Edit tour

Windows Analysis Report
FQElDjFG5t.exe

Overview

General Information

Sample Name:	FQElDjFG5t.exe
Original Sample Name:	6b44d99b258c275ee7fcf230da177f3e.exe
Analysis ID:	1352543
MD5:	6b44d99b258c275ee7fcf230da177f3e
SHA1:	833a461f6d479d164b453cc9f5f51259d991b1b7
SHA256:	1aecadf489a6dd7a3a6e5dfda9425673a9d04d38a5cb6b0b8f961536c11237ed
Tags:	64exeSliver
Infos:

Detection

Sliver

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Sliver Implants

Potentially malicious time measurement code found

Found inlined nop instructions (likely shell or obfuscated code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Installs a raw input device (often for capturing keystrokes)

Detected TCP or UDP traffic on non-standard ports

PE file contains sections with non-standard names

Detected potential crypto function

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Contains functionality for execution timing, often used to detect debuggers

Classification

Process Tree

System is w10x64

FQElDjFG5t.exe (PID: 616 cmdline: C:\Users\user\Desktop\FQElDjFG5t.exe MD5: 6B44D99B258C275EE7FCF230DA177F3E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Sliver	According to VK9 Seecurity, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.	No Attribution	https://asec.ahnlab.com/en/47088/ https://asec.ahnlab.com/en/55652/ https://asec.ahnlab.com/en/56941/ https://embee-research.ghost.io/shodan-censys-queries/ https://github.com/BishopFox/sliver	https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
FQElDjFG5t.exe	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0xbe9a14:$a1: ).RequestResend 0xbddf49:$a2: ).GetPrivInfo
FQElDjFG5t.exe	INDICATOR_TOOL_Sliver	Detects Sliver implant cross-platform adversary emulation/red team	ditekSHen	0x95ded1:$s3: .WGTCPForwarder 0x95e954:$s3: .WGTCPForwarder 0x9602eb:$s3: .WGTCPForwarder 0x960dc0:$s3: .WGTCPForwarder 0x962f7c:$s3: .WGTCPForwarder 0x963c38:$s3: .WGTCPForwarder 0x95a8d0:$s6: .BackdoorReq 0x95de2f:$s7: .ProcessDumpReq 0x960108:$s8: .InvokeSpawnDllReq 0x9563ff:$s9: .SpawnDll 0x95aa08:$s9: .SpawnDll

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3280051062.000000C00010E000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmp	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0x72c14:$a1: ).RequestResend 0x67149:$a2: ).GetPrivInfo
00000000.00000000.2020196596.0000000000D88000.00000002.00000001.01000000.00000003.sdmp	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0x72c14:$a1: ).RequestResend 0x67149:$a2: ).GetPrivInfo
Process Memory Space: FQElDjFG5t.exe PID: 616	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
Process Memory Space: FQElDjFG5t.exe PID: 616	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0x4b19b:$a1: ).RequestResend 0x7fff1:$a1: ).RequestResend 0x3f6d0:$a2: ).GetPrivInfo 0x74b59:$a2: ).GetPrivInfo

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.FQElDjFG5t.exe.210000.0.unpack	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0xbe9a14:$a1: ).RequestResend 0xbddf49:$a2: ).GetPrivInfo
0.2.FQElDjFG5t.exe.210000.0.unpack	INDICATOR_TOOL_Sliver	Detects Sliver implant cross-platform adversary emulation/red team	ditekSHen	0x95ded1:$s3: .WGTCPForwarder 0x95e954:$s3: .WGTCPForwarder 0x9602eb:$s3: .WGTCPForwarder 0x960dc0:$s3: .WGTCPForwarder 0x962f7c:$s3: .WGTCPForwarder 0x963c38:$s3: .WGTCPForwarder 0x95a8d0:$s6: .BackdoorReq 0x95de2f:$s7: .ProcessDumpReq 0x960108:$s8: .InvokeSpawnDllReq 0x9563ff:$s9: .SpawnDll 0x95aa08:$s9: .SpawnDll
0.0.FQElDjFG5t.exe.210000.0.unpack	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0xbe9a14:$a1: ).RequestResend 0xbddf49:$a2: ).GetPrivInfo
0.0.FQElDjFG5t.exe.210000.0.unpack	INDICATOR_TOOL_Sliver	Detects Sliver implant cross-platform adversary emulation/red team	ditekSHen	0x95ded1:$s3: .WGTCPForwarder 0x95e954:$s3: .WGTCPForwarder 0x9602eb:$s3: .WGTCPForwarder 0x960dc0:$s3: .WGTCPForwarder 0x962f7c:$s3: .WGTCPForwarder 0x963c38:$s3: .WGTCPForwarder 0x95a8d0:$s6: .BackdoorReq 0x95de2f:$s7: .ProcessDumpReq 0x960108:$s8: .InvokeSpawnDllReq 0x9563ff:$s9: .SpawnDll 0x95aa08:$s9: .SpawnDll

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: FQElDjFG5t.exe	ReversingLabs: Detection: 50%
Source: FQElDjFG5t.exe	Virustotal: Detection: 59%			Perma Link

Source: FQElDjFG5t.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 4x nop then mov rdi, 0000800000000000h		0_2_00237120
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 4x nop then mov rsi, r9		0_2_00237EC0

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 94.198.53.143:8888

Source: unknown	TCP traffic detected without corresponding DNS query: 94.198.53.143
Source: unknown	TCP traffic detected without corresponding DNS query: 94.198.53.143
Source: unknown	TCP traffic detected without corresponding DNS query: 94.198.53.143
Source: unknown	TCP traffic detected without corresponding DNS query: 94.198.53.143
Source: unknown	TCP traffic detected without corresponding DNS query: 94.198.53.143
Source: unknown	TCP traffic detected without corresponding DNS query: 94.198.53.143
Source: unknown	TCP traffic detected without corresponding DNS query: 94.198.53.143
Source: unknown	TCP traffic detected without corresponding DNS query: 94.198.53.143
Source: unknown	TCP traffic detected without corresponding DNS query: 94.198.53.143
Source: unknown	TCP traffic detected without corresponding DNS query: 94.198.53.143
Source: unknown	TCP traffic detected without corresponding DNS query: 94.198.53.143
Source: unknown	TCP traffic detected without corresponding DNS query: 94.198.53.143
Source: unknown	TCP traffic detected without corresponding DNS query: 94.198.53.143
Source: unknown	TCP traffic detected without corresponding DNS query: 94.198.53.143

Source: FQElDjFG5t.exe, 00000000.00000002.3280051062.000000C00016C000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_4b7d096d-5

System Summary

Malicious sample detected (through community Yara rule)

Source: FQElDjFG5t.exe, type: SAMPLE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: FQElDjFG5t.exe, type: SAMPLE	Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 0.2.FQElDjFG5t.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 0.2.FQElDjFG5t.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 0.0.FQElDjFG5t.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 0.0.FQElDjFG5t.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 00000000.00000000.2020196596.0000000000D88000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: Process Memory Space: FQElDjFG5t.exe PID: 616, type: MEMORYSTR	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown

Source: FQElDjFG5t.exe, type: SAMPLE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: FQElDjFG5t.exe, type: SAMPLE	Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 0.2.FQElDjFG5t.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 0.2.FQElDjFG5t.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 0.0.FQElDjFG5t.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 0.0.FQElDjFG5t.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 00000000.00000000.2020196596.0000000000D88000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: Process Memory Space: FQElDjFG5t.exe PID: 616, type: MEMORYSTR	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14

Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_00256860	0_2_00256860
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_002160A0	0_2_002160A0
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_002580A0	0_2_002580A0
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_0021D120	0_2_0021D120
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_00239120	0_2_00239120
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_00237120	0_2_00237120
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_00216980	0_2_00216980
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_00234980	0_2_00234980
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_0022E260	0_2_0022E260
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_00256A40	0_2_00256A40
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_00224B40	0_2_00224B40
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_0021BBA0	0_2_0021BBA0
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_002433C0	0_2_002433C0
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_0022BCA0	0_2_0022BCA0
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_00233CC0	0_2_00233CC0
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_0022F520	0_2_0022F520
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_0021C560	0_2_0021C560
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_00240560	0_2_00240560
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_002375A0	0_2_002375A0
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_00223E60	0_2_00223E60
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_00216E40	0_2_00216E40
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_00237EC0	0_2_00237EC0
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_00219740	0_2_00219740
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_00253FA0	0_2_00253FA0
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_00228F80	0_2_00228F80
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: 0_2_00245FE0	0_2_00245FE0

Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: String function: 002572E0 appears 37 times
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Code function: String function: 00242BC0 appears 304 times

Source: FQElDjFG5t.exe	ReversingLabs: Detection: 50%
Source: FQElDjFG5t.exe	Virustotal: Detection: 59%

Source: C:\Users\user\Desktop\FQElDjFG5t.exe

File read: C:\Users\user\Desktop\FQElDjFG5t.exe

Jump to behavior

Source: FQElDjFG5t.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FQElDjFG5t.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\FQElDjFG5t.exe

File opened: C:\Windows\system32\32d5d4ec2242a952d34df308cf2233ed2d63c0984b18cb8445435f26968b52e0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: classification engine

Classification label: mal68.troj.evad.winEXE@1/0@0/1

Source: FQElDjFG5t.exe

Static file information: File size 15886848 > 1048576

Source: FQElDjFG5t.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: FQElDjFG5t.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x93e800
Source: FQElDjFG5t.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x57e800

Source: FQElDjFG5t.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: FQElDjFG5t.exe

Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\FQElDjFG5t.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\FQElDjFG5t.exe

Code function: 0_2_0026B7A0 rdtscp

0_2_0026B7A0

Source: FQElDjFG5t.exe, 00000000.00000002.3280763749.000001B6C116C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllII

