819
MD5: 798c805d2bad90cde892d7fa9a1180c9
SHA1: 66e7e13af3e23e0c72082432d4c841de3a05e149
SHA256: a8588f81ee1a08eabad98fd33dfcb68f6e43c0ab9e0afefa7edf933e61e6ef8c
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7284 cmdline: loaddll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7364 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7400 cmdline: rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 7540 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7400 -s 832 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7384 cmdline: rundll32.exe C:\Users\user\Desktop\nsjrPbpaYZ.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7548 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7384 -s 824 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7616 cmdline: rundll32.exe C:\Users\user\Desktop\nsjrPbpaYZ.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7664 cmdline: rundll32.exe C:\Users\user\Desktop\nsjrPbpaYZ.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7752 cmdline: rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7920 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7752 -s 832 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7780 cmdline: rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7800 cmdline: rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7848 cmdline: rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",_cgo_dummy_export MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7928 cmdline: rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",SpellSpell MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7968 cmdline: rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",SpellInit MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8012 cmdline: rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",SpellFree MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8052 cmdline: rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8092 cmdline: rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8132 cmdline: rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.5% probability

Bitcoin Miner

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2F1830
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF21830
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF21830
Source: nsjrPbpaYZ.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: nsjrPbpaYZ.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax | 4_2_6D2C2CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax | 4_2_6D2C2CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx | 4_2_6D2DCEC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh | 4_2_6D2E9030
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh | 4_2_6D2EA360
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax | 13_2_6CEF2CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax | 13_2_6CEF2CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx | 13_2_6CF0CEC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh | 13_2_6CF19030
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh | 13_2_6CF1A360
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax | 17_2_6CEF2CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], eax | 17_2_6CEF2CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov dword ptr [esp], edx | 17_2_6CF0CEC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ebp, 0Dh | 17_2_6CF19030
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then shr ecx, 0Dh | 17_2_6CF1A360
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2F1A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2F2A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2F1570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2F11F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF22A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF21A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF21570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF211F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF22A90 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF21A70 NtCreateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF21570 NtCreateWaitCompletionPacket, NtAssociateWaitCompletionPacket, NtCancelWaitCompletionPacket, RtlGetCurrentPeb, RtlGetVersion
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF211F0 NtCancelWaitCompletionPacket, NtAssociateWaitCompletionPacket
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D344D20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2EAD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D31BC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D346C20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2C2CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2C2CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2FCF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D352E70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2CBE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D33CEF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D315ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2D59F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D3459D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2ED9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D32A872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2EBB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2CFBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2ECA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2D0AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D318570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D342560
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D3495A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2E3400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D306470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2E1440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D33E740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D346740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2E6630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D31D6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2EC6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2F6010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2ED040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2D80A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2EC080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2C90F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2FA320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D32332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2E93F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D353230
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2FE240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2C32A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D327280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D2EB2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CEF2CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CEF2CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF4BC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF1AD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF6CEF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF45ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CEFBE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF2CF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF5A872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF059F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF1D9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF00AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF1CA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CEFFBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF1BB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF36470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF11440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF13400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF48570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF4D6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF1C6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF16630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF6E740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CEF90F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF080A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF1C080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF1D040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF26010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF1B2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CEF32A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF57280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF2E240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF193F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF2A320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_6CF5332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CEF2CA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CEF2CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF4BC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF1AD50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF6CEF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF45ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CEFBE90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF2CF90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF5A872
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF059F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF1D9C5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF00AF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF1CA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CEFFBC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF1BB10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF36470
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF11440
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF13400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF48570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF4D6E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF1C6D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF16630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF6E740
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CEF90F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF080A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF1C080
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF1D040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF26010
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF1B2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CEF32A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF57280
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF2E240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF193F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF2A320
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_6CF5332F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CF56A90 appears 960 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CF27410 appears 1382 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CF25080 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D2F7410 appears 693 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D326A90 appears 481 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6CF23B30 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7400 -s 832
Source: nsjrPbpaYZ.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: classification engine | Classification label: mal48.mine.winDLL@35/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a2eb5e14-74d9-4f52-b9da-0a8310a0796f
Source: nsjrPbpaYZ.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nsjrPbpaYZ.dll,BarCreate
Source: rundll32.exe | String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: rundll32.exe | String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: rundll32.exe | String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: rundll32.exe | String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: rundll32.exe | String found in binary or memory: brarylfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrun
Source: rundll32.exe | String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: rundll32.exe | String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: rundll32.exe | String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exe | String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exe | String found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exe | String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exe | String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exe | String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exe | String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exe | String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exe | String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: hed/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spa
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: rundll32.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll"
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",#1
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nsjrPbpaYZ.dll,BarCreate
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7400 -s 832
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7384 -s 824
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nsjrPbpaYZ.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nsjrPbpaYZ.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",_cgo_dummy_export
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7752 -s 832
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",SpellSpell
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",SpellInit
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",SpellFree
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",GetInstallDetailsPayload
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",BarRecognize
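The process list above is the sandbox's loaddll32.exe harness walking the DLL's export table and launching one rundll32.exe per export (plus ordinal #1 through cmd.exe); each WerFault.exe child of rundll32.exe records an invocation that crashed, which is expected when an export is called with no arguments and says little about the sample itself. The following Python is an added example, not Joe Sandbox code, that reduces such lines to the parent/child tree, the exports exercised and the crashed PIDs. LINES is a subset of this page's own "Process created" lines; the regexes accept both the separated form used here and the fused form the extracted page has.

```python
"""Added example (not Joe Sandbox code): reduce 'Process created' report lines
to the process tree, the DLL exports the harness exercised, and the PIDs that
crashed into WerFault. LINES are lines copied from this page (a subset)."""
import re
from collections import defaultdict

LINES = [
    r'Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll"',
    r'Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",#1',
    r'Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nsjrPbpaYZ.dll,BarCreate',
    r'Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",#1',
    r'Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7400 -s 832',
    r'Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7384 -s 824',
    r'Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",BarCreate',
    r'Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",_cgo_dummy_export',
    r'Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7752 -s 832',
    r'Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",SpellInit',
    r'Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",BarRecognize',
]

# The separator after the Source cell is optional so the fused form of the
# extracted page ("...loaddll32.exeProcess created: ...") parses as well.
LINE_RE = re.compile(r"Source: (?P<src>.+?)\s*;?\s*Process created: (?P<image>\S+) (?P<cmd>.*)")
EXPORT_RE = re.compile(r'\.dll"?,(?P<export>[#\w]+)')      # ",BarCreate" or ",#1"
WER_PID_RE = re.compile(r"WerFault\.exe -u -p (?P<pid>\d+)")

def parse(lines):
    tree = defaultdict(list)   # parent image -> child images, in report order
    exports = []               # export name (or #ordinal) per rundll32 invocation
    crashed = []               # PIDs handed to WerFault, i.e. processes that crashed
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, image, cmd = m.group("src", "image", "cmd")
        tree[src].append(image)
        e = EXPORT_RE.search(cmd)
        if e and image.lower().endswith("rundll32.exe"):   # skip the cmd.exe wrapper line
            exports.append(e.group("export"))
        w = WER_PID_RE.search(cmd)
        if w:
            crashed.append(int(w.group("pid")))
    return {"tree": dict(tree), "exports": exports, "crashed_pids": crashed}

def summary(lines):
    r = parse(lines)
    distinct = list(dict.fromkeys(r["exports"]))            # order-preserving unique
    return {"exports_exercised": distinct,
            "invocations": len(r["exports"]),
            "crashes": len(r["crashed_pids"]),
            "children_of_harness": len(r["tree"].get(r"C:\Windows\System32\loaddll32.exe", []))}

if __name__ == "__main__":
    for k, v in summary(LINES).items():
        print(f"{k}: {v}")
```

The crash count should be read against the invocation count: here three of the rundll32.exe launches ended in WerFault, and the export names that ran without arguments (SpellInit, BarCreate, GetInstallDetailsPayload and so on) are a cgo export surface, so real behaviour would need the entry point and parameters the dropper actually uses.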
Source: C:\Windows\System32\loaddll32.exe; Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: umpdc.dll
Source: C:\Windows\System32\loaddll32.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: apphelp.dll
Source: nsjrPbpaYZ.dll; Static PE information: Image base 0x6d8c0000 > 0x60000000
Source: nsjrPbpaYZ.dll; Static file information: File size 1368576 > 1048576
Source: nsjrPbpaYZ.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_6D2C13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,4_2_6D2C13E0
Source: nsjrPbpaYZ.dll; Static PE information: real checksum: 0x1538a5 should be: 0x15533d
Source: nsjrPbpaYZ.dll; Static PE information: section name: .eh_fram
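The four static findings above (image base above 0x60000000, the DllCharacteristics bits, a non-standard section name and a checksum that does not match) can be reproduced on any PE with the standard library alone. The Python below is an added example, not Joe Sandbox's code: triage() reads the headers the way the report describes them and recomputes CheckSum with the CheckSumMappedFile arithmetic; build_minimal_pe32() fabricates a headers-only test image that mimics the report's values (base 0x6d8c0000, a .eh_fram section, stored checksum 0x1538a5) so the script runs without the sample. The computed checksum of that toy image naturally differs from the report's 0x15533d, which belongs to the real file; pass the real DLL's bytes to triage() to reproduce that number.

```python
"""Added example (not Joe Sandbox code): standard-library PE header triage for
image base, DllCharacteristics, section names and the PE checksum. The image
produced by build_minimal_pe32() is constructed test data, not the sample."""
import struct

DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x8000: "TERMINAL_SERVER_AWARE"}
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".debug"}

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Same arithmetic as CheckSumMappedFile: add the file as little-endian
    dwords with end-around carry, skipping the CheckSum field itself, fold the
    result to 16 bits and add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset & ~3:          # the field being computed is excluded
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def _coff_offset(data: bytes) -> int:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4

def triage(data: bytes) -> dict:
    coff = _coff_offset(data)
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # ImageBase is 4 bytes at +28 in PE32 and 8 bytes at +24 in PE32+;
    # CheckSum (+0x40) and DllCharacteristics (+0x46) sit at the same offsets in both.
    image_base = (struct.unpack_from("<I", data, opt + 28)[0] if magic == 0x10B
                  else struct.unpack_from("<Q", data, opt + 24)[0])
    stored = struct.unpack_from("<I", data, opt + 0x40)[0]
    flags = struct.unpack_from("<H", data, opt + 0x46)[0]
    sections = [data[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
                for s in range(opt + opt_size, opt + opt_size + 40 * nsections, 40)]
    computed = pe_checksum(data, opt + 0x40)
    return {
        "image_base": image_base,
        "high_image_base": image_base > 0x60000000,
        "dll_characteristics": [n for b, n in sorted(DLL_CHARACTERISTICS.items()) if flags & b],
        "sections": sections,
        "nonstandard_sections": [s for s in sections if s not in STANDARD_SECTIONS],
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_valid": stored == computed,
    }

def patch_checksum(data: bytes) -> bytes:
    """Write the correct CheckSum back, as a linker would have done."""
    field = _coff_offset(data) + 20 + 0x40
    out = bytearray(data)
    struct.pack_into("<I", out, field, pe_checksum(data, field))
    return bytes(out)

def build_minimal_pe32(image_base, dll_chars, section_names, checksum=0) -> bytes:
    """Constructed headers-only PE32 (no code, no exports); test input only."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size = 224                                                     # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 0x40, checksum)
    struct.pack_into("<H", opt, 0x46, dll_chars)
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs

if __name__ == "__main__":
    # Values mirror the report: base 0x6D8C0000, .eh_fram section, wrong stored checksum
    img = build_minimal_pe32(0x6D8C0000, 0x8140, [".text", ".eh_fram"], checksum=0x1538A5)
    for k, v in triage(img).items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
```

Two caveats when weighing these findings: user-mode image loading does not verify CheckSum (Windows only enforces it for drivers and boot-time images), so a mismatch is weak evidence on its own, although a non-zero wrong value commonly means the file was modified after linking; and .eh_fram is GCC's .eh_frame name cut to the PE 8-byte limit, the usual trace of a MinGW link such as a cgo build, rather than a packer's custom section.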
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_01C3AF34 push eax; retf 0_2_01C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_6D335094 pushad ; ret 4_2_6D335095
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_6D33509D pushad ; ret 4_2_6D33509E
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 5_2_05502369 push cs; ret 5_2_0550236A
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_04C3CD49 push cs; retf 11_2_04C3CD67
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_04C3AF63 push eax; retf 11_2_04C3AF61
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_04C3C393 push edx; retf 11_2_04C3C396
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_04C3AF34 push eax; retf 11_2_04C3AF61
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 12_2_0543CD44 pushad ; retf 12_2_0543CD45
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 12_2_0543DC89 push eax; ret 12_2_0543DC9A
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 12_2_054803F2 push 724D7189h; ret 12_2_054803F7
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 13_2_6CF65094 pushad ; ret 13_2_6CF65095
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 13_2_6CF6509D pushad ; ret 13_2_6CF6509E
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 14_2_0503D270 push F4FD9929h; retf 14_2_0503D2C1
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 15_2_04C3C850 push es; retf 15_2_04C3C874
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 15_2_04C3C65B push es; retf 15_2_04C3C874
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 15_2_04C3C876 push es; retf 15_2_04C3C874
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 15_2_04C3AF34 push eax; retf 15_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 17_2_6CF65094 pushad ; ret 17_2_6CF65095
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 17_2_6CF6509D pushad ; ret 17_2_6CF6509E
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 19_2_0503AF34 push eax; retf 19_2_0503AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 21_2_04C3D30B push es; ret 21_2_04C3D336
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 21_2_04C3AF63 push eax; retf 21_2_04C3AF61
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 21_2_04C3AF34 push eax; retf 21_2_04C3AF61
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 22_2_0543AF34 push eax; retf 22_2_0543AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 23_2_04C3C882 push FFFFFF97h; iretd 23_2_04C3C881
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 23_2_04C3AF34 push eax; retf 23_2_04C3AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 23_2_04C3C83E push FFFFFF97h; iretd 23_2_04C3C881
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 24_2_0543AF34 push eax; retf 24_2_0543AF39
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 24_2_0543BF14 push ecx; iretd 24_2_0543C3C2
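The "push ...; ret/retf/iretd" entries above come from a byte-level heuristic: a push immediately followed by a return instruction is the classic call/push/ret obfuscation (the pushed value becomes the return address), but the same byte pairs occur by chance in data and in mid-instruction bytes. Note also where the hits land: 6D335094/6D33509D and 6CF65094/6CF6509D are inside the mapped DLL (process 4's other code-function addresses, such as 4_2_6D2C13E0, share that range), whereas the 04C3xxxx/05xxxxxx addresses are outside the module and so cannot be its own code. The Python below is an added example, not Joe Sandbox's signature, that reimplements the scan and the in-image/out-of-image split. CODE is constructed test input, not bytes of nsjrPbpaYZ.dll; MODULE_BASE is taken from the report's 4_2_6D2C13E0 address and MODULE_SIZE is an assumed round-up of the file size.

```python
"""Added example (not Joe Sandbox code): a byte-pattern scanner for push/return
pairs and a helper that separates hits inside the mapped image from hits
elsewhere. CODE is constructed test data; the module range is an assumption."""
import struct

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PUSH_ONE_BYTE = {0x60: "pushad", 0x06: "push es", 0x0E: "push cs",
                 0x16: "push ss", 0x1E: "push ds"}
RETURNS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}     # forms without an immediate

def scan_push_ret(code: bytes, base: int = 0):
    """Return (address, text, target) for each push directly followed by a
    return. target is the pushed immediate (where the ret will land) for
    push imm32/imm8 and None for register and segment pushes. Bytes that are
    not a push are skipped one at a time: this is a heuristic, not a disassembler."""
    hits, i = [], 0
    while i < len(code):
        op = code[i]
        if op == 0x68 and i + 5 < len(code):               # push imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            text, nxt, target = f"push {imm:08X}h", i + 5, imm
        elif op == 0x6A and i + 2 < len(code):             # push imm8, sign-extended
            imm = struct.unpack_from("<b", code, i + 1)[0] & 0xFFFFFFFF
            text, nxt, target = f"push {imm:08X}h", i + 2, imm
        elif 0x50 <= op <= 0x57 and i + 1 < len(code):     # push r32
            text, nxt, target = f"push {REGS32[op - 0x50]}", i + 1, None
        elif op in PUSH_ONE_BYTE and i + 1 < len(code):    # pushad / push seg
            text, nxt, target = PUSH_ONE_BYTE[op], i + 1, None
        else:
            i += 1
            continue
        if code[nxt] in RETURNS:
            hits.append((base + i, f"{text}; {RETURNS[code[nxt]]}", target))
            i = nxt + 1
        else:
            i += 1
    return hits

def partition_by_module(addresses, module_base, module_size):
    """Split hit addresses into those inside [module_base, module_base+size)
    and those elsewhere (heap, stack, other modules)."""
    inside = [a for a in addresses if module_base <= a < module_base + module_size]
    outside = [a for a in addresses if a not in inside]
    return inside, outside

# Constructed test bytes: one ordinary prologue plus five push/return pairs.
CODE = bytes.fromhex(
    "55 8B EC"             # push ebp; mov ebp, esp   (prologue, not a hit)
    "68 89 71 4D 72 C3"    # push 724D7189h; ret      (the form seen at 12_2_054803F2)
    "90 50 CB"             # nop; push eax; retf
    "60 C3"                # pushad; ret
    "0E CB"                # push cs; retf
    "6A FF C3"             # push -1; ret
    "C3"
)
MODULE_BASE, MODULE_SIZE = 0x6D2C0000, 0x160000            # assumption, see lead-in
# First two are process 4's hits from the report; the third is a process-11
# address reused here only to illustrate an out-of-image hit.
ADDRS = [0x6D335094, 0x6D33509D, 0x04C3AF34]

if __name__ == "__main__":
    for addr, text, target in scan_push_ret(CODE, base=0x1000):
        print(f"{addr:08X}  {text}" + (f"  -> {target:08X}" if target is not None else ""))
    print(partition_by_module(ADDRS, MODULE_BASE, MODULE_SIZE))
```

Hits whose target is a plausible code address inside the image are the ones worth following in a disassembler; for pushad/push cs pairs and for hits outside the module, check whether the bytes are even in an executable region before counting them as obfuscation.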
Source: C:\Windows\System32\loaddll32.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX (14 entries)
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (14 entries)
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (15 entries)
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX (12 entries)
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6D32C0C0 rdtscp 4_2_6D32C0C0
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 1.4 %
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 1.4 %
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 1.4 %
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6D32C0C0 rdtscp 4_2_6D32C0C0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6D2C13E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,4_2_6D2C13E0
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6D356300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,4_2_6D356300
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_6CF86300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,13_2_6CF86300
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_2_6CF86300 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,17_2_6CF86300
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",#1Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6D356250 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,4_2_6D356250
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6D2F1C90 RtlGetVersion,RtlGetCurrentPeb,4_2_6D2F1C90
MITRE ATT&CK matrix (one row per cell position; a number in parentheses is the count of matching signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (11) | Virtualization/Sandbox Evasion (11) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (1) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (11) | LSASS Memory | Security Software Discovery (2) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information (1) | Security Account Manager | Virtualization/Sandbox Evasion (11) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (3) | NTDS | System Information Discovery (3) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Rundll32 (1) | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Behavior Graph (ID: 1544819, Sample: nsjrPbpaYZ.dll, Start date: 29/10/2024, Architecture: WINDOWS, Score: 48)

Start -> signature: AI detected suspicious sample
Start -> loaddll32.exe
  loaddll32.exe -> rundll32.exe
    rundll32.exe -> signature: Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
    rundll32.exe -> WerFault.exe
  loaddll32.exe -> cmd.exe
    cmd.exe -> rundll32.exe
      rundll32.exe -> WerFault.exe
  loaddll32.exe -> rundll32.exe
    rundll32.exe -> WerFault.exe
  loaddll32.exe -> 12 other processes

Source | Detection | Scanner | Label
nsjrPbpaYZ.dll | 5% | ReversingLabs |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.fb-t-msedge.net | 13.107.253.45 | true | false | | unknown
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1544819
    Start date and time:2024-10-29 19:29:20 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 6m 36s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:31
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:nsjrPbpaYZ.dll
    renamed because original name is a hash value
    Original Sample Name:a8588f81ee1a08eabad98fd33dfcb68f6e43c0ab9e0afefa7edf933e61e6ef8c.dll
    Detection:MAL
    Classification:mal48.mine.winDLL@35/0@0/0
    EGA Information:
    • Successful, ratio: 20%
    HCA Information:Failed
    Cookbook Comments:
    • Found application associated with file extension: .dll
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
    • Execution Graph export aborted for target loaddll32.exe, PID 7284 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 7400 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 7616 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 7664 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 7780 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 7800 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 7928 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 7968 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 8012 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 8052 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 8092 because there are no executed functions
    • Execution Graph export aborted for target rundll32.exe, PID 8132 because there are no executed functions
    • Not all processes were analyzed; the report is missing behavior information
    • Report size exceeded maximum capacity and may have missing behavior information.
    • VT rate limit hit for: nsjrPbpaYZ.dll
    Time | Type | Description
    14:30:25 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    s-part-0017.t-0009.fb-t-msedge.net:
    • https://get.hidrive.com/api/ZVDVVnH5/file/fgWacQquUMk6LQc3wqBJEz | malicious | Unknown | 13.107.253.45
    • https://qH.todentu.ru/FcZpLy/#Obritchie@initusa.com | malicious | Unknown | 13.107.253.45
    • securedoc_20241028T070148.html | malicious | Unknown | 13.107.253.45
    • PO-000041522.exe | malicious | FormBook | 13.107.253.45
    • CARDFACTORYAccess Program, Tuesday, October 29, 2024.eml | malicious | HTMLPhisher | 13.107.253.45
    • https://www.google.mx/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=sf_rand_string_mixed(5)FgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Biw.%C2%ADgc%C2%ADrvn%C2%ADm0.%C2%ADza%C2%AD.c%E2%80%8Bo%C2%ADm%2Ffylee%2Fimages%2Fsf_rand_string_mixed(24)/roger.christenson@steptoe-johnson.com | malicious | Unknown | 13.107.253.45
    • https://assets-usa.mkt.dynamics.com/a915fd66-2592-ef11-8a66-00224803a417/digitalassets/standaloneforms/3d7495e3-e695-ef11-8a69-000d3a3501d6 | malicious | Mamba2FA | 13.107.253.45
    • https://docs.google.com/drawings/d/1OzqwiA1nI8GUoiKob_qJY5xL1HmGK6VrRXlYUDuD68w/preview?pli=1JXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrl | malicious | Mamba2FA | 13.107.253.45
    • Jo Smalley shared _Harbour Healthcare Ltd Project_ with you..eml | malicious | HTMLPhisher | 13.107.253.45
    • Jo Smalley shared _Harbour Healthcare Ltd Project_ with you..eml | malicious | HTMLPhisher | 13.107.253.45
    No context
    No context
    No context
    No created / dropped files found
    File type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
    Entropy (8bit):6.271230425445569
    TrID:
    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
    • Generic Win/DOS Executable (2004/3) 0.20%
    • DOS Executable Generic (2002/1) 0.20%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:nsjrPbpaYZ.dll
    File size:1'368'576 bytes
    MD5:798c805d2bad90cde892d7fa9a1180c9
    SHA1:66e7e13af3e23e0c72082432d4c841de3a05e149
    SHA256:a8588f81ee1a08eabad98fd33dfcb68f6e43c0ab9e0afefa7edf933e61e6ef8c
    SHA512:01187a6b884708eaa21320d2e792d65a9edb05ab40f6ad5422108292adae18aff1546697796c309d8266c113ead25d8e236694254f74008891163e5e9d2a21c1
    SSDEEP:24576:WmOp/usPnfLS7e0fTvlyOSmLznUpRC0bXbTnuaZ02nMYm:WQvLtLw5L
    TLSH:5E551800FDC784F1E403263285AB62AB6325AD195F31CBC7FB44BB79FA776950836285
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....d.......H.................m.................................8....@... .........................-..
    Icon Hash:7ae282899bbab082
    Entrypoint:0x6d8c1380
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x6d8c0000
    Subsystem:windows cui
    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
    TLS Callbacks:0x6d9563e0, 0x6d956390
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:1
    File Version Major:6
    File Version Minor:1
    Subsystem Version Major:6
    Subsystem Version Minor:1
    Import Hash:47d9e8363ec498a9360ee0a7da269805
    Instruction
    sub esp, 1Ch
    mov dword ptr [6DA2C730h], 00000000h
    mov edx, dword ptr [esp+24h]
    cmp edx, 01h
    je 00007FC524CBD07Ch
    mov ecx, dword ptr [esp+28h]
    mov eax, dword ptr [esp+20h]
    call 00007FC524CBCEE2h
    add esp, 1Ch
    retn 000Ch
    lea esi, dword ptr [esi+00000000h]
    mov dword ptr [esp+0Ch], edx
    call 00007FC524D51EFCh
    mov edx, dword ptr [esp+0Ch]
    jmp 00007FC524CBD039h
    nop
    sub esp, 1Ch
    mov eax, dword ptr [esp+20h]
    mov dword ptr [esp], 6DA08000h
    mov dword ptr [esp+04h], eax
    call 00007FC524D52D4Eh
    add esp, 1Ch
    ret
    nop
    nop
    nop
    nop
    nop
    push ebp
    mov ebp, esp
    push edi
    push esi
    push ebx
    sub esp, 1Ch
    mov dword ptr [esp], 6D95F000h
    call dword ptr [6DA2E21Ch]
    sub esp, 04h
    test eax, eax
    je 00007FC524CBD0D5h
    mov ebx, eax
    mov dword ptr [esp], 6D95F000h
    call dword ptr [6DA2E264h]
    mov edi, dword ptr [6DA2E224h]
    sub esp, 04h
    mov dword ptr [6DA2C764h], eax
    mov dword ptr [esp+04h], 6D95F013h
    mov dword ptr [esp], ebx
    call edi
    sub esp, 08h
    mov esi, eax
    mov dword ptr [esp+04h], 6D95F029h
    mov dword ptr [esp], ebx
    call edi
    mov dword ptr [6D958000h], eax
    sub esp, 08h
    test esi, esi
    je 00007FC524CBD073h
    mov dword ptr [esp+00h], 00000000h
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x16d000 | 0x12d | .edata
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16e000 | 0xb78 | .idata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x171000 | 0x868c | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x144fb0 | 0x18 | .rdata
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x16e1cc | 0x190 | .idata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x962a8 | 0x96400 | 9f268f0e5afde806d938dac8584964e3 | False | 0.46978018406821964 | data | 6.28246172539859 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .data | 0x98000 | 0x67c8 | 0x6800 | b47c993337da413440a57e7d7c64dc0b | False | 0.42025991586538464 | data | 4.442833777421028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rdata | 0x9f000 | 0xa6380 | 0xa6400 | 34730ae46295c7756a69f9e5824ab5ac | False | 0.4318080357142857 | data | 5.59142855262264 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
    .eh_fram | 0x146000 | 0x1274 | 0x1400 | 85e22b3e84813337ea1a67b904c6bbcd | False | 0.3369140625 | data | 4.565839626312234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
    .bss | 0x148000 | 0x2477c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .edata | 0x16d000 | 0x12d | 0x200 | 67859e1c9d81f1d2bdf6b531a2016f52 | False | 0.44921875 | data | 3.400613123216997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
    .idata | 0x16e000 | 0xb78 | 0xc00 | cb8eb4a241279d6fed66c3ea8ecac795 | False | 0.3961588541666667 | data | 5.12056831676781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .CRT | 0x16f000 | 0x2c | 0x200 | db151290603a2662b590a75b7e0b0988 | False | 0.0546875 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .tls | 0x170000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .reloc | 0x171000 | 0x868c | 0x8800 | 79ed408bbe5c4bbb01c59442165783ed | False | 0.6667911305147058 | data | 6.630417318575256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    DLL | Import
    KERNEL32.dll | AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetModuleHandleA, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadLocale, GetTickCount, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, PostQueuedCompletionStatus, QueryPerformanceCounter, RaiseFailFastException, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TerminateProcess, TlsAlloc, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WriteConsoleW, WriteFile, lstrlenA
    msvcrt.dll | _amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, _wcsnicmp, abort, bsearch, calloc, fprintf, free, fwrite, malloc, mbstowcs, memcpy, memset, qsort, realloc, strcmp, strlen, strncmp, strtol, vfprintf, wcstombs
    Name | Ordinal | Address
    BarCreate | 1 | 0x6d9545d0
    BarDestroy | 2 | 0x6d954850
    BarFreeRec | 3 | 0x6d954800
    BarRecognize | 4 | 0x6d9547b0
    GetInstallDetailsPayload | 5 | 0x6d954710
    SignalInitializeCrashReporting | 6 | 0x6d954760
    SpellFree | 7 | 0x6d954620
    SpellInit | 8 | 0x6d954670
    SpellSpell | 9 | 0x6d9546c0
    _cgo_dummy_export | 10 | 0x6da2c768
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Oct 29, 2024 19:30:34.791035891 CET | 53 | 50996 | 1.1.1.1 | 192.168.2.9
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Oct 29, 2024 19:30:12.233860970 CET | 1.1.1.1 | 192.168.2.9 | 0xd6b1 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | azurefd-t-fb-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
    Oct 29, 2024 19:30:12.233860970 CET | 1.1.1.1 | 192.168.2.9 | 0xd6b1 | No error (0) | dual.s-part-0017.t-0009.fb-t-msedge.net | s-part-0017.t-0009.fb-t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
    Oct 29, 2024 19:30:12.233860970 CET | 1.1.1.1 | 192.168.2.9 | 0xd6b1 | No error (0) | s-part-0017.t-0009.fb-t-msedge.net | | 13.107.253.45 | A (IP address) | IN (0x0001) | false

    Target ID:0
    Start time:14:30:15
    Start date:29/10/2024
    Path:C:\Windows\System32\loaddll32.exe
    Wow64 process (32bit):true
    Commandline:loaddll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll"
    Imagebase:0x310000
    File size:126'464 bytes
    MD5 hash:51E6071F9CBA48E79F10C84515AAE618
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:1
    Start time:14:30:15
    Start date:29/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff70f010000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:3
    Start time:14:30:15
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\cmd.exe
    Wow64 process (32bit):true
    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",#1
    Imagebase:0xc50000
    File size:236'544 bytes
    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:4
    Start time:14:30:15
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe C:\Users\user\Desktop\nsjrPbpaYZ.dll,BarCreate
    Imagebase:0x680000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:5
    Start time:14:30:15
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",#1
    Imagebase:0x680000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:9
    Start time:14:30:15
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7400 -s 832
    Imagebase:0x730000
    File size:483'680 bytes
    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:10
    Start time:14:30:15
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7384 -s 824
    Imagebase:0x730000
    File size:483'680 bytes
    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:11
    Start time:14:30:18
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe C:\Users\user\Desktop\nsjrPbpaYZ.dll,BarDestroy
    Imagebase:0x680000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:12
    Start time:14:30:21
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe C:\Users\user\Desktop\nsjrPbpaYZ.dll,BarFreeRec
    Imagebase:0x680000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:13
    Start time:14:30:24
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",BarCreate
    Imagebase:0x680000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:14
    Start time:14:30:24
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",BarDestroy
    Imagebase:0x680000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:15
    Start time:14:30:24
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",BarFreeRec
    Imagebase:0x680000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:17
    Start time:14:30:24
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",_cgo_dummy_export
    Imagebase:0x680000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:18
    Start time:14:30:24
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7752 -s 832
    Imagebase:0x730000
    File size:483'680 bytes
    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:19
    Start time:14:30:25
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",SpellSpell
    Imagebase:0x680000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:20
    Start time:14:30:25
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",SpellInit
    Imagebase:0x680000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:21
    Start time:14:30:25
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",SpellFree
    Imagebase:0x680000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:22
    Start time:14:30:25
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",SignalInitializeCrashReporting
    Imagebase:0x680000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:23
    Start time:14:30:25
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",GetInstallDetailsPayload
    Imagebase:0x680000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:24
    Start time:14:30:25
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\nsjrPbpaYZ.dll",BarRecognize
    Imagebase:0x680000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true


      Execution Graph

      Execution Coverage:0%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:0%
      Total number of Nodes:3
      Total number of Limit Nodes:0
      execution_graph 52007 6d32cea0 52008 6d32cec8 WriteFile 52007->52008 52009 6d32ceb9 52007->52009 52009->52008

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 0 6d32cea0-6d32ceb7 1 6d32cec8-6d32cee0 WriteFile 0->1 2 6d32ceb9-6d32cec6 0->2 2->1
      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID: FileWrite
      • String ID:
      • API String ID: 3934441357-0
      • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
      • Instruction ID: f8deee1c1cb17b013c08631ee01722d444e94f50e04c8229ece5aaf58a425a25
      • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
      • Instruction Fuzzy Hash: FBE0E571505600CFCB15DF18C2C1316BBE1EB48A00F0485A8DE098F74AD734EE10CB92

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 987 6d2d59f0-6d2d5a05 988 6d2d5a0b-6d2d5a31 call 6d330980 987->988 989 6d2d6c61-6d2d6c66 call 6d32ae50 987->989 994 6d2d5a3a-6d2d5a3d 988->994 995 6d2d5a33-6d2d5a38 988->995 989->987 996 6d2d5a40-6d2d5aa7 call 6d3309b0 call 6d32cff0 994->996 995->996 1001 6d2d5aa9-6d2d5ab1 call 6d32c260 996->1001 1002 6d2d5ab3-6d2d5b83 call 6d2f9e30 call 6d32ad60 * 2 call 6d2f9a20 996->1002 1001->1002 1013 6d2d5b8b-6d2d5b93 call 6d319ba0 1002->1013 1014 6d2d5b85-6d2d5b89 1002->1014 1015 6d2d5b97-6d2d5b99 1013->1015 1014->1015 1018 6d2d5bcf-6d2d5be5 1015->1018 1019 6d2d5b9b-6d2d5bca call 6d31a140 call 6d319cd0 1015->1019 1020 6d2d5be7-6d2d5bef call 6d32c260 1018->1020 1021 6d2d5bf1-6d2d5c00 1018->1021 1019->1018 1020->1021 1025 6d2d6c4a-6d2d6c60 call 6d326a90 1021->1025 1026 6d2d5c06-6d2d5f1c call 6d3309b0 call 6d32ad60 call 6d32cff0 call 6d32d050 call 6d3309d0 * 2 call 6d2efc30 call 6d31f810 * 2 call 6d3307f0 * 3 1021->1026 1025->989 1055 6d2d5f1e 1026->1055 1056 6d2d5f24-6d2d5fc2 call 6d2ca4e0 call 6d2fed60 call 6d2ca700 call 6d2e1f00 call 6d2d85c0 call 6d2ece30 call 6d2e29f0 1026->1056 1055->1056 1071 6d2d5fc4-6d2d5fc6 1056->1071 1072 6d2d5fd0-6d2d5fd2 1056->1072 1073 6d2d5fcc-6d2d5fce 1071->1073 1074 6d2d6c34-6d2d6c45 call 6d326a90 1071->1074 1075 6d2d6c1e-6d2d6c2f call 6d326a90 1072->1075 1076 6d2d5fd8-6d2d6095 call 6d32c476 call 6d32c94a call 6d32ad60 call 6d2ed3f0 call 6d2e5470 call 6d32ad60 * 2 1072->1076 1073->1072 1073->1076 1074->1025 1075->1074 1093 6d2d60b4-6d2d60bc 1076->1093 1094 6d2d6097-6d2d60af call 6d2e2a70 1076->1094 1096 6d2d6abf-6d2d6b05 call 6d2ca4e0 1093->1096 1097 6d2d60c2-6d2d6130 call 6d32c47a call 6d2f6bb0 call 6d31fa50 1093->1097 1094->1093 1102 6d2d6b14-6d2d6b30 call 6d2ca700 1096->1102 1103 6d2d6b07-6d2d6b12 call 6d32c260 1096->1103 1115 6d2d6140-6d2d615e 1097->1115 1112 6d2d6b55-6d2d6b5e 1102->1112 1103->1102 1113 6d2d6b60-6d2d6b8b call 6d2ded90 1112->1113 1114 6d2d6b32-6d2d6b54 call 6d2c43c0 1112->1114 1128 6d2d6b8d-6d2d6b96 
call 6d32ad60 1113->1128 1129 6d2d6b9b-6d2d6bf2 call 6d308b70 * 2 1113->1129 1114->1112 1118 6d2d6169-6d2d61ec 1115->1118 1119 6d2d6160-6d2d6163 1115->1119 1120 6d2d6c14-6d2d6c19 call 6d32c2e0 1118->1120 1121 6d2d61f2-6d2d61fc 1118->1121 1119->1118 1124 6d2d6216-6d2d621c 1119->1124 1120->1075 1126 6d2d620f-6d2d6211 1121->1126 1127 6d2d61fe-6d2d620a 1121->1127 1130 6d2d6c0a-6d2d6c0f call 6d32c2e0 1124->1130 1131 6d2d6222-6d2d63bc call 6d327ed0 call 6d2f6bb0 call 6d2f7410 call 6d2f7100 call 6d2f7410 * 3 call 6d2f7230 call 6d2f7410 call 6d2f6c10 call 6d32c47a 1124->1131 1132 6d2d6132-6d2d613e 1126->1132 1127->1132 1128->1129 1144 6d2d6bf4-6d2d6bfa 1129->1144 1145 6d2d6c03-6d2d6c09 1129->1145 1130->1120 1164 6d2d645e-6d2d6461 1131->1164 1132->1115 1144->1145 1147 6d2d6bfc 1144->1147 1147->1145 1165 6d2d64e7-6d2d6690 call 6d2f6bb0 call 6d2f7410 call 6d2f6c10 call 6d330830 * 4 call 6d32c476 1164->1165 1166 6d2d6467-6d2d6484 1164->1166 1201 6d2d6717-6d2d671a 1165->1201 1168 6d2d648a-6d2d64e2 call 6d2f6bb0 call 6d2f7410 call 6d2f6c10 1166->1168 1169 6d2d63c1-6d2d6457 call 6d2d80a0 call 6d327ed0 call 6d2f6bb0 call 6d2f7410 call 6d2f6c10 1166->1169 1168->1169 1169->1164 1202 6d2d67c0-6d2d6a5a call 6d3309b0 * 2 call 6d2f6bb0 call 6d2f7410 call 6d2f7100 call 6d2f7410 call 6d2f7100 call 6d2f7410 call 6d2f7100 call 6d2f7410 call 6d2f7100 call 6d2f7410 call 6d2f7100 call 6d2f7410 call 6d2f7100 call 6d2f7410 call 6d2f7230 call 6d2f7410 call 6d2f6c10 1201->1202 1203 6d2d6720-6d2d6744 1201->1203 1269 6d2d6a7c-6d2d6aad call 6d2f6bb0 call 6d2f6db0 call 6d2f6c10 1202->1269 1270 6d2d6a5c-6d2d6a77 call 6d2f6bb0 call 6d2f7410 call 6d2f6c10 1202->1270 1204 6d2d674b-6d2d6779 call 6d2f6bb0 call 6d2f7410 call 6d2f6c10 1203->1204 1205 6d2d6746-6d2d6749 1203->1205 1212 6d2d6695-6d2d6716 call 6d2d80a0 call 6d327ed0 call 6d2f6bb0 call 6d2f7410 call 6d2f6c10 1204->1212 1205->1204 1207 6d2d677e-6d2d6780 1205->1207 1207->1212 1213 6d2d6786-6d2d67bb call 6d2f6bb0 call 6d2f7410 call 6d2f6c10 
1207->1213 1212->1201 1213->1212 1269->1096 1282 6d2d6aaf-6d2d6aba call 6d2ca700 1269->1282 1270->1269 1282->1096
      Strings
      • ., xrefs: 6D2D61FE
      • @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12, xrefs: 6D2D62C7
      • , xrefs: 6D2D606A
      • +:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08, xrefs: 6D2D64A4, 6D2D678B
      • ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE, xrefs: 6D2D64EC
      • gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma, xrefs: 6D2D629A
      • gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= , xrefs: 6D2D5ABA
      • non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo, xrefs: 6D2D6C1E
      • failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 6D2D6C34
      • MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=, xrefs: 6D2D699C
      • ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid, xrefs: 6D2D68DC
      • 5, xrefs: 6D2D6C27
      • MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 6D2D6A06
      • gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6D2D6C4A
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: $ @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12$ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=$ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) 
marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ gp.goid$+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08$.$5$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14StdDltadxaesshaavxfmaintma$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$gcing MB, got= ... max=scav ptr ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= $non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bo
      • API String ID: 0-2575422049
      • Opcode ID: 7b41238d1c9c97cafd8843715463e67a007d0b28d5180b992f59f3f86f5f6353
      • Instruction ID: 307a25813f79ec3473371907e7a92d08915cd3bc4298eef04216dbd21f5deac7
      • Opcode Fuzzy Hash: 7b41238d1c9c97cafd8843715463e67a007d0b28d5180b992f59f3f86f5f6353
      • Instruction Fuzzy Hash: DDB2F5745497498FD764EF28C190B9ABBF5FB8A304F02892ED9C987350DB70A845CF92

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 1284 6d2e93f0-6d2e9402 1285 6d2e9408-6d2e9450 1284->1285 1286 6d2e9f94-6d2e9f99 call 6d32ae50 1284->1286 1287 6d2e9476-6d2e947d 1285->1287 1286->1284 1289 6d2e957b-6d2e9581 1287->1289 1290 6d2e9483-6d2e94ed 1287->1290 1294 6d2e97f9-6d2e9800 call 6d32c2f0 1289->1294 1295 6d2e9587-6d2e95b3 call 6d2ec5d0 1289->1295 1292 6d2e9f8c-6d2e9f93 call 6d32c320 1290->1292 1293 6d2e94f3-6d2e94f5 1290->1293 1292->1286 1297 6d2e94fb-6d2e9545 1293->1297 1298 6d2e9f85-6d2e9f87 call 6d32c340 1293->1298 1301 6d2e9805-6d2e980c 1294->1301 1309 6d2e95b5-6d2e9620 call 6d2e9360 1295->1309 1310 6d2e9621-6d2e9631 1295->1310 1302 6d2e9547-6d2e9550 1297->1302 1303 6d2e9552-6d2e9556 1297->1303 1298->1292 1307 6d2e9810-6d2e9812 1301->1307 1308 6d2e9558-6d2e9576 1302->1308 1303->1308 1313 6d2e99fd 1307->1313 1314 6d2e9818 1307->1314 1308->1307 1311 6d2e9637-6d2e9648 1310->1311 1312 6d2e97f4 call 6d32c2e0 1310->1312 1317 6d2e964e-6d2e9653 1311->1317 1318 6d2e97e1-6d2e97e9 1311->1318 1312->1294 1316 6d2e9a01-6d2e9a0a 1313->1316 1319 6d2e9f7e-6d2e9f80 call 6d32c2e0 1314->1319 1320 6d2e981e-6d2e984c 1314->1320 1322 6d2e9d72-6d2e9de0 call 6d2e9360 1316->1322 1323 6d2e9a10-6d2e9a16 1316->1323 1324 6d2e9659-6d2e9666 1317->1324 1325 6d2e97c6-6d2e97d6 1317->1325 1318->1312 1319->1298 1327 6d2e984e-6d2e9854 1320->1327 1328 6d2e9856-6d2e98af 1320->1328 1343 6d2e9ee5-6d2e9eeb 1322->1343 1331 6d2e9a1c-6d2e9a26 1323->1331 1332 6d2e9d53-6d2e9d71 1323->1332 1333 6d2e966c-6d2e97b3 call 6d2f6bb0 call 6d2f7410 call 6d2f7230 call 6d2f7410 call 6d2f7230 call 6d2f7410 call 6d2f7100 call 6d2f7410 call 6d2f7100 call 6d2f7410 call 6d2f7100 call 6d2f7410 call 6d2f6c10 call 6d2f6bb0 call 6d2f7410 call 6d2f7100 call 6d2f6db0 call 6d2f6c10 call 6d326a90 1324->1333 1334 6d2e97b8-6d2e97c1 1324->1334 1325->1318 1327->1301 1344 6d2e98bf-6d2e98c8 1328->1344 1345 6d2e98b1-6d2e98bd 1328->1345 1336 6d2e9a28-6d2e9a3f 1331->1336 1337 6d2e9a41-6d2e9a55 1331->1337 1333->1334 1341 6d2e9a5c 1336->1341 1337->1341 
1346 6d2e9a5e-6d2e9a6f 1341->1346 1347 6d2e9a71-6d2e9a91 1341->1347 1350 6d2e9eed-6d2e9f02 1343->1350 1351 6d2e9f68-6d2e9f79 call 6d326a90 1343->1351 1349 6d2e98ce-6d2e98e0 1344->1349 1345->1349 1353 6d2e9a98 1346->1353 1347->1353 1355 6d2e99c8-6d2e99ca 1349->1355 1356 6d2e98e6-6d2e98eb 1349->1356 1357 6d2e9f0b-6d2e9f1d 1350->1357 1358 6d2e9f04-6d2e9f09 1350->1358 1351->1319 1362 6d2e9a9a-6d2e9a9f 1353->1362 1363 6d2e9aa1-6d2e9aa4 1353->1363 1365 6d2e99cc-6d2e99e0 1355->1365 1366 6d2e99e2 1355->1366 1359 6d2e98ed-6d2e98f2 1356->1359 1360 6d2e98f4-6d2e9908 1356->1360 1361 6d2e9f1f 1357->1361 1358->1361 1367 6d2e990f-6d2e9911 1359->1367 1360->1367 1368 6d2e9f28-6d2e9f40 1361->1368 1369 6d2e9f21-6d2e9f26 1361->1369 1370 6d2e9aaa-6d2e9d4e call 6d2f6bb0 call 6d2f7410 call 6d2f7230 call 6d2f7410 call 6d2f7230 call 6d2f7410 call 6d2f7100 call 6d2f7410 call 6d2f7100 call 6d2f7410 call 6d2f7100 call 6d2f6db0 call 6d2f6c10 call 6d2f6bb0 call 6d2f7410 call 6d2f7230 call 6d2f7410 call 6d2f7100 call 6d2f7410 call 6d2f7230 call 6d2f6db0 call 6d2f6c10 call 6d2f6bb0 call 6d2f7410 call 6d2f72a0 call 6d2f7410 call 6d2f7230 call 6d2f6db0 call 6d2f6c10 call 6d2f6bb0 call 6d2f7410 call 6d2f7100 call 6d2f7410 call 6d2f7100 call 6d2f6db0 call 6d2f6c10 1362->1370 1363->1370 1372 6d2e99e6-6d2e99fb 1365->1372 1366->1372 1374 6d2e9917-6d2e9919 1367->1374 1375 6d2e9452-6d2e946f 1367->1375 1373 6d2e9f42-6d2e9f4e 1368->1373 1369->1373 1370->1343 1372->1316 1378 6d2e9f5a-6d2e9f5d 1373->1378 1379 6d2e9f50-6d2e9f55 1373->1379 1380 6d2e991b-6d2e9920 1374->1380 1381 6d2e9922-6d2e993d 1374->1381 1375->1287 1378->1351 1384 6d2e994b 1380->1384 1385 6d2e993f-6d2e9944 1381->1385 1386 6d2e99a7-6d2e99c3 1381->1386 1390 6d2e995e-6d2e996d 1384->1390 1391 6d2e994d-6d2e995c 1384->1391 1385->1384 1386->1301 1395 6d2e9970-6d2e99a2 1390->1395 1391->1395 1395->1301
      Strings
      • runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard , xrefs: 6D2E9C5B
      • , levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:, xrefs: 6D2E9D15
      • runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D2E967A, 6D2E9AB3
      • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D2E97A2, 6D2E9F68
      • runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 6D2E9CE8
      • , j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu, xrefs: 6D2E9C04
      • runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer, xrefs: 6D2E976B
      • ][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C, xrefs: 6D2E96A4, 6D2E9AED
      • , i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc, xrefs: 6D2E9C88
      • ] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc, xrefs: 6D2E96CD
      • , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST, xrefs: 6D2E96F7, 6D2E9721, 6D2E9B44, 6D2E9B6E
      • ] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt, xrefs: 6D2E9B1A
      • , npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar, xrefs: 6D2E9BD7
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST$, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base stringGetACPSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13rdtscppopcntuint16uint32uint64structcmd/gonetdnsCommonCopySidWSARecvWSASendconnectconsoleforcegcallocmWc$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type float32float64\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_Dltavx512finvaliduintptros/execruntimetls3desno anodeCancelIoReadFileAcceptExWSAIoctlshu$, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime:$, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by short writeProcessPrngMoveFileExWNetShar$] = pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheapt$] = (usagefalseinit ms, fault and tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localsse41sse42ssse3int16int32int64uint8arraysliceGreeklistensocketsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc$][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= 
GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13C$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupQuerySer$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard $runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
      • API String ID: 0-566501290
      • Opcode ID: fa2a957fdc635cba263f3e5bda7da4f25d4c5e089a61332a152ea1ea4712aa1f
      • Instruction ID: 0f57105c400ee38f0f1cb062e8268060e0231ddddf3e18d91bdd80a9ee40f300
      • Opcode Fuzzy Hash: fa2a957fdc635cba263f3e5bda7da4f25d4c5e089a61332a152ea1ea4712aa1f
      • Instruction Fuzzy Hash: 5F524675A987198FD320DF68C08075AFBF5FF89344F41892EEA9897340D774A845CB92

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 1644 6d2f1570-6d2f157e 1645 6d2f181e-6d2f1823 call 6d32ae50 1644->1645 1646 6d2f1584-6d2f15b6 call 6d2f32a0 1644->1646 1645->1644 1651 6d2f15bc-6d2f15ea call 6d2f1470 1646->1651 1652 6d2f1807-6d2f181d call 6d326a90 1646->1652 1657 6d2f15fc-6d2f1631 call 6d2f32a0 1651->1657 1658 6d2f15ec-6d2f15f9 call 6d32c270 1651->1658 1652->1645 1663 6d2f1637-6d2f1669 call 6d2f1470 1657->1663 1664 6d2f17f1-6d2f1802 call 6d326a90 1657->1664 1658->1657 1668 6d2f167b-6d2f1683 1663->1668 1669 6d2f166b-6d2f1678 call 6d32c270 1663->1669 1664->1652 1671 6d2f172d-6d2f175f call 6d2f1470 1668->1671 1672 6d2f1689-6d2f16bb call 6d2f1470 1668->1672 1669->1668 1678 6d2f1771-6d2f17a9 call 6d2f1470 1671->1678 1679 6d2f1761-6d2f176e call 6d32c270 1671->1679 1680 6d2f16cd-6d2f16d5 1672->1680 1681 6d2f16bd-6d2f16ca call 6d32c270 1672->1681 1693 6d2f17bb-6d2f17c4 1678->1693 1694 6d2f17ab-6d2f17b8 call 6d32c270 1678->1694 1679->1678 1685 6d2f17db-6d2f17ec call 6d326a90 1680->1685 1686 6d2f16db-6d2f170d call 6d2f1470 1680->1686 1681->1680 1685->1664 1696 6d2f171f-6d2f1727 1686->1696 1697 6d2f170f-6d2f171c call 6d32c270 1686->1697 1694->1693 1696->1671 1700 6d2f17c5-6d2f17d6 call 6d326a90 1696->1700 1697->1696 1700->1685
      Strings
      • ProcessPrng, xrefs: 6D2F15BF
      • RtlGetCurrentPeb, xrefs: 6D2F1734
      • ntdll.dll, xrefs: 6D2F1608
      • NtCreateWaitCompletionPacket, xrefs: 6D2F163E
      • bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible , xrefs: 6D2F1807
      • RtlGetVersion, xrefs: 6D2F177E
      • NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no , xrefs: 6D2F17C5
      • , xrefs: 6D2F16A2
      • P, xrefs: 6D2F17E4
      • , xrefs: 6D2F169A
      • bcryptprimitives.dll, xrefs: 6D2F158D
      • NtAssociateWaitCompletionPacket, xrefs: 6D2F1690
      • NtCancelWaitCompletionPacket, xrefs: 6D2F16E2
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: $ $NtAssociateWaitCompletionPacket$NtCancelWaitCompletionPacket$NtCreateWaitCompletionPacket$NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcannot convert slice with length %y to array or pointer to array with length %xNtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does notcgocheck > 1 mode is no $P$ProcessPrng$RtlGetCurrentPeb$RtlGetVersion$bcryptprimitives.dll$bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible $ntdll.dll
      • API String ID: 0-2332038095
      • Opcode ID: 391992fb076d8ae9f6b974ad0600343cffa9e21f8bc8150c4343e9cf13dd00c2
      • Instruction ID: e5456c1ff0ac4b19ef32ef31bf458b511eeb3201cbc81189072dc54dda73dd8b
      • Opcode Fuzzy Hash: 391992fb076d8ae9f6b974ad0600343cffa9e21f8bc8150c4343e9cf13dd00c2
      • Instruction Fuzzy Hash: 81718CB454A7069FEB44EF68C29076ABBF4BB8A344F41C82DE49983340D774D849CF96
      Strings
      • mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 6D2E3D16
      • previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 6D2E3DAB
      • mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea, xrefs: 6D2E418A
      • sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto, xrefs: 6D2E3C4F
      • sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket, xrefs: 6D2E3E09
      • nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo, xrefs: 6D2E3D81
      • swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 6D2E3C65
      • sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket, xrefs: 6D2E3CB8, 6D2E412C
      • mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 6D2E41A9
      • mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D2E3CE2, 6D2E4156
      • , xrefs: 6D2E3E12
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: $ mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMo$ previous allocCount=, levelBits[level] = runtime: searchIdx = panic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$ sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine LockFileExWSASocketWunixpacket$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdea$mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1$sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
      • API String ID: 0-893999930
      • Opcode ID: 1d963d477639c58c9071cb13c82ce946f3d3bed548d19505a5cb7d5089b19db6
      • Instruction ID: 3e0f567a0b81f385ad1a83f29ce316dbe0addc94a9c6e53484f3d774276f4345
      • Opcode Fuzzy Hash: 1d963d477639c58c9071cb13c82ce946f3d3bed548d19505a5cb7d5089b19db6
      • Instruction Fuzzy Hash: B48211B454C3998FC755DF24C080B6ABBE1BF8974AF81896DE9C88B391D730D845CB92
      Strings
      • runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 6D2F2D95
      • ,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12, xrefs: 6D2F2D29
      • runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr, xrefs: 6D2F2DEC
      • NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor, xrefs: 6D2F2E20
      • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi, xrefs: 6D2F2EFD
      • runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte, xrefs: 6D2F2E47, 6D2F2EA2
      • runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b, xrefs: 6D2F2F31
      • VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec, xrefs: 6D2F2DC9
      • CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet, xrefs: 6D2F2E7B, 6D2F2ED6
      • %, xrefs: 6D2F2F3A
      • bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi, xrefs: 6D2F2D6E
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: %$,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplet$NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a cor$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notunexpected runtime.netpoll error: network dropped connec$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timersOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] wi$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!internal error: unknown network type godebug: unexpected IncNonDefault of b$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerociphertext is not a multiple of the block sizeslice bounds out of range [:%x] with length %ypanicwrap: unexpected string afte$runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statenon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
      • API String ID: 0-2809656213
      • Opcode ID: c0bd5170582b2d4ccfbaac31816bfe772837746e7f9abaaa1a1556d56dead8b7
      • Instruction ID: b3355221ec3980ab5747fc4d72ed186bb4a9ca19b53fa4864602bc941ac03270
      • Opcode Fuzzy Hash: c0bd5170582b2d4ccfbaac31816bfe772837746e7f9abaaa1a1556d56dead8b7
      • Instruction Fuzzy Hash: 6BC1BEB45897469FD700EF64C19475ABBF4EF89708F028D2CE58887240D775D84ACBA2
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID: AddressProc$HandleLibraryLoadModule
      • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
      • API String ID: 384173800-1835852900
      • Opcode ID: e4f8a610fe01dab77bfba17b8ea9d965ed61c8d9941aa20e0332eeb2b3b294bc
      • Instruction ID: 91bc11a295fc3ffbb6883a8993520457a27085dbcdc0e5f023641f34818ed1f8
      • Opcode Fuzzy Hash: e4f8a610fe01dab77bfba17b8ea9d965ed61c8d9941aa20e0332eeb2b3b294bc
      • Instruction Fuzzy Hash: C80171B58093049BCB50BF78964A71EBFF8EF42255F01463DD88987205E7309C94CBA3
      Strings
      • !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 6D3236FF
      • 3-, xrefs: 6D323D58
      • mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 6D323D05
      • malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty, xrefs: 6D323D1B
      • mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential, xrefs: 6D323D47
      • malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo, xrefs: 6D323D31
      • 4, xrefs: 6D323D0E
      • p, xrefs: 6D323D5E
      • 2, xrefs: 6D323D50
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$2$4$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo$malloc during signalclose of nil channelnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not empty$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $3-$p
      • API String ID: 0-234616912
      • Opcode ID: 393ba997ce215de6cde67bcb781cb2116d6ec64d48b28069df0892b636b3a26b
      • Instruction ID: bf9d20d4c2ee6e2755f6052849811ad3c35cea614bb97900e36fedd753a7d01d
      • Opcode Fuzzy Hash: 393ba997ce215de6cde67bcb781cb2116d6ec64d48b28069df0892b636b3a26b
      • Instruction Fuzzy Hash: C062BB70A083558FC704DF29C090A2ABBF1FF89714F15896DE9A88B392D736D945CF92
      Strings
      • invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa, xrefs: 6D33D663
      • pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps, xrefs: 6D33D785
      • $, xrefs: 6D33D66D
      • invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p, xrefs: 6D33CF75, 6D33D068, 6D33D138, 6D33D6F4, 6D33D816, 6D33D8A7, 6D33D938, 6D33D9CD
      • y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KS, xrefs: 6D33D1C5
      • !, xrefs: 6D33D0EC
      • n, xrefs: 6D33D1B1
      • v, xrefs: 6D33D025
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: !$$$invalid pattern syntax (+ after -): cannot exec a shared library directlyvalue too large for defined data typeruntime: allocation size out of range) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfa$invalid pattern syntax: resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine p$n$pattern bits too long: runtime: C malloc failedconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32Snaps$v$y: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KS
      • API String ID: 0-3686076665
      • Opcode ID: ec44b6b3f781da7bdd709c85c78d73f62f831e6193b62f2a740ef921e5ad2348
      • Instruction ID: a89ccab89aa1eefad4995f550fce32d60b654e6fca4469b396248350b13974cc
      • Opcode Fuzzy Hash: ec44b6b3f781da7bdd709c85c78d73f62f831e6193b62f2a740ef921e5ad2348
      • Instruction Fuzzy Hash: 847222B49083958FC754DF28D18075AFBF5BB89700F458A2DE9A887340EB75E948CF92
      Strings
      • )]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+, xrefs: 6D343BE4, 6D343EAF, 6D343FF3, 6D3442D5
      • %!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamec, xrefs: 6D343BCA, 6D343E95
      • 0, xrefs: 6D343344
      • %!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutinecopystac, xrefs: 6D343FD9, 6D3442BB
      • 0, xrefs: 6D3430B1
      • 0, xrefs: 6D343150
      • 0, xrefs: 6D343267
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: %!Month(avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlskyberx509sha1FindCloseLocalFreeMoveFileWWriteFileWSASendTod.nx != 0timerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutinecopystac$%!Weekday(complex128execerrdothttp2debugcrypto/tlsMessageBoxWbroken pipebad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibraryGetFileTypeOpenProcessSetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamec$)]+:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+$0$0$0$0
      • API String ID: 0-3084215349
      • Opcode ID: f16a649feeb5cd316149a8e6a9c0b1bdd30bd063969f9ef3c07eed7be81973f9
      • Instruction ID: 3e31706a043d5c8d54125fa12ef463743d6537549df12dcdfc88352ca6bcff6d
      • Opcode Fuzzy Hash: f16a649feeb5cd316149a8e6a9c0b1bdd30bd063969f9ef3c07eed7be81973f9
      • Instruction Fuzzy Hash: B303E178A083868FC329CF18C19079EFBE1BFC9310F15892EE99997351D774A945CB92
      Strings
      • pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace, xrefs: 6D316593
      • sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us, xrefs: 6D316566
      • , xrefs: 6D316039
      • :(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I, xrefs: 6D3163FD
      • (1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID, xrefs: 6D316320
      • fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit, xrefs: 6D316539
      • non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard , xrefs: 6D3166C5
      • , xrefs: 6D316031
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: $ $ fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usagefalseinit$ pc=true+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptrace$ sp= sp: lr: fp= gp= mp=) m=JuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTermssse3avx2bmi1bmi2boolint8uintchanfunctimentohswriteclosedefersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (us$(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08ID$:(1/=,-[<{}_My: ??M , [("")) ) @s -> Pn=][}]i)> +"osLlLtLuMnfinptrnilobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ...]:???pc= GEOF\\.\\?\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08I$non-Go function at pc=RtlLookupFunctionEntryCreateEnvironmentBlockWSAGetOverlappedResultSao Tome Standard TimeAleutian Standard TimeParaguay Standard TimeMountain Standard TimeAtlantic Standard TimePakistan Standard TimeSakhalin Standard TimeGeorgian Standard
      • API String ID: 0-3830612415
      • Opcode ID: 0c76d58b23c80ff669ff6b5cdaee985d905cf2f880743113d5254b7496fd6ea0
      • Instruction ID: 2fa34a550cd5f37498fb750dfe6a8120dbd08c23db2f568af01257c575f8418b
      • Opcode Fuzzy Hash: 0c76d58b23c80ff669ff6b5cdaee985d905cf2f880743113d5254b7496fd6ea0
      • Instruction Fuzzy Hash: 6E32D07464C3828FD365DF65C580B9ABBE1BF89308F058D2EE9C897351DB31A845CB92
      Strings
      • runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta, xrefs: 6D2F1BD9
      • timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 6D2F1C0D
      • runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co, xrefs: 6D2F1C34
      • timeBeginPeriod, xrefs: 6D2F1B29
      • winmm.dll, xrefs: 6D2F1AF3
      • &, xrefs: 6D2F1C3D
      • timeEndPeriod, xrefs: 6D2F1B73
      Similarity
      • API ID:
      • String ID: &$runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already connectedmismatched count during itab ta$runtime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumbertime: missing Location in call to Datetransport endpoint is already co$timeBegin/EndPeriod not foundruntime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon$timeBeginPeriod$timeEndPeriod$winmm.dll
      • API String ID: 0-424793872
      • Opcode ID: 4328b8cf92762271d2e34254279b588f53ba60de14fad7076446eb9adbcdc2c6
      • Instruction ID: d6b0e082a25979963f38ff47091fad77cb2baf4190ff90042be21db1a1eddc0c
      • Opcode Fuzzy Hash: 4328b8cf92762271d2e34254279b588f53ba60de14fad7076446eb9adbcdc2c6
      • Instruction Fuzzy Hash: 2E51A3B05897069FDB05EF64C19472ABBF4BF45749F018C2DE59883240D774D849CFA2
      Strings
      • findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina, xrefs: 6D2FE0BF
      • findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a, xrefs: 6D2FE0A9
      • findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r, xrefs: 6D2FE0D5
      • !, xrefs: 6D2FE0DE
      • findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi, xrefs: 6D2FE0EB
      • global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz, xrefs: 6D2FE093
      Similarity
      • API ID:
      • String ID: !$findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadline2006-01-02T15:04:05.999999999Z07:00accessing a corrupted shared librarylfstack node a$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionAdjustTokenPrivilegesLookupPrivilegeValueWNetUserGetLocalGroupsGetProfi$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinaliz
      • API String ID: 0-3518981815
      • Opcode ID: 854b029f4e8cfd84624eddae539ebf2ac62c21c123342888911d0eb59ea1db70
      • Instruction ID: b45369a9e1e13ed22d2694975f38a92270c13db1f763c7641d6bba71d2486c5a
      • Opcode Fuzzy Hash: 854b029f4e8cfd84624eddae539ebf2ac62c21c123342888911d0eb59ea1db70
      • Instruction Fuzzy Hash: BCA2CE7468D3868FD764EF68C190B6AFBE0BB89744F01892DE9D887380E735D845CB52
      Strings
      • runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy, xrefs: 6D2F139D, 6D2F13F8, 6D2F144B
      • runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar, xrefs: 6D2F1369
      • runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe, xrefs: 6D2F13C4
      • runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not , xrefs: 6D2F1417
      • d, xrefs: 6D2F1276
      • 5, xrefs: 6D2F1420
      Similarity
      • API ID:
      • String ID: 5$d$runtime: NtAssociateWaitCompletionPacket failed; errno= runtime: checkmarks found unexpected unmarked object obj=tried to trace goroutine with invalid or unsupported statusmanual span allocation called with non-manually-managed typeaddr range base and limit ar$runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not $runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classe$runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallDestroy
      • API String ID: 0-2414937731
      • Opcode ID: d2e619d9b5ae9d89cf5c630f58b2710baf78ea83b57ecf5a19e3f816fad6f1b0
      • Instruction ID: 2d2f2b095f21be2d7654b499f1d7b0b3079ba35a1e619e76475f08da75d14bca
      • Opcode Fuzzy Hash: d2e619d9b5ae9d89cf5c630f58b2710baf78ea83b57ecf5a19e3f816fad6f1b0
      • Instruction Fuzzy Hash: 9A51DCB458D7099FD741EF28C09471AFBF4BF89708F028C2DE98887350D77499898BA2
      APIs
      • SetUnhandledExceptionFilter.KERNEL32 ref: 6D35634F
      • UnhandledExceptionFilter.KERNEL32 ref: 6D35635F
      • GetCurrentProcess.KERNEL32 ref: 6D356368
      • TerminateProcess.KERNEL32 ref: 6D356379
      • abort.MSVCRT ref: 6D356382
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
      • String ID:
      • API String ID: 520269711-0
      • Opcode ID: c3f4fa910d869a18c7640620ace6b92bc3ec1ea0b24601575cec71142a97d9cb
      • Instruction ID: 898ac79a8c56860544840150e1edbd3210055f9ae1fa0a279f40c77eb2f05c6d
      • Opcode Fuzzy Hash: c3f4fa910d869a18c7640620ace6b92bc3ec1ea0b24601575cec71142a97d9cb
      • Instruction Fuzzy Hash: 14110FB5804201CFCB00EF78C189B6ABBF0BB4A300F00892DE989D7350E734DA548F92
      APIs
      • GetSystemTimeAsFileTime.KERNEL32 ref: 6D356289
      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D2C13B9), ref: 6D35629A
      • GetCurrentThreadId.KERNEL32 ref: 6D3562A2
      • GetTickCount.KERNEL32 ref: 6D3562AA
      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D2C13B9), ref: 6D3562B9
      Similarity
      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
      • String ID:
      • API String ID: 1445889803-0
      • Opcode ID: bdf4b05fc2664d2f763b192d194dde126d3cc8e7dd3742730b0dd72f0d965484
      • Instruction ID: 8c85aaf77796e6ae69175fde088f13f36fb006a1a56aa7b2153e58f344aae299
      • Opcode Fuzzy Hash: bdf4b05fc2664d2f763b192d194dde126d3cc8e7dd3742730b0dd72f0d965484
      • Instruction Fuzzy Hash: 1B1182B55053018FDB00EF79E88865BBBF8FB89254F054D39E449C7300EB31D8598BA2
      Strings
      • min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 6D2E1A0F
      • !, xrefs: 6D2E1A18
      • runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti, xrefs: 6D2E198C, 6D2E19DB
      • min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW, xrefs: 6D2E19C0
      Similarity
      • API ID:
      • String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=dalTLDpSugct?GetTempPath2WModule32NextW$runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti
      • API String ID: 0-967014423
      • Opcode ID: 6db84fb6fe004af5c4f51c5058126614a2d0845cbdad5b6655a38b37538b0b30
      • Instruction ID: 22a0ede35fb49a683b995b8ed02324aedf95f9d79dcf3bbd43e1a8c103f474cd
      • Opcode Fuzzy Hash: 6db84fb6fe004af5c4f51c5058126614a2d0845cbdad5b6655a38b37538b0b30
      • Instruction Fuzzy Hash: 8CF1E23668932A4FD702DF98C4C061EB7E2BBC5384F558A3CD9949B381EB71D845C6C2
      Strings
      • stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl, xrefs: 6D2FA690
      • stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met, xrefs: 6D2FA7EB
      • stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a , xrefs: 6D2FA843
      • stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many, xrefs: 6D2FA7B0
      Similarity
      • API ID:
      • String ID: stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2runtime: typeBitsBulkBarrier without type/memory/classes/met$stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a $stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangeattempting to link in too many$stopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basehash mismatch: data integrity check failedpersistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/cl
      • API String ID: 0-2039697367
      • Opcode ID: b9d954050a8b6e804db2410a4d4e432b8898b8be7a0c3364feb73fe94d93c257
      • Instruction ID: 85087332aa1fb541dc17636c7001a43b2e492892505c1c581bc43d8875ee2670
      • Opcode Fuzzy Hash: b9d954050a8b6e804db2410a4d4e432b8898b8be7a0c3364feb73fe94d93c257
      • Instruction Fuzzy Hash: 43F1ED74A8D3858FC308DF69C190A6AFBF1BB89704F05892DE99887351D770E846CF82
      Strings
      Similarity
      • API ID:
      • String ID: '$'$PowerRegisterSuspendResumeNotification$powrprof.dll
      • API String ID: 0-4026319467
      • Opcode ID: e33c19a27a28b34f8080a8a6dda9bc799b6d2eee1d53c87bc5bb958c7006b0f8
      • Instruction ID: b0ca73abbf81c71e59665107d54a997e93261f2d79544b40c4ad857966342be9
      • Opcode Fuzzy Hash: e33c19a27a28b34f8080a8a6dda9bc799b6d2eee1d53c87bc5bb958c7006b0f8
      • Instruction Fuzzy Hash: 6921CCB49493469FD704DF25C190B6ABBF0BB89348F80882DE48887340E7759A89CF83
      Strings
      • runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern, xrefs: 6D306A04
      • <, xrefs: 6D306A0D
      • runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add, xrefs: 6D3069D7
      Similarity
      • API ID:
      • String ID: <$runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=invalid or incomplete multibyte or wide characterslice bounds out of range [::%x] with capacity %yinvalid memory add$runtime: malformed profBuf buffer - tag and data out of syncabiRegArgsType needs GC Prog, update methodValueCallFrameObjsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotruntime: intern
      • API String ID: 0-450027851
      • Opcode ID: f76fe498d11dbb8752d2ed8f60429abcbdc88f0ebbccc81b80539e8d4bd37a98
      • Instruction ID: 516b55fad5a6f02466efdff248cb215c9abcd8ee76845bc5e9bedf27fcacb562
      • Opcode Fuzzy Hash: f76fe498d11dbb8752d2ed8f60429abcbdc88f0ebbccc81b80539e8d4bd37a98
      • Instruction Fuzzy Hash: BC024AB0A0C7058FD714DF69C19061ABBE1BFC8704F55892DEA9987354EB71E885CB82
      Strings
      • invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro, xrefs: 6D2F648D
      • suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support, xrefs: 6D2F64A3
      • ', xrefs: 6D2F64AC
      Similarity
      • API ID:
      • String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:DuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "[bisect-match 0xpermission deniedwro$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2006-01-02 15:04:05.999999999 -0700 MSTaddress family not support
      • API String ID: 0-3278438963
      • Opcode ID: 07c54aaf77e684fa5fbcba7b3d16024891c9ae6ecbb4d70215d24aed50f27ca2
      • Instruction ID: 697bebbd703fe0b1449a39714eade66b3367f0cb64671ad1e204254eaa1170f4
      • Opcode Fuzzy Hash: 07c54aaf77e684fa5fbcba7b3d16024891c9ae6ecbb4d70215d24aed50f27ca2
      • Instruction Fuzzy Hash: 2CD12E7468C3568BC705DF29C090A2ABBF2EF8A709F458C6DE9C487351D735E946CB82
      Strings
      • grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 6D2E6D4E
      • +, xrefs: 6D2E6D57
      Similarity
      • API ID:
      • String ID: +$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
      • API String ID: 0-3347251187
      • Opcode ID: 2a38151114b08ea58c12914380598b7d1a71554ff0611581568629dac7bfc9e3
      • Instruction ID: dc8695bd630e7d433e30712c5c32fedd54fd747d0e5b09a0914a6b1f7f64bc09
      • Opcode Fuzzy Hash: 2a38151114b08ea58c12914380598b7d1a71554ff0611581568629dac7bfc9e3
      • Instruction Fuzzy Hash: BF22DD7464C3868FC354DF69C190A2ABBE1BF89785F458D2DEAD887350DB35E844CB82
      Strings
      • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 6D2EB60F
      • @, xrefs: 6D2EB4FB
      Similarity
      • API ID:
      • String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
      • API String ID: 0-1191861649
      • Opcode ID: 9e53fc9b943b10c8b632b12984eae2e5f092580e3a59c8d920a97ca704f166b3
      • Instruction ID: ae76ca31322064e0bd9fa4b81b28ce82b153778c1b1fc028c52dc4d6c74d25ad
      • Opcode Fuzzy Hash: 9e53fc9b943b10c8b632b12984eae2e5f092580e3a59c8d920a97ca704f166b3
      • Instruction Fuzzy Hash: 14A1BF75A0871A8FC304CF18C88065AB7E1FFC8354F458A2DE9999B351DB34E94ACBC2
      Strings
      Similarity
      • API ID:
      • String ID: $@
      • API String ID: 0-1077428164
      • Opcode ID: ba7b13a5c1733e04ef80f541df03cb2f84a1a6e5cb78719fac05c64f0c5aa1f8
      • Instruction ID: 203125dc90fa05e0a5cc4ce21ef47cf46aaf23e8c3b1e1b0ce97412eb2819f7d
      • Opcode Fuzzy Hash: ba7b13a5c1733e04ef80f541df03cb2f84a1a6e5cb78719fac05c64f0c5aa1f8
      • Instruction Fuzzy Hash: 3251A610C1CF9B65EA330BBDC4426667B206EB7140B01D76FFDD6B58B2E7136940BA22
      Strings
      • ,, xrefs: 6D2DCFAA
      • gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu, xrefs: 6D2DCFA1
      Similarity
      • API ID:
      • String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackcannot send after transport endpoint shu
      • API String ID: 0-27675022
      • Opcode ID: ecab468190076ff2b14c324bbaef1e11d748190a21e8589802614d56a94c689c
      • Instruction ID: 9842b6611aa0f51a705045f85675f73dc544ec13301ec1ff0caf160a8c4892b7
      • Opcode Fuzzy Hash: ecab468190076ff2b14c324bbaef1e11d748190a21e8589802614d56a94c689c
      • Instruction Fuzzy Hash: FA3150756493968FD345DF14C480A59B7B1BB86608F0985BDDD884F383CB31D84ACBC5
      Strings
      • ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint, xrefs: 6D345B6E
      Similarity
      • API ID:
      • String ID: ,M3.2.0,M11.1.0jstmpllitinterptarinsecurepathx509keypairleafx509usepolicieszipinsecurepathRegCreateKeyExWRegDeleteValueWstring too large0123456789abcdefinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePoint
      • API String ID: 0-1364986362
      • Opcode ID: 4e3866709d326cd2572cf4cdbd1fe4e8e48b27380f329d29ac9209d1e7ae2c88
      • Instruction ID: 3e0dfb61eed7d2feb9e42e7e16498d42062f76e922f082680223df2948391f67
      • Opcode Fuzzy Hash: 4e3866709d326cd2572cf4cdbd1fe4e8e48b27380f329d29ac9209d1e7ae2c88
      • Instruction Fuzzy Hash: EE5216B5A083858FD334CF18C5913DFBBE1ABC5304F45892DDAD89B391EBB599448B82
      Strings
      Similarity
      • API ID:
      • String ID: 4
      • API String ID: 0-4088798008
      • Opcode ID: 0f396876874922b437a0f5d5a8c30b217d04e9dcaae7cbbe5891ae9878af9a91
      • Instruction ID: 47e272b541cae513408ab48ad66fa0359644a94a4dde9e43b2a3471de5613724
      • Opcode Fuzzy Hash: 0f396876874922b437a0f5d5a8c30b217d04e9dcaae7cbbe5891ae9878af9a91
      • Instruction Fuzzy Hash: 8222DC7560D3468FC738DF18C8C466EB7E1AFC9304F148A2CDA998B391DB31A905CB96
      Strings
      • span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 6D2D0D52
      Similarity
      • API ID:
      • String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
      • API String ID: 0-1712010102
      • Opcode ID: ba94b8105440627c1a3284526e5b5b86b369335520840bbf205394e586465e53
      • Instruction ID: dca1077ce60d848aad2e0531bb52aa7208f1b1be5055c76e6142cd8cf68335d6
      • Opcode Fuzzy Hash: ba94b8105440627c1a3284526e5b5b86b369335520840bbf205394e586465e53
      • Instruction Fuzzy Hash: BDD1357065C34A9FC784DF29C190A2EBBE0BF89748F40892DE8D987361E735D945CB52
      Strings
      • runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 6D2ED3CB
      Similarity
      • API ID:
      • String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
      • API String ID: 0-429552053
      • Opcode ID: f3625bcb87707074c2eb87eed8d14dbdf90778cd61ec290985f33a7e64d3ff84
      • Instruction ID: fe90cfee77022118736de40eca91e83e769288774d0ecd6fd40f51eb43b253ea
      • Opcode Fuzzy Hash: f3625bcb87707074c2eb87eed8d14dbdf90778cd61ec290985f33a7e64d3ff84
      • Instruction Fuzzy Hash: 33B1E37464834A8FC744EF68C18092AB7F1BBCA784F82892DE99487351E735ED45CF82
      Strings
      Similarity
      • API ID:
      • String ID: ;
      • API String ID: 0-1661535913
      • Opcode ID: 7cc0b9ffec2894bd9e760f23877f636b6734a1cd2e6ad219d8cb67fbc3859c87
      • Instruction ID: 237c44bc8c6536520ee89d21475b5d347133efd907c266aa601a28ebecb749ff
      • Opcode Fuzzy Hash: 7cc0b9ffec2894bd9e760f23877f636b6734a1cd2e6ad219d8cb67fbc3859c87
      • Instruction Fuzzy Hash: AEA19471B083054FC70CDE5DD95131AFAE6ABC8304F05CA3DE589CB7A4E639D9098B86
      Strings
      Similarity
      • API ID:
      • String ID: @
      • API String ID: 0-2766056989
      • Opcode ID: 2926aa5057f7cd3879a5e71f508a4e8e92a3f51ff2b930cae7bc63e37c5722d2
      • Instruction ID: ef9a43ec3a54cddb497373a95bbfd5451fab2b8bb72c68444372e4334d47cc65
      • Opcode Fuzzy Hash: 2926aa5057f7cd3879a5e71f508a4e8e92a3f51ff2b930cae7bc63e37c5722d2
      • Instruction Fuzzy Hash: 4691F3B5A593099FC344CF28C080A5ABBF1FF89744F81992DE99897341E735D985CF82
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1ad3c4c18bdaf1a3a3a2c3ece843a7f41d4c54749ffbe180d67ea321140305b7
      • Instruction ID: 9ce1d40b23609ded8faa988aab6e7502f673a32abd4dd9ed97bba7add479eba2
      • Opcode Fuzzy Hash: 1ad3c4c18bdaf1a3a3a2c3ece843a7f41d4c54749ffbe180d67ea321140305b7
      • Instruction Fuzzy Hash: BE825D75A083A58BC729CE0DC5903AAF3E6BBDD300F568A2DD699D3350E770AD05CB91
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: deceedf9fab612ba1c6905b09d77149ea5859e7f0becbfb51df6ba6a4493f9e1
      • Instruction ID: 90f4c9bd127f8740dd8fb91a999a488b56d6a5b9ac0f8d29531a51f5d716c3cc
      • Opcode Fuzzy Hash: deceedf9fab612ba1c6905b09d77149ea5859e7f0becbfb51df6ba6a4493f9e1
      • Instruction Fuzzy Hash: 7A2261B2A1C7468FD724CF65C5903ABB7E2BBC5304F55C82DDAC587241EB7998098BC2
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 81c1a857d75281dc00fe9e564fd858fb0fc69d4209ae24abc317b41f8a20dd9a
      • Instruction ID: 30395102170663d5d18106074274ea75ffd36a2f0b36e8aee720d016fc1ebec9
      • Opcode Fuzzy Hash: 81c1a857d75281dc00fe9e564fd858fb0fc69d4209ae24abc317b41f8a20dd9a
      • Instruction Fuzzy Hash: 26128872A087498FC314DE5DC98124AF7E6BBC4304F55CA3DD9988B355EB74E909CB82
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 89b0c70bacbeed22cafea463804f826bd8235f945556e3945bd825368b754be9
      • Instruction ID: f00dd1f18ae0a86ff9a79aca7edf3c8954591b2d3c4c8af039c9d3921a2b5916
      • Opcode Fuzzy Hash: 89b0c70bacbeed22cafea463804f826bd8235f945556e3945bd825368b754be9
      • Instruction Fuzzy Hash: C7E12633B9871A4BD315DDEDC8C025EB6D2ABC8784F49863CDD649B380FA75D80A96C1
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 7c79b1d6837babde330dc2870d4ba3f557acd87f6217e532a3590ddaf42a0f2d
      • Instruction ID: 6cb5d5266b2a0eb160ef65a7e7567283cdeaf085681ddd48cc32a65829030060
      • Opcode Fuzzy Hash: 7c79b1d6837babde330dc2870d4ba3f557acd87f6217e532a3590ddaf42a0f2d
      • Instruction Fuzzy Hash: 05027D3160C3568FC728CF68C88066AF7E1BF89344F15893DEA998B351D731E946CB92
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b7935c6a5b299839dc9a408e8db348abac875f153b032ac038f2210fef130d3b
      • Instruction ID: 8e3ceb216f9b5dadbc1bf70443f14753fd725095ddf818e451db00b796dc15e5
      • Opcode Fuzzy Hash: b7935c6a5b299839dc9a408e8db348abac875f153b032ac038f2210fef130d3b
      • Instruction Fuzzy Hash: 80E1C533E2472907D3149E58CC80249B6D3ABC8670F4EC72DED95AB781E9B4ED5987C2
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: edc84a991bb1d49dab33e6294f47fdb8841d2377db0acbe2cb30ba0077c014f5
      • Instruction ID: a08aaf18a16fa0323ecec8375e6bbc41292922f1284af00bdaf5618532d72b52
      • Opcode Fuzzy Hash: edc84a991bb1d49dab33e6294f47fdb8841d2377db0acbe2cb30ba0077c014f5
      • Instruction Fuzzy Hash: 7DE1C0B2A0C7668BC305CF29849025FBBE2BBC5704F45C92DE9958B341E779D805CBD2
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c2d66cb1c3906cfa3a82dc2c349a07613f3660e9303ac4eb1e67e6e0bd50c0cf
      • Instruction ID: f586ebad5638e8efa7fef63bee010bad58a85ddf06e2e8fb9184d5adb91c7818
      • Opcode Fuzzy Hash: c2d66cb1c3906cfa3a82dc2c349a07613f3660e9303ac4eb1e67e6e0bd50c0cf
      • Instruction Fuzzy Hash: DEC1C132B4831A4BC749DE6DC89061EF7E2ABC8344F49863CE9599B3A5E774E805C7C1
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 991b9503163e2e870c87aec88d5b0926a437290c56012bfd05dad5d7f3f4d7e0
      • Instruction ID: 5d6c9931a3d3a5d01849883e6c8f924b8c1ba30266e9752041b82d09db6ee667
      • Opcode Fuzzy Hash: 991b9503163e2e870c87aec88d5b0926a437290c56012bfd05dad5d7f3f4d7e0
      • Instruction Fuzzy Hash: 05E1807560C3568FC319CF28D4C092AFBE1AFCA204F458A6DE9D58B392D734E945CB92
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 428527c13d09c027ebc446cf317015b685d68fb33211e209e42e07341c070ed1
      • Instruction ID: 66a4c4bc6f8f4a68a49917857e660720f490282bed5eb99e28ced4b2563593b1
      • Opcode Fuzzy Hash: 428527c13d09c027ebc446cf317015b685d68fb33211e209e42e07341c070ed1
      • Instruction Fuzzy Hash: 41F1E07468C3958FC365DF29C190B5AFBE2BBC9204F14892EE9D887351DB31A806CB52
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2566b9d8c45f67b846684a8382cb88acbef39b52fc5f6e9d72160aa2ad1bb63e
      • Instruction ID: 18f32a543f052f56e68a6ee2a35ca9050eecb8d5fed2a0d3d861b55270ea3e54
      • Opcode Fuzzy Hash: 2566b9d8c45f67b846684a8382cb88acbef39b52fc5f6e9d72160aa2ad1bb63e
      • Instruction Fuzzy Hash: 67C1627060432A4FC251CE5EDCC0A6A73D1AB4821DF91866D96448F7C3DA3AF46B97E4
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 8d048900d939ad448e742ee2fdcc835e0d3fc40580cd0fe85fa5ad708d82bae5
      • Instruction ID: 67ae76154ddbad5c7af92b60f539b039a7c62164b0266446a71364a31a4403da
      • Opcode Fuzzy Hash: 8d048900d939ad448e742ee2fdcc835e0d3fc40580cd0fe85fa5ad708d82bae5
      • Instruction Fuzzy Hash: 8DC1627060432A4FC251CE5EDCC0A6A73D1AB4821DF91867D96448F7C3DA3AF46B97E4
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b63b63e16691d68611b104f5addfbb67b1baabf5bc09031a983cd3e081c04c73
      • Instruction ID: 4f4333a0913f0fcac882fc77c0dfeda33c817effc3686e0e376aca4cc5cbaf7f
      • Opcode Fuzzy Hash: b63b63e16691d68611b104f5addfbb67b1baabf5bc09031a983cd3e081c04c73
      • Instruction Fuzzy Hash: 34916A3264872A4FC71ADE9DC4D051EBBE2FBC8784F95873CD9690B380EB719909C681
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 8966dd3c5fb09f49eb877fcad7587a136765ea768b8a6104a7ce2d64b58cfc77
      • Instruction ID: b9ed5109652c1eac032ae22e6e73498378f0286029ed0d7f07c662b6ad10bb61
      • Opcode Fuzzy Hash: 8966dd3c5fb09f49eb877fcad7587a136765ea768b8a6104a7ce2d64b58cfc77
      • Instruction Fuzzy Hash: 3C815637A8832E0FD712CEE988C065D3A92ABC4794F89863CD9748B3C1EB71980592C1
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1154779df2ee417057ebc887e27f346eef0ac0e1be49b70e4449dfce10b00bad
      • Instruction ID: dff7899cd211762ef81225657760dd58857cf1e48a9ad36a9db63186101ecd02
      • Opcode Fuzzy Hash: 1154779df2ee417057ebc887e27f346eef0ac0e1be49b70e4449dfce10b00bad
      • Instruction Fuzzy Hash: 6391D776A187194BD304DE59CCC0659B3E2BBC8360F49C63CECA89B345E674EE49CB81
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true

      Control-flow Graph

      [Rendered graph not recoverable from the page. Basic blocks span 6d2c1020 through 6d2c120c; edges include calls to Sleep, _amsg_exit, _initterm and the function at 6d357190. Legend: Executed / Not Executed.]
      APIs
      • Sleep.KERNEL32(?,?,?,6D2C12E0,?,?,?,?,?,?,6D2C13A3), ref: 6D2C1057
      • _amsg_exit.MSVCRT ref: 6D2C1085
      Strings
      Similarity
      • API ID: Sleep_amsg_exit
      • String ID: 0?\$c5m
      • API String ID: 1015461914-45356212
      APIs
      Strings
      • Address %p has no image-section, xrefs: 6D3565DB
      • VirtualProtect failed with code 0x%x, xrefs: 6D35659A
      • @, xrefs: 6D356578
      • VirtualQuery failed for %d bytes at address %p, xrefs: 6D3565C7
      Similarity
      • API ID: QueryVirtual
      • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
      • API String ID: 1804819252-1098444051
      APIs
      • CreateEventA.KERNEL32 ref: 6D355CD2
      • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D355D89), ref: 6D355CEB
      • fwrite.MSVCRT ref: 6D355D20
      • abort.MSVCRT ref: 6D355D25
      Strings
      • runtime: failed to create runtime initialization wait event., xrefs: 6D355D19
      • =, xrefs: 6D355D05
      Similarity
      • API ID: CreateCriticalEventInitializeSectionabortfwrite
      • String ID: =$runtime: failed to create runtime initialization wait event.
      • API String ID: 2455830200-3519180978
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID: _lock_unlockcalloc
      • String ID:
      • API String ID: 3876498383-0
      • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
      • Instruction ID: f4ed93883c4e421f2f7fc20b6738a0122d4cbe1a4fea5b848c747a14a5e5c474
      • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
      • Instruction Fuzzy Hash: A1115EF09182018FE7409F68C880B6A7BE4FF45354F15CA69E998CB385EB74D960CB62
      APIs
      • WaitForSingleObject.KERNEL32 ref: 6D355E10
      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D3545D9), ref: 6D355E1C
      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6D3545D9), ref: 6D355E2E
      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6D3545D9), ref: 6D355E3E
      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D3545D9), ref: 6D355E50
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeave$ObjectSingleWait
      • String ID:
      • API String ID: 1755037574-0
      • Opcode ID: 2cad01941a7014555441c46466ea0581164d912bce0e541baf1d8f901a9c16c0
      • Instruction ID: fbcbde9d203d12985c44f631c17dc8229e455cb4fd88a9db6a273dd89392dc45
      • Opcode Fuzzy Hash: 2cad01941a7014555441c46466ea0581164d912bce0e541baf1d8f901a9c16c0
      • Instruction Fuzzy Hash: 76015EB1504348CFDB00FF799989A2ABBB4AF46210F410939D99187240D731E978CBA3
      Strings
      • Mingw-w64 runtime failure:, xrefs: 6D357248
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID: abortfwritevfprintf
      • String ID: Mingw-w64 runtime failure:
      • API String ID: 3176311984-2889761391
      • Opcode ID: a9aa1a4f79a3bd78ac1d28181fae6f8527faf0a7e57267ba67b8617c7aebc537
      • Instruction ID: 053b72c7a796f2c446153d9a6e265aa04dd363c4648bcb795114b82d2021aad4
      • Opcode Fuzzy Hash: a9aa1a4f79a3bd78ac1d28181fae6f8527faf0a7e57267ba67b8617c7aebc537
      • Instruction Fuzzy Hash: 9EE0C2B080C3049ED300AF64C185A5EBAE4BF89388F02CA1CE1C847241D77888948B53
      APIs
      • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D2C12A5), ref: 6D356709
      Strings
      • Unknown pseudo relocation bit size %d., xrefs: 6D356799
      • Unknown pseudo relocation protocol version %d., xrefs: 6D356864
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID: ProtectVirtual
      • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
      • API String ID: 544645111-395989641
      • Opcode ID: a0d86f001264e14408ddaefd6bf1cdfb02de79f48507f531de164a4762c2ae3d
      • Instruction ID: aa9c52b6cf51fdae7a704d333bdcd6b08ac6de8b0544d36e8a300ec053fd6909
      • Opcode Fuzzy Hash: a0d86f001264e14408ddaefd6bf1cdfb02de79f48507f531de164a4762c2ae3d
      • Instruction Fuzzy Hash: 5F61AAB0A043068FCB08DF68C9C0E69B7B9FB85318B158669D9559B305D371ED26CBD2
      Memory Dump Source
      • Source File: 00000004.00000002.1367134314.000000006D2C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D2C0000, based on PE: true
      • Associated: 00000004.00000002.1367116619.000000006D2C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367206443.000000006D358000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367226950.000000006D359000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367247989.000000006D35A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367269425.000000006D35F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367352618.000000006D408000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D40E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367374262.000000006D413000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367418150.000000006D426000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367439378.000000006D42D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367459563.000000006D42E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000004.00000002.1367484787.000000006D431000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_6d2c0000_rundll32.jbxd
      Similarity
      • API ID: CriticalSection$EnterErrorLastLeaveValue
      • String ID:
      • API String ID: 682475483-0
      • Opcode ID: a1a5d64a373e2215545bab529a25e76015311acebb1f9e861d5ead7e35d04c36
      • Instruction ID: 6b0cea1642413ffe244af34fd1a454603c7ef8b719c63cc30a2883135744d569
      • Opcode Fuzzy Hash: a1a5d64a373e2215545bab529a25e76015311acebb1f9e861d5ead7e35d04c36
      • Instruction Fuzzy Hash: 0EF081719002058BDF107F7CC4CAA2A7BB4AA85250B050578DD458B205E731E828CBE3

      Execution Graph

      Execution Coverage:0%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:0%
      Total number of Nodes:3
      Total number of Limit Nodes:0
      Execution graph (rendered image not recoverable; nodes and edges from the graph data):
      • Node 45399: 6cf5cea0
      • Node 45400: 6cf5ceb9
      • Node 45401: 6cf5cec8 WriteFile
      • Edges: 45399 -> 45400, 45399 -> 45401, 45400 -> 45401

      Control-flow Graph

      Legend: Executed / Not Executed (node colouring not recoverable in text)
      Control-flow graph basic blocks (rendered image not recoverable; from the graph data):
      • Block 0: 6cf5cea0-6cf5ceb7
      • Block 1: 6cf5ceb9-6cf5cec6
      • Block 2: 6cf5cec8-6cf5cee0 WriteFile
      • Edges: 0 -> 1, 0 -> 2, 1 -> 2
      Memory Dump Source
      • Source File: 0000000D.00000002.1469351139.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 0000000D.00000002.1469272908.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469625846.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469692155.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469754251.000000006CF8A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469819119.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470024207.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470180600.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470223406.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470266960.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470318029.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: FileWrite
      • String ID:
      • API String ID: 3934441357-0
      • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
      • Instruction ID: d7bac60a75b526d84000dba0cfef9db798cf9b3692f2a79a16db3d22b63892c0
      • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
      • Instruction Fuzzy Hash: 03E0E571505600CFCB15DF18C2C1306BBE1EB48A00F4485A8DE098FB4AD734ED10CB92
      APIs
      • SetUnhandledExceptionFilter.KERNEL32 ref: 6CF8634F
      • UnhandledExceptionFilter.KERNEL32 ref: 6CF8635F
      • GetCurrentProcess.KERNEL32 ref: 6CF86368
      • TerminateProcess.KERNEL32 ref: 6CF86379
      • abort.MSVCRT ref: 6CF86382
      Memory Dump Source
      • Source File: 0000000D.00000002.1469351139.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 0000000D.00000002.1469272908.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469625846.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469692155.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469754251.000000006CF8A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469819119.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470024207.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470180600.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470223406.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470266960.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470318029.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
      • String ID:
      • API String ID: 520269711-0
      • Opcode ID: 355a4bf656ea05a7c595ed4d5a02508be7a3c25684ab0a42f23a8566ceda117d
      • Instruction ID: be7008f7014ef6d6e9daa0d3837f0c91487d3d197794399e9f7124f84fa4927f
      • Opcode Fuzzy Hash: 355a4bf656ea05a7c595ed4d5a02508be7a3c25684ab0a42f23a8566ceda117d
      • Instruction Fuzzy Hash: 6511DFB5905201CFDB00EF69C249B6ABBF0FB4A304F108929E988CB354E7349A448F96
      Strings
      • VirtualQuery failed for %d bytes at address %p, xrefs: 6CF865C7
      • @, xrefs: 6CF86578
      • VirtualProtect failed with code 0x%x, xrefs: 6CF8659A
      • Address %p has no image-section, xrefs: 6CF865DB
      Memory Dump Source
      • Source File: 0000000D.00000002.1469351139.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 0000000D.00000002.1469272908.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469625846.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469692155.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469754251.000000006CF8A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469819119.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470024207.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470180600.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470223406.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470266960.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470318029.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: QueryVirtual
      • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
      • API String ID: 1804819252-1098444051
      • Opcode ID: 8e01c8f42ac3fb024a5e4fbe7c94d996bbc5ec8eda4976b99009d3caf6cd4904
      • Instruction ID: 4e106b9d326b19760b17345f00bee2130cfe30d37066aa410060cbabbf2f41b0
      • Opcode Fuzzy Hash: 8e01c8f42ac3fb024a5e4fbe7c94d996bbc5ec8eda4976b99009d3caf6cd4904
      • Instruction Fuzzy Hash: 38418BB69063029FD700DF69D58474AFBF0FB85718F158A29E958CBB58E730E444CB92
      Memory Dump Source
      • Source File: 0000000D.00000002.1469351139.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 0000000D.00000002.1469272908.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469625846.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469692155.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469754251.000000006CF8A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469819119.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470024207.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470180600.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470223406.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470266960.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470318029.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: AddressProc$HandleLibraryLoadModule
      • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
      • API String ID: 384173800-1835852900
      • Opcode ID: 2302e9dacd6155e13448a0d92e1c740ef3dcfeff3ca67b1de2837f1075534feb
      • Instruction ID: ecabffe71d05b23d07c5ba3fb993f445549635781e3b6cb2ddbe486ccd53bc3d
      • Opcode Fuzzy Hash: 2302e9dacd6155e13448a0d92e1c740ef3dcfeff3ca67b1de2837f1075534feb
      • Instruction Fuzzy Hash: 41017CB280A3188FCB40BFB8960A31EBFF4EB82355F12452DD8D987604D7319444CBA3
      APIs
      • CreateEventA.KERNEL32 ref: 6CF85CD2
      • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CF85D89), ref: 6CF85CEB
      • fwrite.MSVCRT ref: 6CF85D20
      • abort.MSVCRT ref: 6CF85D25
      Strings
      • runtime: failed to create runtime initialization wait event., xrefs: 6CF85D19
      • =, xrefs: 6CF85D05
      Memory Dump Source
      • Source File: 0000000D.00000002.1469351139.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 0000000D.00000002.1469272908.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469625846.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469692155.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469754251.000000006CF8A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469819119.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470024207.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470180600.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470223406.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470266960.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470318029.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: CreateCriticalEventInitializeSectionabortfwrite
      • String ID: =$runtime: failed to create runtime initialization wait event.
      • API String ID: 2455830200-3519180978
      • Opcode ID: f71fb244ffbb6af2343ee7d37ac4c06d113575fe0e8cfb5468f0f6e757f8dd1e
      • Instruction ID: db1bc697e40b3a8d144e77a13627b8de16e4b98f95d9450c4192fcfead37f0d6
      • Opcode Fuzzy Hash: f71fb244ffbb6af2343ee7d37ac4c06d113575fe0e8cfb5468f0f6e757f8dd1e
      • Instruction Fuzzy Hash: 98F0E7B14093019FE700AF68C60931EBBF0BF41348F91885DE8D98A240DBBA8058CF93
      APIs
      • Sleep.KERNEL32(?,?,?,6CEF12E0,?,?,?,?,?,?,6CEF13A3), ref: 6CEF1057
      • _amsg_exit.MSVCRT ref: 6CEF1085
      Memory Dump Source
      • Source File: 0000000D.00000002.1469351139.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 0000000D.00000002.1469272908.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469625846.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469692155.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469754251.000000006CF8A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469819119.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470024207.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470180600.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470223406.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470266960.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470318029.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: Sleep_amsg_exit
      • String ID:
      • API String ID: 1015461914-0
      • Opcode ID: af1ae758ca161fcdad179624b581b2e9d76a9c8cfdd9ec5ae5f1877dbec0be38
      • Instruction ID: aaa8ea716a641384a2f05cce32185116f444fdef695557148ee96bc4d22ff721
      • Opcode Fuzzy Hash: af1ae758ca161fcdad179624b581b2e9d76a9c8cfdd9ec5ae5f1877dbec0be38
      • Instruction Fuzzy Hash: 8C41D8F2609249CBEB009FADC68474B77F4EB82348F61452ED964CBB04D736D482CB82
      Memory Dump Source
      • Source File: 0000000D.00000002.1469351139.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 0000000D.00000002.1469272908.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469625846.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469692155.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469754251.000000006CF8A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469819119.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470024207.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470180600.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470223406.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470266960.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470318029.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: _lock_unlockcalloc
      • String ID:
      • API String ID: 3876498383-0
      • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
      • Instruction ID: 54cbfd284245bd1b89fcdfc6987e272680a5f3b91d4c0ea21639b0d02ba158fa
      • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
      • Instruction Fuzzy Hash: 15114C713066018BE7009F68C88075A7BF4BF45364F158A6AF4A8CBB85EB74E844CB62
      APIs
      • GetSystemTimeAsFileTime.KERNEL32 ref: 6CF86289
      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CEF13B9), ref: 6CF8629A
      • GetCurrentThreadId.KERNEL32 ref: 6CF862A2
      • GetTickCount.KERNEL32 ref: 6CF862AA
      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CEF13B9), ref: 6CF862B9
      Memory Dump Source
      • Source File: 0000000D.00000002.1469351139.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 0000000D.00000002.1469272908.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469625846.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469692155.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469754251.000000006CF8A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469819119.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470024207.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470180600.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470223406.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470266960.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470318029.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
      • String ID:
      • API String ID: 1445889803-0
      • Opcode ID: 5138bef41ad46bcb539b7678f9cec4d6e251c184a6b8dff8cd8ca8e69ff70228
      • Instruction ID: 8a48faa0f7417bd3c16142851ccac6621372e95a0bf2207f183557ee183df5d4
      • Opcode Fuzzy Hash: 5138bef41ad46bcb539b7678f9cec4d6e251c184a6b8dff8cd8ca8e69ff70228
      • Instruction Fuzzy Hash: 47115EB5A563008BDF00DF79E58865BBBF4FB8A365F050D39E894C6604EB31D4488B92
      APIs
      • WaitForSingleObject.KERNEL32 ref: 6CF85E10
      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CF845D9), ref: 6CF85E1C
      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CF845D9), ref: 6CF85E2E
      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CF845D9), ref: 6CF85E3E
      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CF845D9), ref: 6CF85E50
      Memory Dump Source
      • Source File: 0000000D.00000002.1469351139.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 0000000D.00000002.1469272908.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469625846.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469692155.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469754251.000000006CF8A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469819119.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470024207.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470180600.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470223406.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470266960.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470318029.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeave$ObjectSingleWait
      • String ID:
      • API String ID: 1755037574-0
      • Opcode ID: 9ebc32adf45ac8d6408fa42855588be0689641ce1bf7dd506f732dbc169a3ee7
      • Instruction ID: d62efbe3ee432f89037dbced19befd05f0ce2ac54cb45c2ba2fdf732f8a6c27f
      • Opcode Fuzzy Hash: 9ebc32adf45ac8d6408fa42855588be0689641ce1bf7dd506f732dbc169a3ee7
      • Instruction Fuzzy Hash: DB015EB1508308CFEB00FFB9DE8961ABBB4AF42210F410529DCD087250D731A468CBA7
      APIs
      Strings
      • Mingw-w64 runtime failure:, xrefs: 6CF87248
      Memory Dump Source
      • Source File: 0000000D.00000002.1469351139.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 0000000D.00000002.1469272908.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469625846.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469692155.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469754251.000000006CF8A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469819119.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470024207.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470180600.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470223406.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470266960.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470318029.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: abortfwritevfprintf
      • String ID: Mingw-w64 runtime failure:
      • API String ID: 3176311984-2889761391
      • Opcode ID: ed5760d6f4a342660183ca49d9ef055e2923ebad01eb511e9ff009d0c96f0f1e
      • Instruction ID: f1cec573db6228bf530a8f32453f9ff094156d5a3643d90bc821143d391afb1f
      • Opcode Fuzzy Hash: ed5760d6f4a342660183ca49d9ef055e2923ebad01eb511e9ff009d0c96f0f1e
      • Instruction Fuzzy Hash: 2CE0AEB010A3089FD300AFA5C08539EBAF4AF89348F01891DE0D84B741DB7994898F53
      APIs
      • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CEF12A5), ref: 6CF86709
      Strings
      • Unknown pseudo relocation bit size %d., xrefs: 6CF86799
      • Unknown pseudo relocation protocol version %d., xrefs: 6CF86864
      Memory Dump Source
      • Source File: 0000000D.00000002.1469351139.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 0000000D.00000002.1469272908.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469625846.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469692155.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469754251.000000006CF8A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469819119.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470024207.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470180600.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470223406.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470266960.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470318029.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: ProtectVirtual
      • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
      • API String ID: 544645111-395989641
      • Opcode ID: dc321d28c642da7b64332a36242c8e326f56aa975f9b164b572e2824e66a3349
      • Instruction ID: a6636237cc3a11f6b884675fb389586b3e8e90ed16205ca8c6df33d005e8481a
      • Opcode Fuzzy Hash: dc321d28c642da7b64332a36242c8e326f56aa975f9b164b572e2824e66a3349
      • Instruction Fuzzy Hash: 4961F235A223568FCF08CF68C5C069DB7B1FF85318F258A29F814DBB18D330A8458B82
      APIs
      Memory Dump Source
      • Source File: 0000000D.00000002.1469351139.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 0000000D.00000002.1469272908.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469625846.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469692155.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469754251.000000006CF8A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1469819119.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470024207.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470083538.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470180600.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470223406.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470266960.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 0000000D.00000002.1470318029.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_13_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: CriticalSection$EnterErrorLastLeaveValue
      • String ID:
      • API String ID: 682475483-0
      • Opcode ID: 945fd69a4910b9caa04b66e4a29bf079224e8d62e5a4434c984a335def861f2a
      • Instruction ID: fae3eb44afdbae979aab77531f8ba986c5ea90d43cd06d2ec84f93db29839ca4
      • Opcode Fuzzy Hash: 945fd69a4910b9caa04b66e4a29bf079224e8d62e5a4434c984a335def861f2a
      • Instruction Fuzzy Hash: EDF0C8719012058FEF007F7DD6C9A1A7BB4EE45354B050568ED88C7708E730E418CBA3

      Execution Graph

      Execution Coverage:0%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:0%
      Total number of Nodes:3
      Total number of Limit Nodes:0
      execution_graph (nodes and edges, recovered from the rendered graph):
      • Node 45399: 6cf5cea0
      • Node 45400: 6cf5ceb9
      • Node 45401: 6cf5cec8 (calls VirtualAlloc)
      • Edges: 45399 -> 45400, 45399 -> 45401, 45400 -> 45401

      Control-flow Graph

      control_flow_graph (basic blocks and edges, recovered from the rendered graph):
      • Block 0: 6cf5cea0-6cf5ceb7
      • Block 1: 6cf5ceb9-6cf5cec6
      • Block 2: 6cf5cec8-6cf5cee0 (calls VirtualAlloc)
      • Edges: 0 -> 1, 0 -> 2, 1 -> 2
      APIs
      Memory Dump Source
      • Source File: 00000011.00000002.1465638966.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 00000011.00000002.1465555088.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1465951309.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466038937.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466133630.000000006CF8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466222302.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466591489.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466908400.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467015638.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467128542.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467260191.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
      • Instruction ID: d7bac60a75b526d84000dba0cfef9db798cf9b3692f2a79a16db3d22b63892c0
      • Opcode Fuzzy Hash: a2cfa61b4501b04a2c5f40c8367aff7a2baaadd22eedac0d36916a775c4c6aab
      • Instruction Fuzzy Hash: 03E0E571505600CFCB15DF18C2C1306BBE1EB48A00F4485A8DE098FB4AD734ED10CB92
      APIs
      • SetUnhandledExceptionFilter.KERNEL32 ref: 6CF8634F
      • UnhandledExceptionFilter.KERNEL32 ref: 6CF8635F
      • GetCurrentProcess.KERNEL32 ref: 6CF86368
      • TerminateProcess.KERNEL32 ref: 6CF86379
      • abort.MSVCRT ref: 6CF86382
      Memory Dump Source
      • Source File: 00000011.00000002.1465638966.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 00000011.00000002.1465555088.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1465951309.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466038937.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466133630.000000006CF8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466222302.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466591489.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466908400.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467015638.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467128542.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467260191.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
      • String ID:
      • API String ID: 520269711-0
      • Opcode ID: 355a4bf656ea05a7c595ed4d5a02508be7a3c25684ab0a42f23a8566ceda117d
      • Instruction ID: be7008f7014ef6d6e9daa0d3837f0c91487d3d197794399e9f7124f84fa4927f
      • Opcode Fuzzy Hash: 355a4bf656ea05a7c595ed4d5a02508be7a3c25684ab0a42f23a8566ceda117d
      • Instruction Fuzzy Hash: 6511DFB5905201CFDB00EF69C249B6ABBF0FB4A304F108929E988CB354E7349A448F96
      APIs
      Strings
      • VirtualQuery failed for %d bytes at address %p, xrefs: 6CF865C7
      • @, xrefs: 6CF86578
      • VirtualProtect failed with code 0x%x, xrefs: 6CF8659A
      • Address %p has no image-section, xrefs: 6CF865DB
      Memory Dump Source
      • Source File: 00000011.00000002.1465638966.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 00000011.00000002.1465555088.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1465951309.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466038937.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466133630.000000006CF8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466222302.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466591489.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466908400.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467015638.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467128542.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467260191.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: QueryVirtual
      • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
      • API String ID: 1804819252-1098444051
      • Opcode ID: 8e01c8f42ac3fb024a5e4fbe7c94d996bbc5ec8eda4976b99009d3caf6cd4904
      • Instruction ID: 4e106b9d326b19760b17345f00bee2130cfe30d37066aa410060cbabbf2f41b0
      • Opcode Fuzzy Hash: 8e01c8f42ac3fb024a5e4fbe7c94d996bbc5ec8eda4976b99009d3caf6cd4904
      • Instruction Fuzzy Hash: 38418BB69063029FD700DF69D58474AFBF0FB85718F158A29E958CBB58E730E444CB92
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000011.00000002.1465638966.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 00000011.00000002.1465555088.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1465951309.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466038937.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466133630.000000006CF8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466222302.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466591489.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466908400.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467015638.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467128542.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467260191.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: AddressProc$HandleLibraryLoadModule
      • String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
      • API String ID: 384173800-1835852900
      • Opcode ID: 2302e9dacd6155e13448a0d92e1c740ef3dcfeff3ca67b1de2837f1075534feb
      • Instruction ID: ecabffe71d05b23d07c5ba3fb993f445549635781e3b6cb2ddbe486ccd53bc3d
      • Opcode Fuzzy Hash: 2302e9dacd6155e13448a0d92e1c740ef3dcfeff3ca67b1de2837f1075534feb
      • Instruction Fuzzy Hash: 41017CB280A3188FCB40BFB8960A31EBFF4EB82355F12452DD8D987604D7319444CBA3
      APIs
      • CreateEventA.KERNEL32 ref: 6CF85CD2
      • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CF85D89), ref: 6CF85CEB
      • fwrite.MSVCRT ref: 6CF85D20
      • abort.MSVCRT ref: 6CF85D25
      Strings
      • runtime: failed to create runtime initialization wait event., xrefs: 6CF85D19
      • =, xrefs: 6CF85D05
      Memory Dump Source
      • Source File: 00000011.00000002.1465638966.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 00000011.00000002.1465555088.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1465951309.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466038937.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466133630.000000006CF8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466222302.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466591489.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466908400.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467015638.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467128542.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467260191.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: CreateCriticalEventInitializeSectionabortfwrite
      • String ID: =$runtime: failed to create runtime initialization wait event.
      • API String ID: 2455830200-3519180978
      • Opcode ID: f71fb244ffbb6af2343ee7d37ac4c06d113575fe0e8cfb5468f0f6e757f8dd1e
      • Instruction ID: db1bc697e40b3a8d144e77a13627b8de16e4b98f95d9450c4192fcfead37f0d6
      • Opcode Fuzzy Hash: f71fb244ffbb6af2343ee7d37ac4c06d113575fe0e8cfb5468f0f6e757f8dd1e
      • Instruction Fuzzy Hash: 98F0E7B14093019FE700AF68C60931EBBF0BF41348F91885DE8D98A240DBBA8058CF93
      APIs
      • Sleep.KERNEL32(?,?,?,6CEF12E0,?,?,?,?,?,?,6CEF13A3), ref: 6CEF1057
      • _amsg_exit.MSVCRT ref: 6CEF1085
      Memory Dump Source
      • Source File: 00000011.00000002.1465638966.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 00000011.00000002.1465555088.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1465951309.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466038937.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466133630.000000006CF8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466222302.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466591489.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466908400.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467015638.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467128542.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467260191.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: Sleep_amsg_exit
      • String ID:
      • API String ID: 1015461914-0
      • Opcode ID: af1ae758ca161fcdad179624b581b2e9d76a9c8cfdd9ec5ae5f1877dbec0be38
      • Instruction ID: aaa8ea716a641384a2f05cce32185116f444fdef695557148ee96bc4d22ff721
      • Opcode Fuzzy Hash: af1ae758ca161fcdad179624b581b2e9d76a9c8cfdd9ec5ae5f1877dbec0be38
      • Instruction Fuzzy Hash: 8C41D8F2609249CBEB009FADC68474B77F4EB82348F61452ED964CBB04D736D482CB82
      APIs
      Memory Dump Source
      • Source File: 00000011.00000002.1465638966.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 00000011.00000002.1465555088.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1465951309.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466038937.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466133630.000000006CF8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466222302.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466591489.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466908400.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467015638.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467128542.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467260191.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: _lock_unlockcalloc
      • String ID:
      • API String ID: 3876498383-0
      • Opcode ID: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
      • Instruction ID: 54cbfd284245bd1b89fcdfc6987e272680a5f3b91d4c0ea21639b0d02ba158fa
      • Opcode Fuzzy Hash: 4d3c068b07ec5fce6d9273f5b487f9c815bb7a17f2cdc34182bbc4932eb09fa6
      • Instruction Fuzzy Hash: 15114C713066018BE7009F68C88075A7BF4BF45364F158A6AF4A8CBB85EB74E844CB62
      APIs
      • GetSystemTimeAsFileTime.KERNEL32 ref: 6CF86289
      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CEF13B9), ref: 6CF8629A
      • GetCurrentThreadId.KERNEL32 ref: 6CF862A2
      • GetTickCount.KERNEL32 ref: 6CF862AA
      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CEF13B9), ref: 6CF862B9
      Memory Dump Source
      • Source File: 00000011.00000002.1465638966.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 00000011.00000002.1465555088.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1465951309.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466038937.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466133630.000000006CF8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466222302.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466591489.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466908400.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467015638.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467128542.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467260191.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
      • String ID:
      • API String ID: 1445889803-0
      • Opcode ID: 5138bef41ad46bcb539b7678f9cec4d6e251c184a6b8dff8cd8ca8e69ff70228
      • Instruction ID: 8a48faa0f7417bd3c16142851ccac6621372e95a0bf2207f183557ee183df5d4
      • Opcode Fuzzy Hash: 5138bef41ad46bcb539b7678f9cec4d6e251c184a6b8dff8cd8ca8e69ff70228
      • Instruction Fuzzy Hash: 47115EB5A563008BDF00DF79E58865BBBF4FB8A365F050D39E894C6604EB31D4488B92
      APIs
      • WaitForSingleObject.KERNEL32 ref: 6CF85E10
      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CF845D9), ref: 6CF85E1C
      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CF845D9), ref: 6CF85E2E
      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CF845D9), ref: 6CF85E3E
      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CF845D9), ref: 6CF85E50
      Memory Dump Source
      • Source File: 00000011.00000002.1465638966.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 00000011.00000002.1465555088.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1465951309.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466038937.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466133630.000000006CF8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466222302.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466591489.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466908400.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467015638.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467128542.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467260191.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeave$ObjectSingleWait
      • String ID:
      • API String ID: 1755037574-0
      • Opcode ID: 9ebc32adf45ac8d6408fa42855588be0689641ce1bf7dd506f732dbc169a3ee7
      • Instruction ID: d62efbe3ee432f89037dbced19befd05f0ce2ac54cb45c2ba2fdf732f8a6c27f
      • Opcode Fuzzy Hash: 9ebc32adf45ac8d6408fa42855588be0689641ce1bf7dd506f732dbc169a3ee7
      • Instruction Fuzzy Hash: DB015EB1508308CFEB00FFB9DE8961ABBB4AF42210F410529DCD087250D731A468CBA7
      APIs
      Strings
      • Mingw-w64 runtime failure:, xrefs: 6CF87248
      Memory Dump Source
      • Source File: 00000011.00000002.1465638966.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      • Associated: 00000011.00000002.1465555088.000000006CEF0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1465951309.000000006CF88000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466038937.000000006CF89000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466133630.000000006CF8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466222302.000000006CF8F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466591489.000000006D038000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D03E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466695672.000000006D043000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1466908400.000000006D056000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467015638.000000006D05D000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467128542.000000006D05E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000011.00000002.1467260191.000000006D061000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: abortfwritevfprintf
      • String ID: Mingw-w64 runtime failure:
      • API String ID: 3176311984-2889761391
      • Opcode ID: ed5760d6f4a342660183ca49d9ef055e2923ebad01eb511e9ff009d0c96f0f1e
      • Instruction ID: f1cec573db6228bf530a8f32453f9ff094156d5a3643d90bc821143d391afb1f
      • Opcode Fuzzy Hash: ed5760d6f4a342660183ca49d9ef055e2923ebad01eb511e9ff009d0c96f0f1e
      • Instruction Fuzzy Hash: 2CE0AEB010A3089FD300AFA5C08539EBAF4AF89348F01891DE0D84B741DB7994898F53
      APIs
      • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CEF12A5), ref: 6CF86709
      Strings
      • Unknown pseudo relocation bit size %d., xrefs: 6CF86799
      • Unknown pseudo relocation protocol version %d., xrefs: 6CF86864
      Memory Dump Source
      • Source File: 00000011.00000002.1465638966.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: ProtectVirtual
      • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
      • API String ID: 544645111-395989641
      • Opcode ID: dc321d28c642da7b64332a36242c8e326f56aa975f9b164b572e2824e66a3349
      • Instruction ID: a6636237cc3a11f6b884675fb389586b3e8e90ed16205ca8c6df33d005e8481a
      • Opcode Fuzzy Hash: dc321d28c642da7b64332a36242c8e326f56aa975f9b164b572e2824e66a3349
      • Instruction Fuzzy Hash: 4961F235A223568FCF08CF68C5C069DB7B1FF85318F258A29F814DBB18D330A8458B82
      APIs
      Memory Dump Source
      • Source File: 00000011.00000002.1465638966.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEF0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_17_2_6cef0000_rundll32.jbxd
      Similarity
      • API ID: CriticalSection$EnterErrorLastLeaveValue
      • String ID:
      • API String ID: 682475483-0
      • Opcode ID: 945fd69a4910b9caa04b66e4a29bf079224e8d62e5a4434c984a335def861f2a
      • Instruction ID: fae3eb44afdbae979aab77531f8ba986c5ea90d43cd06d2ec84f93db29839ca4
      • Opcode Fuzzy Hash: 945fd69a4910b9caa04b66e4a29bf079224e8d62e5a4434c984a335def861f2a
      • Instruction Fuzzy Hash: EDF0C8719012058FEF007F7DD6C9A1A7BB4EE45354B050568ED88C7708E730E418CBA3