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\FQElDjFG5t.exe

Code function: 0_2_0026B7A0 Start: 0026B7A9 End: 0026B7BF

0_2_0026B7A0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\FQElDjFG5t.exe

Code function: 0_2_0026B7A0 rdtscp

0_2_0026B7A0

Source: C:\Users\user\Desktop\FQElDjFG5t.exe

Queries volume information: C:\Users\user\Desktop\FQElDjFG5t.exe VolumeInformation

Jump to behavior

Stealing of Sensitive Information

Yara detected Sliver Implants

Source: Yara match	File source: 00000000.00000002.3280051062.000000C00010E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FQElDjFG5t.exe PID: 616, type: MEMORYSTR

Remote Access Functionality

Yara detected Sliver Implants

Source: Yara match	File source: 00000000.00000002.3280051062.000000C00010E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FQElDjFG5t.exe PID: 616, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Deobfuscate/Decode Files or Information	11 Input Capture	11 Security Software Discovery	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Obfuscated Files or Information	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
FQElDjFG5t.exe	50%	ReversingLabs	Win64.Trojan.TangoMarte
FQElDjFG5t.exe	60%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.198.53.143	unknown	Russian Federation		56694	DHUBRU	false

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1352543
Start date and time:	2023-12-03 14:50:10 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	FQElDjFG5t.exe renamed because original name is a hash value
Original Sample Name:	6b44d99b258c275ee7fcf230da177f3e.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target FQElDjFG5t.exe, PID 616 because there are no executed function

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DHUBRU	6.exe	Get hash	malicious	Unknown	Browse	188.127.230.235
	https://www.thestageonbroadway.com	Get hash	malicious	Unknown	Browse	188.127.230.189
	HCLcleanupcachecookiebacupcleanall.doc	Get hash	malicious	Remcos	Browse	188.127.249.32
	approval_order_PO.docx.doc	Get hash	malicious	Remcos	Browse	188.127.249.32
	https://andreeasasser.com	Get hash	malicious	Unknown	Browse	188.127.230.189
	http://www.southportland.org	Get hash	malicious	Unknown	Browse	188.127.231.166
	http://gnavigatio.com	Get hash	malicious	Unknown	Browse	188.127.227.131
	n3azp2aT3v.exe	Get hash	malicious	Unknown	Browse	94.198.50.231
	n3azp2aT3v.exe	Get hash	malicious	Unknown	Browse	94.198.50.231
	iIxNeD04JI.exe	Get hash	malicious	Unknown	Browse	94.198.50.231
	iIxNeD04JI.exe	Get hash	malicious	Unknown	Browse	94.198.50.231
	Browser_updates_14.0.6336.js	Get hash	malicious	NetSupport RAT	Browse	188.127.230.98
	https://cristinaamaro.com/cdn/help.php?671	Get hash	malicious	NetSupport RAT	Browse	188.127.230.98
	Hilix.mips.elf	Get hash	malicious	Mirai	Browse	91.199.137.77
	Chrome_update.js	Get hash	malicious	NetSupport RAT	Browse	188.127.227.119
	Remittance76_PO_876543.htm	Get hash	malicious	Unknown	Browse	188.127.227.223
	Remittance76_PO_876543.htm	Get hash	malicious	Unknown	Browse	188.127.227.223
	8zUWZCJ5Ze.elf	Get hash	malicious	Mirai	Browse	91.199.137.62
	24a93ddf60120497dd5848ec03147621840eb5b371d81.exe	Get hash	malicious	NetSupport RAT	Browse	185.9.147.202
	24a93ddf60120497dd5848ec03147621840eb5b371d81.exe	Get hash	malicious	NetSupport RAT	Browse	185.9.147.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.118170899262842
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	FQElDjFG5t.exe
File size:	15'886'848 bytes
MD5:	6b44d99b258c275ee7fcf230da177f3e
SHA1:	833a461f6d479d164b453cc9f5f51259d991b1b7
SHA256:	1aecadf489a6dd7a3a6e5dfda9425673a9d04d38a5cb6b0b8f961536c11237ed
SHA512:	5ed0cb03aa7f84445cd45e51836deb95fb62b9cb6b578f1ee173639464ea850b68ad27f79160207895f92b0cebda6972cfa5937bbd6bb28d0cb074907cdfb8b0
SSDEEP:	98304:KXX+aiZFtuYvgK408HLwkoS9fye+ZV6zEmHyd6ceCSGp:K0tzvf4bHUkT9fd+ZdmPk
TLSH:	9BF61A03F8951594C4F9D1B489218262FA70785C0B7973DF6BA1F7B42B327E09EBA790
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........h........".................@.........@...........................................`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x45d040
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	f0ea7b7844bbc5bfa9bb32efdcea957c

Entrypoint Preview

Instruction
jmp 00007F947CE227B0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
dec eax
sub esp, 30h
dec ecx
mov ebp, ecx
dec ecx
mov edi, eax
dec eax
mov edx, dword ptr [00EFDBE3h]
dec eax
mov edx, dword ptr [edx]
dec eax
cmp edx, 00000000h
jne 00007F947CE2647Eh
dec eax
mov eax, 00000000h
jmp 00007F947CE26543h
dec eax
mov edx, dword ptr [edx]
dec eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf6f000	0x490	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf70000	0x279b0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xebf040	0x148	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x93e7fd	0x93e800	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x940000	0x57e788	0x57e800	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xebf000	0xaf350	0x41200	False	0.38803832773512476	data	4.773375836859468	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xf6f000	0x490	0x600	False	0.3372395833333333	data	3.6139814069913854	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xf70000	0x279b0	0x27a00	False	0.13942355086750788	data	5.4438349548067215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0xf98000	0x4	0x200	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2023 14:51:00.311356068 CET	49705	8888	192.168.2.5	94.198.53.143
Dec 3, 2023 14:51:00.519615889 CET	8888	49705	94.198.53.143	192.168.2.5
Dec 3, 2023 14:51:01.030443907 CET	49705	8888	192.168.2.5	94.198.53.143
Dec 3, 2023 14:51:01.240024090 CET	8888	49705	94.198.53.143	192.168.2.5
Dec 3, 2023 14:51:01.749279022 CET	49705	8888	192.168.2.5	94.198.53.143
Dec 3, 2023 14:51:01.957565069 CET	8888	49705	94.198.53.143	192.168.2.5
Dec 3, 2023 14:51:02.467902899 CET	49705	8888	192.168.2.5	94.198.53.143
Dec 3, 2023 14:51:02.676217079 CET	8888	49705	94.198.53.143	192.168.2.5
Dec 3, 2023 14:51:03.186655045 CET	49705	8888	192.168.2.5	94.198.53.143
Dec 3, 2023 14:51:03.395139933 CET	8888	49705	94.198.53.143	192.168.2.5
Dec 3, 2023 14:52:03.397701979 CET	49713	8888	192.168.2.5	94.198.53.143
Dec 3, 2023 14:52:03.605952024 CET	8888	49713	94.198.53.143	192.168.2.5
Dec 3, 2023 14:52:04.115473986 CET	49713	8888	192.168.2.5	94.198.53.143
Dec 3, 2023 14:52:04.328780890 CET	8888	49713	94.198.53.143	192.168.2.5
Dec 3, 2023 14:52:04.834007978 CET	49713	8888	192.168.2.5	94.198.53.143
Dec 3, 2023 14:52:05.042041063 CET	8888	49713	94.198.53.143	192.168.2.5
Dec 3, 2023 14:52:05.552767038 CET	49713	8888	192.168.2.5	94.198.53.143
Dec 3, 2023 14:52:05.768969059 CET	8888	49713	94.198.53.143	192.168.2.5
Dec 3, 2023 14:52:06.271625042 CET	49713	8888	192.168.2.5	94.198.53.143
Dec 3, 2023 14:52:06.479882002 CET	8888	49713	94.198.53.143	192.168.2.5
Dec 3, 2023 14:53:06.482491970 CET	49716	8888	192.168.2.5	94.198.53.143
Dec 3, 2023 14:53:06.690773964 CET	8888	49716	94.198.53.143	192.168.2.5
Dec 3, 2023 14:53:07.201913118 CET	49716	8888	192.168.2.5	94.198.53.143
Dec 3, 2023 14:53:07.410693884 CET	8888	49716	94.198.53.143	192.168.2.5
Dec 3, 2023 14:53:07.920677900 CET	49716	8888	192.168.2.5	94.198.53.143
Dec 3, 2023 14:53:08.158020020 CET	8888	49716	94.198.53.143	192.168.2.5
Dec 3, 2023 14:53:08.670706987 CET	49716	8888	192.168.2.5	94.198.53.143

Target ID:	0
Start time:	14:50:59
Start date:	03/12/2023
Path:	C:\Users\user\Desktop\FQElDjFG5t.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\FQElDjFG5t.exe
Imagebase:	0x210000
File size:	15'886'848 bytes
MD5 hash:	6B44D99B258C275EE7FCF230DA177F3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000000.00000002.3280051062.000000C00010E000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000000.00000000.2020196596.0000000000D88000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Function 0021C560 Relevance: 8.0, Strings: 6, Instructions: 510COMMON

Download Yara Rule

Strings

mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockspan set block with unpopped elements found in resetcompileCallback: argument size is larger than uintptrgcControllerState.findRunnable: blackening not enab, xrefs: 0021CD3F
!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 0021C8CD
malloc during signalnotetsleep not on g0p mcache not flushedreflect.makeFuncStubruntime: double waitselectgo: bad wakeupsemaRoot rotateRighttrace: out of memorywirep: already in goworkbuf is not emptyws2_32.dll not foundExtensionRangeOptionsasync stack too lar, xrefs: 0021CD50
malloc deadlockmisaligned maskmissing mcache?preempt SPWRITErecovery failedruntime error: runtimer: bad pscan missed a gstartm: m has pstopm holding psync.Mutex.Locktraceback stuck, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle), xrefs: 0021CD65
mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewruntime: unable to acquire - semaphore out of syncfatal: systemstack called from unexpected goroutinelimiterEvent.stop: invalid limiter event type foundpotentia, xrefs: 0021CD76
delayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferencepanicwrap: unexpected string after package name: runtime.reflect_makemap: unsupported map key typeruntime: unexpe, xrefs: 0021CCF7

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$delayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferencepanicwrap: unexpected string after package name: runtime.reflect_makemap: unsupported map key typeruntime: unexpe$malloc deadlockmisaligned maskmissing mcache?preempt SPWRITErecovery failedruntime error: runtimer: bad pscan missed a gstartm: m has pstopm holding psync.Mutex.Locktraceback stuck, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)$malloc during signalnotetsleep not on g0p mcache not flushedreflect.makeFuncStubruntime: double waitselectgo: bad wakeupsemaRoot rotateRighttrace: out of memorywirep: already in goworkbuf is not emptyws2_32.dll not foundExtensionRangeOptionsasync stack too lar$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewruntime: unable to acquire - semaphore out of syncfatal: systemstack called from unexpected goroutinelimiterEvent.stop: invalid limiter event type foundpotentia$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockspan set block with unpopped elements found in resetcompileCallback: argument size is larger than uintptrgcControllerState.findRunnable: blackening not enab
API String ID: 0-101214207
Opcode ID: 0e473ff9c561d72fd1d1afa45c9f15abc78760d71a254a792b6b7ef71dcf6857
Instruction ID: 02e5c1ddbbe096b66ea0d91c4e4c6053133ecef19be0f853f8679ec5600eacae
Opcode Fuzzy Hash: 0e473ff9c561d72fd1d1afa45c9f15abc78760d71a254a792b6b7ef71dcf6857
Instruction Fuzzy Hash: 9122F27A268B9482DB14CF15E0407EABBA5F3A8BD4F645122EF8D07755CB78C8E4CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0021BBA0 Relevance: 6.6, Strings: 5, Instructions: 349COMMON

Download Yara Rule

Strings

misrounded allocation in sysAllocruntime: failed to decommit pagesruntime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent loc, xrefs: 0021C23A
memory reservation exceeds address space limitpanicwrap: unexpected string after type name: released less than one physical page of memoryruntime: name offset base pointer out of rangeruntime: text offset base pointer out of rangeruntime: type offset base poin, xrefs: 0021C24B
out of memory allocating heap arena mapruntime: blocked write on free polldescstack growth not allowed in system callsuspendG from non-preemptible goroutinetrailing backslash at end of expressionbulkBarrierPreWrite: unaligned argumentscannot free workbufs when, xrefs: 0021BF68
out of memory allocating heap arena metadataspan on userArena.faultList has invalid sizeunsafe.Slice: ptr is nil and len is not zeroexitsyscall: syscall frame is no longer validproduced a trigger greater than the heap goaltransitioning GC to the same state as , xrefs: 0021BF46
out of memory allocating allArenasruntime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll, xrefs: 0021BF35

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: memory reservation exceeds address space limitpanicwrap: unexpected string after type name: released less than one physical page of memoryruntime: name offset base pointer out of rangeruntime: text offset base pointer out of rangeruntime: type offset base poin$misrounded allocation in sysAllocruntime: failed to decommit pagesruntime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent loc$out of memory allocating allArenasruntime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll$out of memory allocating heap arena mapruntime: blocked write on free polldescstack growth not allowed in system callsuspendG from non-preemptible goroutinetrailing backslash at end of expressionbulkBarrierPreWrite: unaligned argumentscannot free workbufs when$out of memory allocating heap arena metadataspan on userArena.faultList has invalid sizeunsafe.Slice: ptr is nil and len is not zeroexitsyscall: syscall frame is no longer validproduced a trigger greater than the heap goaltransitioning GC to the same state as
API String ID: 0-1643033615
Opcode ID: ce10a2faa6ffb2736525d080221c15718faaa40f7fe48bda1b522bdefbe25f75
Instruction ID: a4bac948091c3992fc3db30ac824aa5aa89b4f747d5971065a8112e2859de05e
Opcode Fuzzy Hash: ce10a2faa6ffb2736525d080221c15718faaa40f7fe48bda1b522bdefbe25f75
Instruction Fuzzy Hash: 35F1AC36618B8482DB648F52E4403EAB7A5F399B94F448222EFAD53789CF7CC495CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00228F80 Relevance: 5.5, Strings: 4, Instructions: 545COMMON

Download Yara Rule

Strings

gc done but gcphase != _GCoffgfput: bad status (not Gdead)invalid character class rangeinvalid function symbol tableinvalid length of trace eventneed padding in bucket (elem)notesleep - waitm out of syncruntime.semasleep wait_failedruntime: impossible type kin, xrefs: 0022997D
., xrefs: 00229666
failed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile bucket typemakechan: size out of rangemakeslice: cap out of rangemakeslice: len out of rangemspan.sweep: bad span stateprogToPointerMask, xrefs: 0022996C
gcinggnamegroupgscanhchanhost@hostshttpsimap2imap3imapsint16int32int64json=kind=labelmatchmheapmkdirmonthmtimename=ndr:"no IPntohsoneofpanicparsepop3srangerouterune schedsleepslicesse41sse42ssse3startsudogsweeptext/tls: traceuint8unameusageutf-8valueweak=write, xrefs: 00229057, 0022906D

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: .$failed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile bucket typemakechan: size out of rangemakeslice: cap out of rangemakeslice: len out of rangemspan.sweep: bad span stateprogToPointerMask$gc done but gcphase != _GCoffgfput: bad status (not Gdead)invalid character class rangeinvalid function symbol tableinvalid length of trace eventneed padding in bucket (elem)notesleep - waitm out of syncruntime.semasleep wait_failedruntime: impossible type kin$gcinggnamegroupgscanhchanhost@hostshttpsimap2imap3imapsint16int32int64json=kind=labelmatchmheapmkdirmonthmtimename=ndr:"no IPntohsoneofpanicparsepop3srangerouterune schedsleepslicesse41sse42ssse3startsudogsweeptext/tls: traceuint8unameusageutf-8valueweak=write
API String ID: 0-2811292124
Opcode ID: a47648213e44e0b2cd38835db5e7a1d4737406afe4e14a8b1998d1afb585018a
Instruction ID: a87f68f972533781afc27b9d4f258469a9fb0326e302aa0de9417070933130a1
Opcode Fuzzy Hash: a47648213e44e0b2cd38835db5e7a1d4737406afe4e14a8b1998d1afb585018a
Instruction Fuzzy Hash: 6A42AE32618B8496EB15CF65F8803EAB3A5F78AB80F449226DB8D53765EF7DC494C700

Uniqueness

Uniqueness Score: -1.00%

Function 00216E40 Relevance: 4.2, Strings: 3, Instructions: 418COMMON

Download Yara Rule

Strings

@w!, xrefs: 002172BD
G waiting list is corruptedaddress not a stack addresscould not find QPC syscallsexpression nests too deeplyfailed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile bucket typemakechan: size ou, xrefs: 002173A4
unreachableabi mismatchbad flushGenbad g statusbad g0 stackbad recoverycan't happencas64 failedchan receivedumping heapentersyscallgcBitsArenaslfstack.pushmheapSpecialmspanSpecialself-preemptspanSetSpinesweepWaiterstraceStringsunexpected ) is nil, not , not po, xrefs: 00216FF0

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: @w!$G waiting list is corruptedaddress not a stack addresscould not find QPC syscallsexpression nests too deeplyfailed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile bucket typemakechan: size ou$unreachableabi mismatchbad flushGenbad g statusbad g0 stackbad recoverycan't happencas64 failedchan receivedumping heapentersyscallgcBitsArenaslfstack.pushmheapSpecialmspanSpecialself-preemptspanSetSpinesweepWaiterstraceStringsunexpected ) is nil, not , not po
API String ID: 0-1347575037
Opcode ID: 8df25ac7a03e1fe505576296fe86e7b4d42b685ab5aee26f2dab71778f45e3d4
Instruction ID: a916fa8039cad585aef4e0b22181374240871e7a422f6c1e50e3b51d018ea1db
Opcode Fuzzy Hash: 8df25ac7a03e1fe505576296fe86e7b4d42b685ab5aee26f2dab71778f45e3d4
Instruction Fuzzy Hash: 20029C72628B8486DB24DF25E44439EA7B1F799BC0F589025DE8C47B59CF79C8E5CB00

Uniqueness

Uniqueness Score: -1.00%

Function 002160A0 Relevance: 4.1, Strings: 3, Instructions: 381COMMON

Download Yara Rule

Strings

@w!, xrefs: 002164AE
G waiting list is corruptedaddress not a stack addresscould not find QPC syscallsexpression nests too deeplyfailed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile bucket typemakechan: size ou, xrefs: 00216686
unreachableabi mismatchbad flushGenbad g statusbad g0 stackbad recoverycan't happencas64 failedchan receivedumping heapentersyscallgcBitsArenaslfstack.pushmheapSpecialmspanSpecialself-preemptspanSetSpinesweepWaiterstraceStringsunexpected ) is nil, not , not po, xrefs: 0021619B

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: @w!$G waiting list is corruptedaddress not a stack addresscould not find QPC syscallsexpression nests too deeplyfailed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile bucket typemakechan: size ou$unreachableabi mismatchbad flushGenbad g statusbad g0 stackbad recoverycan't happencas64 failedchan receivedumping heapentersyscallgcBitsArenaslfstack.pushmheapSpecialmspanSpecialself-preemptspanSetSpinesweepWaiterstraceStringsunexpected ) is nil, not , not po
API String ID: 0-1347575037
Opcode ID: c4751e29e3f97bf0e4f963a0877252c1d2e944dd63c595520dd3de37cfd191db
Instruction ID: 56f4b4b9463fff8e56fe2b612578898d1c151b9562c19650092ecc293b30a577
Opcode Fuzzy Hash: c4751e29e3f97bf0e4f963a0877252c1d2e944dd63c595520dd3de37cfd191db
Instruction Fuzzy Hash: 3AF1D072224B84C6D7109F21E4443DEB7A1F799BE0F985225DA9C47B99CF79C8E4CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00256860 Relevance: 3.9, Strings: 3, Instructions: 124COMMON

Download Yara Rule

Strings

reflect.methodValueCallruntime: internal errorruntime: netpoll faileds.allocCount > s.nelemsschedule: holding locksshrinkstack at bad timespan has no free stacksstack growth after forkwork.nwait > work.nprocbad defer entry in panicbypassed recovery failedcan't, xrefs: 002568CC
reflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC assist markingbad TinySizeClassentersyscallblockg already scannedgp.waiting != nilkey align too biglocked m0 woke upmark - bad statusmarkBits overflowmissing c, xrefs: 002569DE, 00256A18
reflect.makeFuncStubruntime: double waitselectgo: bad wakeupsemaRoot rotateRighttrace: out of memorywirep: already in goworkbuf is not emptyws2_32.dll not foundExtensionRangeOptionsasync stack too largecheckdead: runnable gconcurrent map writesdefer on system , xrefs: 002568E6

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: reflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC assist markingbad TinySizeClassentersyscallblockg already scannedgp.waiting != nilkey align too biglocked m0 woke upmark - bad statusmarkBits overflowmissing c$reflect.makeFuncStubruntime: double waitselectgo: bad wakeupsemaRoot rotateRighttrace: out of memorywirep: already in goworkbuf is not emptyws2_32.dll not foundExtensionRangeOptionsasync stack too largecheckdead: runnable gconcurrent map writesdefer on system $reflect.methodValueCallruntime: internal errorruntime: netpoll faileds.allocCount > s.nelemsschedule: holding locksshrinkstack at bad timespan has no free stacksstack growth after forkwork.nwait > work.nprocbad defer entry in panicbypassed recovery failedcan't
API String ID: 0-3319628484
Opcode ID: 6fd36594a6b5bdd9bea86ef5ca11426470dbf57a6e3985906778bc6bc6556db7
Instruction ID: 80bf2e8e89fb062e768b28ff4149b245fb6e0c32f7012d888a9c326282fba485
Opcode Fuzzy Hash: 6fd36594a6b5bdd9bea86ef5ca11426470dbf57a6e3985906778bc6bc6556db7
Instruction Fuzzy Hash: 07518433324A45C6CB10DF19E18125EB761F788BE4F985221EF9D577A9CB38C869CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00240560 Relevance: 2.7, Strings: 2, Instructions: 249COMMON

Download Yara Rule

Strings

runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsattempted to add zero-sized address rangegcSweep being done but phase is not GCoffmheap.freeSpanLocked - invalid span statemheap.freeSpanLocked - invalid stack freeobjects added ou, xrefs: 002409AE
self-preemptspanSetSpinesweepWaiterstraceStringsunexpected ) is nil, not , not pointerGC sweep waitbad map statedalTLDpSugct?double unlockfilter methodinvalid UTF-8load64 failedmin too largenil stackbaseout of memoryprofMemActiveprofMemFuturetraceStackTabvalue, xrefs: 002409BF

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsattempted to add zero-sized address rangegcSweep being done but phase is not GCoffmheap.freeSpanLocked - invalid span statemheap.freeSpanLocked - invalid stack freeobjects added ou$self-preemptspanSetSpinesweepWaiterstraceStringsunexpected ) is nil, not , not pointerGC sweep waitbad map statedalTLDpSugct?double unlockfilter methodinvalid UTF-8load64 failedmin too largenil stackbaseout of memoryprofMemActiveprofMemFuturetraceStackTabvalue
API String ID: 0-1298296546
Opcode ID: 2b3f8bfcea3e2a6b3a7f930ef1e7608e0ad8cd1a88b84b946f715cb51b575f27
Instruction ID: d7f682c9fb5a837092eaf2cf61770c4d821e55e3b2f50f08ab9af0b898497222
Opcode Fuzzy Hash: 2b3f8bfcea3e2a6b3a7f930ef1e7608e0ad8cd1a88b84b946f715cb51b575f27
Instruction Fuzzy Hash: FEC17C36615F8082DB15DF25F48139AB760F78AB94F158236EBAC83B99DF39C091CB40

Uniqueness

Uniqueness Score: -1.00%

Function 002433C0 Relevance: 2.7, Strings: 2, Instructions: 246COMMON

Download Yara Rule

Strings

invalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC assist markingbad TinySizeClassentersyscallblockg already scannedgp.waiting != nilkey align too, xrefs: 002437D6
suspendG from non-preemptible goroutinetrailing backslash at end of expressionbulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0deferproc: d.panic != nil after newdeferfailed to acquire lock to reset capacityinvalid span in heapAr, xrefs: 002437E7

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: invalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC assist markingbad TinySizeClassentersyscallblockg already scannedgp.waiting != nilkey align too$suspendG from non-preemptible goroutinetrailing backslash at end of expressionbulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0deferproc: d.panic != nil after newdeferfailed to acquire lock to reset capacityinvalid span in heapAr
API String ID: 0-3430136995
Opcode ID: 4047015615d7494dfac294171a59691806bf92681dbf1bfcac72b4239276a80e
Instruction ID: c038e5be857faeb02e7aa6309bd0b45e44a03686695281d6dccadadb1d82b134
Opcode Fuzzy Hash: 4047015615d7494dfac294171a59691806bf92681dbf1bfcac72b4239276a80e
Instruction Fuzzy Hash: 19A18F76228B80C2C718CF26F0417AABB61F38ABD0F458166EF9D17B59CB79C551CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00245FE0 Relevance: 2.7, Strings: 2, Instructions: 237COMMON

Download Yara Rule

Strings

casgstatus: waiting for Gwaiting but is Grunnabledelayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferencepanicwrap: unexpected string after package name: runtime.reflect, xrefs: 00246365
casgstatus: bad incoming valuescheckmark found unmarked objectinternal error - misuse of itabnon in-use span in unswept listresetspinning: not a spinning mruntime: cannot allocate memoryruntime: failed to commit pagesslice bounds out of range [%x:]slice bounds, xrefs: 00246394

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: casgstatus: bad incoming valuescheckmark found unmarked objectinternal error - misuse of itabnon in-use span in unswept listresetspinning: not a spinning mruntime: cannot allocate memoryruntime: failed to commit pagesslice bounds out of range [%x:]slice bounds$casgstatus: waiting for Gwaiting but is Grunnabledelayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferencepanicwrap: unexpected string after package name: runtime.reflect
API String ID: 0-2061123795
Opcode ID: 064ed48ac336a163d4a04cacae5ddb77ea8e20baa72fe821ae3d1afc97052ea4
Instruction ID: 2a47c49ed398051c8f7835e6bac987b8fb883a925a15eebed17d1642ad7940bd
Opcode Fuzzy Hash: 064ed48ac336a163d4a04cacae5ddb77ea8e20baa72fe821ae3d1afc97052ea4
Instruction Fuzzy Hash: EAA18236715A84C6DB18CF26E08935ABB61F34BB80F148126EF9D43B59CF7AC466CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00253FA0 Relevance: 1.6, Strings: 1, Instructions: 391COMMON

Download Yara Rule

Strings

!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 00254090, 00254170, 00254290, 0025438E

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
API String ID: 0-2911004680
Opcode ID: d490f03246a5b30dfdb544fd32f5b34de476dc7a2410ef522784b4d820749ba3
Instruction ID: 6c5ef227abe09c26c9b8c409d5940a6453b5b3637958341f1693ed8c22ecf317
Opcode Fuzzy Hash: d490f03246a5b30dfdb544fd32f5b34de476dc7a2410ef522784b4d820749ba3
Instruction Fuzzy Hash: 69E1E3B2324B8482DA049B41E5003A9F366F755BD5F848522EF9E47B98EFBCC5E8C744

Uniqueness

Uniqueness Score: -1.00%

Function 002375A0 Relevance: 1.6, Strings: 1, Instructions: 346COMMON

Download Yara Rule

Strings

bad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC, xrefs: 00237845, 00237B67

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: bad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC
API String ID: 0-3708075424
Opcode ID: 5ae685e05d1b9b8b8d5575c60131c33033848ea170c1315dcd455422bf87dff9
Instruction ID: e3f39232a8e8dd6e56bc92a7d04abcb536313c4051093e46ebc22470afdee053
Opcode Fuzzy Hash: 5ae685e05d1b9b8b8d5575c60131c33033848ea170c1315dcd455422bf87dff9
Instruction Fuzzy Hash: 4ED19BB6728BC882DB20CF56E44079AB326F395BC0F544126EE9E57B58DF78C565CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00234980 Relevance: 1.6, Strings: 1, Instructions: 324COMMON

Download Yara Rule

Strings

grew heap, but no adequate free space foundmethodValueCallFrameObjs is not in a modulenon in-use span found with specials bit setroot level max pages doesn't fit in summaryruntime.SetFinalizer: finalizer already setruntime.SetFinalizer: first argument is nilru, xrefs: 00234EC9

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: grew heap, but no adequate free space foundmethodValueCallFrameObjs is not in a modulenon in-use span found with specials bit setroot level max pages doesn't fit in summaryruntime.SetFinalizer: finalizer already setruntime.SetFinalizer: first argument is nilru
API String ID: 0-3933224645
Opcode ID: 2bcce78ac8fd25a6606e37d9f49ddf783ea0a3303cfbbf16289c0a070b1cbd1d
Instruction ID: 11d2f6a9cf9edcd67479ba4b2325a6f83abfa1d441ddb267e159da487d2f8804
Opcode Fuzzy Hash: 2bcce78ac8fd25a6606e37d9f49ddf783ea0a3303cfbbf16289c0a070b1cbd1d
Instruction Fuzzy Hash: 44E17DB2229B8881DB64DF16F49039AB761F789BD0F589156EF8D43B29CF38C464CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00256A40 Relevance: 1.5, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

bad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC assist markingb, xrefs: 00256D53, 00256D86

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: bad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC assist markingb
API String ID: 0-989636611
Opcode ID: adb621d7414fd0ba0e1d176b32e54071d796eb703f030779d3d72a2d0cef2f0c
Instruction ID: 8c6d4a0aef98c9cc672a74ed8dce8efccd9469cebed487f06059574c57d4eed4
Opcode Fuzzy Hash: adb621d7414fd0ba0e1d176b32e54071d796eb703f030779d3d72a2d0cef2f0c
Instruction Fuzzy Hash: 16912172324A8086CB14DF15E04435EB772F788BD2F949512EF8D57758DB78C969CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00223E60 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

bulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0deferproc: d.panic != nil after newdeferfailed to acquire lock to reset capacityinvalid span in heapArena for user arenamarkWorkerStop: unknown mark worker modemust be able to trac, xrefs: 0022414F

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: bulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0deferproc: d.panic != nil after newdeferfailed to acquire lock to reset capacityinvalid span in heapArena for user arenamarkWorkerStop: unknown mark worker modemust be able to trac
API String ID: 0-2536305361
Opcode ID: 88134ef427d7ae0eaf0ad3b284a34afd5398f1d8eead483c74f06cfed7c35e41
Instruction ID: 3e46e624d3dbba6286bdbed97ce935ae5912b752b1bef3aa10b10f8bed998ce9
Opcode Fuzzy Hash: 88134ef427d7ae0eaf0ad3b284a34afd5398f1d8eead483c74f06cfed7c35e41
Instruction Fuzzy Hash: 6171ACB2629AA4D2DB14DF96F50039AB3B2F754BC0F549026EF8907B19DF78C5B08B00

Uniqueness

Uniqueness Score: -1.00%

Function 00239120 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

bad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC, xrefs: 002393A6

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: bad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC
API String ID: 0-3708075424
Opcode ID: 08e33983636380a5a67685c2feac67b7ef5b256d35803219f3f38bed36a6b0fc
Instruction ID: a46251045cb832e2cda3dd598cb16b3111adb46c89a02089333f27a683e23779
Opcode Fuzzy Hash: 08e33983636380a5a67685c2feac67b7ef5b256d35803219f3f38bed36a6b0fc
Instruction Fuzzy Hash: 0451C0B7620B8882DB109F55E44039A7765F78ABD0F405266EFAD53799CFB8C4E4CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00224B40 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c855b4f64ad143f50b1cb1914096968fa5f728e715130c13c17eeef06de5166
Instruction ID: 66b35d9ae97d4a4f1c8fddf20e1aaf0dddb0c52ae4666c4bb1dc1df573c0787f
Opcode Fuzzy Hash: 6c855b4f64ad143f50b1cb1914096968fa5f728e715130c13c17eeef06de5166
Instruction Fuzzy Hash: 6CC16A66728BE491CA60AB96F84079AA761F389FD0F448126EF9D57B58CF78C460CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00216980 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4185b2927a126eb5136d32091d9c381e43eb3c1cd882dc5af19289a1ab42d665
Instruction ID: 6f357e7df746a791c860bfd55ed351971be9212b156c183baf68061e58ce9e9b
Opcode Fuzzy Hash: 4185b2927a126eb5136d32091d9c381e43eb3c1cd882dc5af19289a1ab42d665
Instruction Fuzzy Hash: FCB1F072229B88C5DB10CF15E1483AEB3A1FB65BC4F189026CA8D53B54CF7AC9E5C780

Uniqueness

Uniqueness Score: -1.00%

Function 00237120 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77153c868838aadf43734fdc7cd186b0aab42e722069721db3122889ce4c31f
Instruction ID: bb302c96d41becb08f9cdd53340ce8364a9a858b3ce9df0ebc784620089f4837
Opcode Fuzzy Hash: b77153c868838aadf43734fdc7cd186b0aab42e722069721db3122889ce4c31f
Instruction Fuzzy Hash: 9E9138B7628F8482DB108F15F48025AB7A5F78ABD4F545226EBAD53B99CF3CD061CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00237EC0 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a421f0efdab49721a912cdb888e59ca821a688a72a0fe75df184c34d3c508843
Instruction ID: c733598a1d38b41109c888aabd6062c29653f39552468b55e1d97e40a9be5a38
Opcode Fuzzy Hash: a421f0efdab49721a912cdb888e59ca821a688a72a0fe75df184c34d3c508843
Instruction Fuzzy Hash: 2F71AFB3728B8882DB108F15E48076AB762F796BC0F545126EB8D57B59CF7CC0A5CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0022BCA0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b408b3c690ddcd17396af7acf5866f91f5e8bb82ca619db6911387a38787a58f
Instruction ID: 9f66f8e08c57997e1ecbffe4765169546b2cf65d6f054941c27ca3ae18ea6bbb
Opcode Fuzzy Hash: b408b3c690ddcd17396af7acf5866f91f5e8bb82ca619db6911387a38787a58f
Instruction Fuzzy Hash: BB611532628B9496D7068F75F5403AAA762F796BD0F489222EF9D53B85DF78C064CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00219740 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abead951a813e5358cd0c84ee03dc574c8a30d54d624572e69f322caa0fe7548
Instruction ID: df13b612f2b9bb6ab08cfa85988c1983639865d4644ae8b4e861f4df87514d75
Opcode Fuzzy Hash: abead951a813e5358cd0c84ee03dc574c8a30d54d624572e69f322caa0fe7548
Instruction Fuzzy Hash: 4541D6A6B21A5541AF048E2685200EAE3A1E75BFD0399A233CF2D777A8C67CD5D6C344

Uniqueness

Uniqueness Score: -1.00%

Function 002580A0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef435d2d98081d9a422bf937df34a2aa5badf140908dd2b871aa1c4f62ec28
Instruction ID: a75868c93531e0950098984a2957a05403e90a7edb439c5bb3a5d331deb13e0f
Opcode Fuzzy Hash: 3cef435d2d98081d9a422bf937df34a2aa5badf140908dd2b871aa1c4f62ec28
Instruction Fuzzy Hash: 9E413622724E40CADF14DF669481366A791E784795F888A31DF6C937C7DEBCC4B98B08

Uniqueness

Uniqueness Score: -1.00%

Function 0022E260 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78c911a257e2ceaf146d54302eb0be7e122805c1a027953a31ca8bf9802f1fc0
Instruction ID: c2f8a8787f398e052008af710c739ee0f45821337cefb246dab524c1e9d895cf
Opcode Fuzzy Hash: 78c911a257e2ceaf146d54302eb0be7e122805c1a027953a31ca8bf9802f1fc0
Instruction Fuzzy Hash: 0F510372628F5485DB16DF66E44036AA7A5FBDABC0F09C736AA4D63715CF38C0A1C700

Uniqueness

Uniqueness Score: -1.00%

Function 0022F520 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d7cb5e507824b451ec2b02ca2b1d33ca0787a346b45afad07f40c0701454faa
Instruction ID: ff12b3bc09c385ba784a1cebd5fea9561b31a41ebc98619aa6307ee7592469bc
Opcode Fuzzy Hash: 5d7cb5e507824b451ec2b02ca2b1d33ca0787a346b45afad07f40c0701454faa
Instruction Fuzzy Hash: CD415171B2BE1445CD4BDFBAA1603A4922BDF93BE0F94C3325D3B771E4EB1990628600

Uniqueness

Uniqueness Score: -1.00%

Function 0021D120 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5641b2b2fffe9dda90e46c084dac493856925f9ddbc345431e64ba720e045fe3
Instruction ID: 35327f8513aea0c05d4034ba209e706b0544c87ea77c0421e7ffd7e8b02bb6eb
Opcode Fuzzy Hash: 5641b2b2fffe9dda90e46c084dac493856925f9ddbc345431e64ba720e045fe3
Instruction Fuzzy Hash: 182139A2E25E444ACA47DB3A8400351921AAFA6BD0F58C722AD1E77796EB38D0D34640

Uniqueness

Uniqueness Score: -1.00%

Function 00233CC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa24e09daec39e20bf3908c6b9e245ebd066cf3f1dd348db90e21d9525ad61a2
Instruction ID: 5d2616009211133fc58e26f5d76bf0e6e7387ee47ae6105469bde4b99454fc1f
Opcode Fuzzy Hash: aa24e09daec39e20bf3908c6b9e245ebd066cf3f1dd348db90e21d9525ad61a2
Instruction Fuzzy Hash: 3831867A328B4991DB48CF15F4813EA6761E789BC4F849022EF4E43769DF38C659C700

Uniqueness

Uniqueness Score: -1.00%

Function 0026B7A0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e9a4d800102f051f1374f6cf9acaf25a51bd3c7dc6cf284cbda8c1ded95b6d
Instruction ID: 189b1c5a9cd134826171f3521dd87568583c921d1f4c97854dc443273693135b
Opcode Fuzzy Hash: 78e9a4d800102f051f1374f6cf9acaf25a51bd3c7dc6cf284cbda8c1ded95b6d
Instruction Fuzzy Hash: 6BC02BF2A2BBC628FB13C70079003C0B9C18FA53C0D80C084835880215E76C92D08208

Uniqueness

Uniqueness Score: -1.00%

Function 002275C0 Relevance: 12.9, Strings: 10, Instructions: 351COMMON

Download Yara Rule

Strings

, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 00227B5D
, not pointerGC sweep waitbad map statedalTLDpSugct?double unlockfilter methodinvalid UTF-8load64 failedmin too largenil stackbaseout of memoryprofMemActiveprofMemFuturetraceStackTabvalue method xadd64 failedxchg64 failed to finalizer GC assist waitGC worker i, xrefs: 00227C46
runtime.SetFinalizer: pointer not in allocated blockspan set block with unpopped elements found in resetcompileCallback: argument size is larger than uintptrgcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - dead, xrefs: 00227C02
runtime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsattempted to add zero-sized address rangegcSweep being done but phase is not GCoffmheap.freeSpanLocked - invalid span statemheap.freeSpanLoc, xrefs: 00227C55
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 00227B6C
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 00227AFC
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 00227A76, 00227ACD, 00227B37
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 00227A61, 00227AB8, 00227B22
runtime.SetFinalizer: first argument was allocated into an arenaruntime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizecannot convert slice with length %y to array or pointer to array w, xrefs: 00227C13
runtime.SetFinalizer: first argument is nilruntime: releaseSudog with non-nil gp.paramunfinished open-coded defers in deferreturnunknown runnable goroutine during bootstrapactive sweepers found at start of mark phasecompileCallback: float results not supported, xrefs: 00227C6A

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$, not pointerGC sweep waitbad map statedalTLDpSugct?double unlockfilter methodinvalid UTF-8load64 failedmin too largenil stackbaseout of memoryprofMemActiveprofMemFuturetraceStackTabvalue method xadd64 failedxchg64 failed to finalizer GC assist waitGC worker i$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: first argument is nilruntime: releaseSudog with non-nil gp.paramunfinished open-coded defers in deferreturnunknown runnable goroutine during bootstrapactive sweepers found at start of mark phasecompileCallback: float results not supported$runtime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsattempted to add zero-sized address rangegcSweep being done but phase is not GCoffmheap.freeSpanLocked - invalid span statemheap.freeSpanLoc$runtime.SetFinalizer: first argument was allocated into an arenaruntime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizecannot convert slice with length %y to array or pointer to array w$runtime.SetFinalizer: pointer not in allocated blockspan set block with unpopped elements found in resetcompileCallback: argument size is larger than uintptrgcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - dead$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-4046867270
Opcode ID: 9fe49c7fa6cf1ce59d96bbacc926ee0f51fdda7826cc0c4f21e7022bb69b3bf4
Instruction ID: 94a73a61962ebe3671477cefbf768ceb559381efc843d3c413f6d6b642400c67
Opcode Fuzzy Hash: 9fe49c7fa6cf1ce59d96bbacc926ee0f51fdda7826cc0c4f21e7022bb69b3bf4
Instruction Fuzzy Hash: F2F1B03262DB90D2EB209F51F4413AEB7A4F385B80F488526DB8D53B99DF78C4A5CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00217A60 Relevance: 12.7, Strings: 10, Instructions: 194COMMON

Download Yara Rule

Strings

debugCal, xrefs: 00217C0E
runtime., xrefs: 00217CB6
debugCal, xrefs: 00217AF3
debugCal, xrefs: 00217C50
call from unknown functioncorrupted semaphore ticketforEachP: P did not run fnfreedefer with d.fn != nilnegative idle mark workersnotewakeup - double wakeupout of memory (stackalloc)persistentalloc: size == 0shrinking stack in libcallssh: invalid packet length, xrefs: 00217AAD, 00217AB9
debugCal, xrefs: 00217BB8
call from within the Go runtimecasgstatus: bad incoming valuescheckmark found unmarked objectinternal error - misuse of itabnon in-use span in unswept listresetspinning: not a spinning mruntime: cannot allocate memoryruntime: failed to commit pagesslice bounds, xrefs: 00217CDB, 00217CE7
call not at safe pointcompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnon-positive dimensionoldoverflow is not, xrefs: 00217D62, 00217D6E
l655, xrefs: 00217C95
debugCal, xrefs: 00217B52

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: call from unknown functioncorrupted semaphore ticketforEachP: P did not run fnfreedefer with d.fn != nilnegative idle mark workersnotewakeup - double wakeupout of memory (stackalloc)persistentalloc: size == 0shrinking stack in libcallssh: invalid packet length$call from within the Go runtimecasgstatus: bad incoming valuescheckmark found unmarked objectinternal error - misuse of itabnon in-use span in unswept listresetspinning: not a spinning mruntime: cannot allocate memoryruntime: failed to commit pagesslice bounds$call not at safe pointcompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnon-positive dimensionoldoverflow is not$debugCal$debugCal$debugCal$debugCal$debugCal$l655$runtime.
API String ID: 0-3127990129
Opcode ID: f253991a83c8dafcf89b434333db8bb481c17af3d0fe48d6e9be4fc8624f821b
Instruction ID: 028c6e6ecffe019ffeb80fd3202bc6ee0bea21670681141eb29739cafbef8e6a
Opcode Fuzzy Hash: f253991a83c8dafcf89b434333db8bb481c17af3d0fe48d6e9be4fc8624f821b
Instruction Fuzzy Hash: 43715976A2DA8285DE349F14D0403A977F1E7E5BD4F58C427D64A03724EB78C9E4CB82

Uniqueness

Uniqueness Score: -1.00%

Function 002184E0 Relevance: 11.4, Strings: 9, Instructions: 167COMMON

Download Yara Rule

Strings

is not pointer00000000BAD RANK_UNKNOWNdeadlockpollDescrwmutexRrwmutexWscavengetraceBufatomicor8bad prunechan sendctxt != 0hchanLeafinterfacemSpanDeadmap_entrypanicwaitpclmulqdqpreemptedprofBlockrwxrwxrwxstackpooltracebackwbufSpansBad varintGOMAXPROCSGOMEMLIM, xrefs: 0021879F
interface conversion: kernel32.dll not foundminpc or maxpc invalidnon-positive dimensionoldoverflow is not nilruntime.main not on m0s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2trace reader (bloc, xrefs: 002185BD, 00218774, 00218859
(types from different scopes)GODEBUG: unknown cpu feature "assignment to entry in nil mapcheckdead: inconsistent countsfailed to get system page sizefreedefer with d._panic != nilinvalid pointer found on stackndr:"varying,X-subStringArray"notetsleep - waitm o, xrefs: 00218734
is on %04x><) = +Inf-Inf-inf...:.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.xml000001000x%x100010803125: %s:464:88*ABRTACDTACSTAEDTAESTAKDTAKSTALRMAWSTAhomArgsAtoiCASECESTCHARCOWSCZARCallChamDATADashEESTEnumFOZYGOGCGrayHKCCHKCRHKCUHKLMHKPDHORNHigh, xrefs: 002185F2
interfacemSpanDeadmap_entrypanicwaitpclmulqdqpreemptedprofBlockrwxrwxrwxstackpooltracebackwbufSpansBad varintGOMAXPROCSGOMEMLIMITatomicand8debug callexitThreadfloat32nanfloat64nanmSpanInUsenotifyListprofInsertsemacquirestackLargeunknown pcassistQueuebad m valu, xrefs: 0021851B
: missing method GC assist markingbad TinySizeClassentersyscallblockg already scannedgp.waiting != nilkey align too biglocked m0 woke upmark - bad statusmarkBits overflowmissing closing )missing closing ]notetsleepg on g0runtime.newosprocruntime/internal/scano, xrefs: 002187D7
, not , val .local.onion.proto0x%08x390625; and <-chanACARIDALIYOSARGALSASLOPEAnswerArabicAugustBIOGASBOINGSBOSQUEBinaryBitBltBrahmiCANCELCHAKRACHINASCINQUECarianChakmaClosedCommonCopticDREARYEMETINEndDocExpectFieldsFormatFridayGAMMEDGOAWAYGOWANSGUIROSGetACPGo, xrefs: 0021861D
(types from different packages)WSAGetOverlappedResult not found" not supported for cpu option "invalid limiter event type foundremovespecial on invalid pointerruntime.semasleep wait_abandonedruntime: failed to release pagesruntime: fixalloc size too largerunt, xrefs: 00218715
is nil, not , not pointerGC sweep waitbad map statedalTLDpSugct?double unlockfilter methodinvalid UTF-8load64 failedmin too largenil stackbaseout of memoryprofMemActiveprofMemFuturetraceStackTabvalue method xadd64 failedxchg64 failed to finalizer GC assist wa, xrefs: 00218844

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: (types from different packages)WSAGetOverlappedResult not found" not supported for cpu option "invalid limiter event type foundremovespecial on invalid pointerruntime.semasleep wait_abandonedruntime: failed to release pagesruntime: fixalloc size too largerunt$ (types from different scopes)GODEBUG: unknown cpu feature "assignment to entry in nil mapcheckdead: inconsistent countsfailed to get system page sizefreedefer with d._panic != nilinvalid pointer found on stackndr:"varying,X-subStringArray"notetsleep - waitm o$ is on %04x><) = +Inf-Inf-inf...:.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.xml000001000x%x100010803125: %s:464:88*ABRTACDTACSTAEDTAESTAKDTAKSTALRMAWSTAhomArgsAtoiCASECESTCHARCOWSCZARCallChamDATADashEESTEnumFOZYGOGCGrayHKCCHKCRHKCUHKLMHKPDHORNHigh$ is nil, not , not pointerGC sweep waitbad map statedalTLDpSugct?double unlockfilter methodinvalid UTF-8load64 failedmin too largenil stackbaseout of memoryprofMemActiveprofMemFuturetraceStackTabvalue method xadd64 failedxchg64 failed to finalizer GC assist wa$ is not pointer00000000BAD RANK_UNKNOWNdeadlockpollDescrwmutexRrwmutexWscavengetraceBufatomicor8bad prunechan sendctxt != 0hchanLeafinterfacemSpanDeadmap_entrypanicwaitpclmulqdqpreemptedprofBlockrwxrwxrwxstackpooltracebackwbufSpansBad varintGOMAXPROCSGOMEMLIM$, not , val .local.onion.proto0x%08x390625; and <-chanACARIDALIYOSARGALSASLOPEAnswerArabicAugustBIOGASBOINGSBOSQUEBinaryBitBltBrahmiCANCELCHAKRACHINASCINQUECarianChakmaClosedCommonCopticDREARYEMETINEndDocExpectFieldsFormatFridayGAMMEDGOAWAYGOWANSGUIROSGetACPGo$: missing method GC assist markingbad TinySizeClassentersyscallblockg already scannedgp.waiting != nilkey align too biglocked m0 woke upmark - bad statusmarkBits overflowmissing closing )missing closing ]notetsleepg on g0runtime.newosprocruntime/internal/scano$interface conversion: kernel32.dll not foundminpc or maxpc invalidnon-positive dimensionoldoverflow is not nilruntime.main not on m0s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2trace reader (bloc$interfacemSpanDeadmap_entrypanicwaitpclmulqdqpreemptedprofBlockrwxrwxrwxstackpooltracebackwbufSpansBad varintGOMAXPROCSGOMEMLIMITatomicand8debug callexitThreadfloat32nanfloat64nanmSpanInUsenotifyListprofInsertsemacquirestackLargeunknown pcassistQueuebad m valu
API String ID: 0-657713465
Opcode ID: 5ecc1f15737a933ec44d783d3ee3754b69804aa2dacc9502bed77240ac9861ec
Instruction ID: 89602dbb57a87b94f807bce7e3bf49b59f160d950f0bf1e04af529b21b898ab4
Opcode Fuzzy Hash: 5ecc1f15737a933ec44d783d3ee3754b69804aa2dacc9502bed77240ac9861ec
Instruction Fuzzy Hash: 0891C076218BC585DB60DB15F4803DAB3A5F388B84F548126DACD97B19EF79C4A9CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0023DEE0 Relevance: 10.1, Strings: 8, Instructions: 68COMMON

Download Yara Rule

Strings

PowerReg, xrefs: 0023DF3F
rof.dll, xrefs: 0023DF15
7&, xrefs: 0023DFBD
ication, xrefs: 0023DF7B
powrprof, xrefs: 0023DF06
spendRes, xrefs: 0023DF5D
gisterSu, xrefs: 0023DF4E
umeNotif, xrefs: 0023DF6C

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: 7&$PowerReg$gisterSu$ication$powrprof$rof.dll$spendRes$umeNotif
API String ID: 0-3821198036
Opcode ID: 666069df797119817a7d83d56717bc1da16c08bfd8d4b7f1a21d27dcb0b38b1d
Instruction ID: f3aa147af92bc0ce27cd4943df7f75135a7959c0f67315b11f89a8399ba9d15f
Opcode Fuzzy Hash: 666069df797119817a7d83d56717bc1da16c08bfd8d4b7f1a21d27dcb0b38b1d
Instruction Fuzzy Hash: 583126B6218B8085D624DB11F44039AB7A5F785BC4F988126EBDC47B5ADF7DC164CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00211060 Relevance: 9.1, Strings: 7, Instructions: 306COMMON

Download Yara Rule

Strings

GODEBUG: unknown cpu feature "assignment to entry in nil mapcheckdead: inconsistent countsfailed to get system page sizefreedefer with d._panic != nilinvalid pointer found on stackndr:"varying,X-subStringArray"notetsleep - waitm out of syncrunqputslow: queue i, xrefs: 002114B5
cpu., xrefs: 002110F3
GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failurework, xrefs: 00211211
", missing CPU supportchan receive (nil chan)close of closed channelfatal: morestack on g0garbage collection scangcDrain phase incorrectindex out of range [%x]invalid escape sequenceleft over markroot jobsmakechan: bad alignmentmissing type in runfinqnanotim, xrefs: 0021134C
GODEBUG: no value specified for "concurrent map read and map writefindrunnable: negative nmspinningfreeing stack not in a stack spanmin must be a non-zero power of 2misrounded allocation in sysAllocruntime: failed to decommit pagesruntime: name offset out of r, xrefs: 00211288
GODEBUG: can not enable "PLTE, color type mismatch_cgo_thread_start missingallgadd: bad status Gidlearena already initializedbad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timermissing st, xrefs: 0021132C
" not supported for cpu option "invalid limiter event type foundremovespecial on invalid pointerruntime.semasleep wait_abandonedruntime: failed to release pagesruntime: fixalloc size too largeruntime: mcall function returnedruntime: stack split at bad timerunt, xrefs: 00211234

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: " not supported for cpu option "invalid limiter event type foundremovespecial on invalid pointerruntime.semasleep wait_abandonedruntime: failed to release pagesruntime: fixalloc size too largeruntime: mcall function returnedruntime: stack split at bad timerunt$", missing CPU supportchan receive (nil chan)close of closed channelfatal: morestack on g0garbage collection scangcDrain phase incorrectindex out of range [%x]invalid escape sequenceleft over markroot jobsmakechan: bad alignmentmissing type in runfinqnanotim$GODEBUG: can not enable "PLTE, color type mismatch_cgo_thread_start missingallgadd: bad status Gidlearena already initializedbad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timermissing st$GODEBUG: no value specified for "concurrent map read and map writefindrunnable: negative nmspinningfreeing stack not in a stack spanmin must be a non-zero power of 2misrounded allocation in sysAllocruntime: failed to decommit pagesruntime: name offset out of r$GODEBUG: unknown cpu feature "assignment to entry in nil mapcheckdead: inconsistent countsfailed to get system page sizefreedefer with d._panic != nilinvalid pointer found on stackndr:"varying,X-subStringArray"notetsleep - waitm out of syncrunqputslow: queue i$GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failurework$cpu.
API String ID: 0-511654176
Opcode ID: c06d1901140b517624a829965726b2cb0e9dd642d1ec2c11e6c533e180d9720e
Instruction ID: 7729e3ec71489e8018bdadaf718eafaddf93e038854629ebacf5eeb7c638a5cd
Opcode Fuzzy Hash: c06d1901140b517624a829965726b2cb0e9dd642d1ec2c11e6c533e180d9720e
Instruction Fuzzy Hash: 10C1AF72629B8481DB04DB65E0403EEB7A5F3A9BD0F944512EF8E47B59DF78C8B08B50

Uniqueness

Uniqueness Score: -1.00%

Function 00219080 Relevance: 8.9, Strings: 7, Instructions: 170COMMON

Download Yara Rule

Strings

value method xadd64 failedxchg64 failed to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.W, xrefs: 00219253
pointer00000000BAD RANK_UNKNOWNdeadlockpollDescrwmutexRrwmutexWscavengetraceBufatomicor8bad prunechan sendctxt != 0hchanLeafinterfacemSpanDeadmap_entrypanicwaitpclmulqdqpreemptedprofBlockrwxrwxrwxstackpooltracebackwbufSpansBad varintGOMAXPROCSGOMEMLIMITatomic, xrefs: 00219321
panicwrap: no ( in panicwrap: no ) in runtime: preempt g0semaRoot rotateLeftstopm holding lockssysMemStat overflowtoo much pixel dataunexpected g statusunknown wait reasonwinmm.dll not foundbad system page sizebad use of bucket.bpbad use of bucket.mpchan send , xrefs: 002193C2
panicwrap: no ) in runtime: preempt g0semaRoot rotateLeftstopm holding lockssysMemStat overflowtoo much pixel dataunexpected g statusunknown wait reasonwinmm.dll not foundbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of , xrefs: 0021937F
), xrefs: 002191AE
panicwrap: unexpected string after type name: released less than one physical page of memoryruntime: name offset base pointer out of rangeruntime: text offset base pointer out of rangeruntime: type offset base pointer out of rangeslice bounds out of range [:%x, xrefs: 002191E8
panicwrap: unexpected string after package name: runtime.reflect_makemap: unsupported map key typeruntime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ysweeper left ou, xrefs: 00219118

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: pointer00000000BAD RANK_UNKNOWNdeadlockpollDescrwmutexRrwmutexWscavengetraceBufatomicor8bad prunechan sendctxt != 0hchanLeafinterfacemSpanDeadmap_entrypanicwaitpclmulqdqpreemptedprofBlockrwxrwxrwxstackpooltracebackwbufSpansBad varintGOMAXPROCSGOMEMLIMITatomic$)$panicwrap: no ( in panicwrap: no ) in runtime: preempt g0semaRoot rotateLeftstopm holding lockssysMemStat overflowtoo much pixel dataunexpected g statusunknown wait reasonwinmm.dll not foundbad system page sizebad use of bucket.bpbad use of bucket.mpchan send $panicwrap: no ) in runtime: preempt g0semaRoot rotateLeftstopm holding lockssysMemStat overflowtoo much pixel dataunexpected g statusunknown wait reasonwinmm.dll not foundbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of $panicwrap: unexpected string after package name: runtime.reflect_makemap: unsupported map key typeruntime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ysweeper left ou$panicwrap: unexpected string after type name: released less than one physical page of memoryruntime: name offset base pointer out of rangeruntime: text offset base pointer out of rangeruntime: type offset base pointer out of rangeslice bounds out of range [:%x$value method xadd64 failedxchg64 failed to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.W
API String ID: 0-1423911815
Opcode ID: eb956182fa5163eea33046fb9f301504e65ee5012e1e2ffe90e1e8bdd22cf353
Instruction ID: 57ac93a5bbd0cffbafefccc8db2445d80026f28e47038d6a30a301fc64b15611
Opcode Fuzzy Hash: eb956182fa5163eea33046fb9f301504e65ee5012e1e2ffe90e1e8bdd22cf353
Instruction Fuzzy Hash: 63819C32228BC084CB64DB21F4553DAB3A5F788780F848626EADD47B59DF7DC1A8CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00229A60 Relevance: 6.4, Strings: 5, Instructions: 198COMMON

Download Yara Rule

Strings

:&, xrefs: 00229B27
work.nwait > work.nprocbad defer entry in panicbypassed recovery failedcan't scan our own stackdouble traceGCSweepStartgcDrainN phase incorrecthash of unhashable type invalid interlace methodpageAlloc: out of memoryqueuefinalizer during GCrange partially overl, xrefs: 00229DAA
gcBgMarkWorker: blackening not enabledindex out of range [%x] with length %yinternal error: exit hook invoked exitm changed unexpectedly in cgocallbackgmakechan: invalid channel element typeruntime: blocked read on free polldescruntime: sudog with non-false is, xrefs: 00229DE0
GC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND lengthbad IHDR lengthbad PL, xrefs: 00229A95, 00229AAC
work.nwait was > work.nprocFixedStack is not power-of-2comparing uncomparable type fatal: morestack on gsignalfindrunnable: netpoll with pfound pointer to free objectgcBgMarkWorker: mode not setgcstopm: negative nmspinninginvalid runtime symbol tablemissing s, xrefs: 00229DBB

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: :&$GC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND lengthbad IHDR lengthbad PL$gcBgMarkWorker: blackening not enabledindex out of range [%x] with length %yinternal error: exit hook invoked exitm changed unexpectedly in cgocallbackgmakechan: invalid channel element typeruntime: blocked read on free polldescruntime: sudog with non-false is$work.nwait > work.nprocbad defer entry in panicbypassed recovery failedcan't scan our own stackdouble traceGCSweepStartgcDrainN phase incorrecthash of unhashable type invalid interlace methodpageAlloc: out of memoryqueuefinalizer during GCrange partially overl$work.nwait was > work.nprocFixedStack is not power-of-2comparing uncomparable type fatal: morestack on gsignalfindrunnable: netpoll with pfound pointer to free objectgcBgMarkWorker: mode not setgcstopm: negative nmspinninginvalid runtime symbol tablemissing s
API String ID: 0-3519515180
Opcode ID: a5689a80199a90c3486cc5c3704e8705597710103685e9ba522c6149b0999854
Instruction ID: 53801beb08a1c0472d2f5446e6b8e03ca251f27ae56d1acb9d36ff477b62c1e9
Opcode Fuzzy Hash: a5689a80199a90c3486cc5c3704e8705597710103685e9ba522c6149b0999854
Instruction Fuzzy Hash: DD91A832224B94D2EB00DF65F4843DAB765F34AB94F105226EB8C43BA8CF79C4A5CB40

Uniqueness

Uniqueness Score: -1.00%

Function 002277A4 Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 00227B5D
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 00227B6C
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 00227AFC
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 00227A76, 00227ACD, 00227B37
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 00227A61, 00227AB8, 00227B22

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: fafa3d2ee3402aea57f22b72b652a51cefc60fad68c1575d605e5817d01d6243
Instruction ID: 06264732c14586138eb8ab11de9f155e97383279872b14fc09f9ed8524ba91ef
Opcode Fuzzy Hash: fafa3d2ee3402aea57f22b72b652a51cefc60fad68c1575d605e5817d01d6243
Instruction Fuzzy Hash: 8C41F03122CB9591E720AF92F44179E77A1F384BC0F588572EA4993B18EF78C475CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002277AA Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 00227B5D
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 00227B6C
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 00227AFC
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 00227A76, 00227ACD, 00227B37
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 00227A61, 00227AB8, 00227B22

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: 623f1a3bab27a598d6f2aba8c2cf4bfcd3a03ce480cb820423a6d559dbd1cdeb
Instruction ID: 9b19c1f9a36df7856776da436d0f2077f58d24bdb17b09b12a1fe45e39d6f169
Opcode Fuzzy Hash: 623f1a3bab27a598d6f2aba8c2cf4bfcd3a03ce480cb820423a6d559dbd1cdeb
Instruction Fuzzy Hash: 9041F13122CB9591E720AF92F44179EB7A1F384BC0F588572EA4993B18EF78C475CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002277B0 Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 00227B5D
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 00227B6C
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 00227AFC
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 00227A76, 00227ACD, 00227B37
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 00227A61, 00227AB8, 00227B22

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: cab50c7570de346aaa23623bac989bcf592f128a898acff34fade60b8248ca23
Instruction ID: c3835ceeadb4464383897583f50e95e86fd93b1bd8167a659e54d37fee1d7a6a
Opcode Fuzzy Hash: cab50c7570de346aaa23623bac989bcf592f128a898acff34fade60b8248ca23
Instruction Fuzzy Hash: 6841F13122CB9591E720AF92F44179EB7A1F384BC0F588572EA4993B18EF78C475CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002277B6 Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 00227B5D
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 00227B6C
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 00227AFC
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 00227A76, 00227ACD, 00227B37
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 00227A61, 00227AB8, 00227B22

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: fafa3d2ee3402aea57f22b72b652a51cefc60fad68c1575d605e5817d01d6243
Instruction ID: 06264732c14586138eb8ab11de9f155e97383279872b14fc09f9ed8524ba91ef
Opcode Fuzzy Hash: fafa3d2ee3402aea57f22b72b652a51cefc60fad68c1575d605e5817d01d6243
Instruction Fuzzy Hash: 8C41F03122CB9591E720AF92F44179E77A1F384BC0F588572EA4993B18EF78C475CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002277BC Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 00227B5D
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 00227B6C
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 00227AFC
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 00227A76, 00227ACD, 00227B37
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 00227A61, 00227AB8, 00227B22

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: fafa3d2ee3402aea57f22b72b652a51cefc60fad68c1575d605e5817d01d6243
Instruction ID: 06264732c14586138eb8ab11de9f155e97383279872b14fc09f9ed8524ba91ef
Opcode Fuzzy Hash: fafa3d2ee3402aea57f22b72b652a51cefc60fad68c1575d605e5817d01d6243
Instruction Fuzzy Hash: 8C41F03122CB9591E720AF92F44179E77A1F384BC0F588572EA4993B18EF78C475CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00227798 Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 00227B5D
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 00227B6C
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 00227AFC
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 00227A76, 00227ACD, 00227B37
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 00227A61, 00227AB8, 00227B22

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: e4fddce0eeeca1a3932a80fdf0005c55a797b852647a44de061333f59ec6a853
Instruction ID: 72ef6b426d407b49b60e87935f18038d4dd79fec44f95f6371edef43ac605250
Opcode Fuzzy Hash: e4fddce0eeeca1a3932a80fdf0005c55a797b852647a44de061333f59ec6a853
Instruction Fuzzy Hash: 3741F13122CB9591E720AF92F44179E77A1F384BC0F588572EA4993B18EF78C475CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0022779E Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 00227B5D
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 00227B6C
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 00227AFC
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 00227A76, 00227ACD, 00227B37
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 00227A61, 00227AB8, 00227B22

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: 8ac3d9750a6f5688bb300b0914bdeff912661b696897f441c81a3cfa47450ba2
Instruction ID: 4c7602e8e2b5042e80f8b345f31acbf8bb14c0ac690208b5725ffdad9360f0be
Opcode Fuzzy Hash: 8ac3d9750a6f5688bb300b0914bdeff912661b696897f441c81a3cfa47450ba2
Instruction Fuzzy Hash: 3541F13122CB9591E720AF92F44179E77A1F384BC0F588572EA4993B18EF78C475CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002277C2 Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 00227B5D
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 00227B6C
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 00227AFC
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 00227A76, 00227ACD, 00227B37
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 00227A61, 00227AB8, 00227B22

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: 374622e9d73ef88742abf8a191313526f3c7d6a6862eb5495a855e7bab303dac
Instruction ID: 8f634c7e5dbdb955ae2868aba256e90a6791de68120cfe9b77f303aec19034af
Opcode Fuzzy Hash: 374622e9d73ef88742abf8a191313526f3c7d6a6862eb5495a855e7bab303dac
Instruction Fuzzy Hash: 9941F13122CB9591E720AF92F44179E77A1F384BC0F588572EA4993B18EF78C475CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002277C8 Relevance: 6.4, Strings: 5, Instructions: 112COMMON

Download Yara Rule

Strings

, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 00227B5D
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 00227B6C
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 00227AFC
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 00227A76, 00227ACD, 00227B37
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 00227A61, 00227AB8, 00227B22

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: deeb3df0b0a500d43f5f8fbf64467ffcd5b2413eb5fb63024dc07a3a02dde824
Instruction ID: d138fb1b7bb56501120c70d7d9b3ac04d32ffe82276fec0d9d88168323dd7807
Opcode Fuzzy Hash: deeb3df0b0a500d43f5f8fbf64467ffcd5b2413eb5fb63024dc07a3a02dde824
Instruction Fuzzy Hash: C841E03222CB9591E720AF92F44179E77A5F384BC0F588572EA8993B18EF78C475CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00227823 Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 00227B5D
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 00227B6C
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 00227AFC
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 00227A76, 00227ACD, 00227B37
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 00227A61, 00227AB8, 00227B22

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: 8717d5d5c81b41f4a189a809dfa1ee01c0294baed470aa70b1172c7c3df26b48
Instruction ID: 7fdbed369fa84481572da84f5186d6cbb5bea0e06b9674a5ef1e75484551a317
Opcode Fuzzy Hash: 8717d5d5c81b41f4a189a809dfa1ee01c0294baed470aa70b1172c7c3df26b48
Instruction Fuzzy Hash: 7041D132228B9491E720AF92F44179E77A4F344BC0F488572EA4D93B18EF78C475CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00227805 Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 00227B5D
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 00227B6C
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 00227AFC
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 00227A76, 00227ACD, 00227B37
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 00227A61, 00227AB8, 00227B22

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: 54b82f681e5831b7bcf5832cae3918faf19944e40c15aee7b2e710561c25eac5
Instruction ID: c158ea98877ae81678a124da2c7f615712cae2d2b5332b855d453366b8c3098f
Opcode Fuzzy Hash: 54b82f681e5831b7bcf5832cae3918faf19944e40c15aee7b2e710561c25eac5
Instruction Fuzzy Hash: D741E132228B9491E720AF92F44179E77A4F384BC0F488572EA4D93B18EF78C875CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0022780B Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 00227B5D
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 00227B6C
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 00227AFC
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 00227A76, 00227ACD, 00227B37
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 00227A61, 00227AB8, 00227B22

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: 8717d5d5c81b41f4a189a809dfa1ee01c0294baed470aa70b1172c7c3df26b48
Instruction ID: 7fdbed369fa84481572da84f5186d6cbb5bea0e06b9674a5ef1e75484551a317
Opcode Fuzzy Hash: 8717d5d5c81b41f4a189a809dfa1ee01c0294baed470aa70b1172c7c3df26b48
Instruction Fuzzy Hash: 7041D132228B9491E720AF92F44179E77A4F344BC0F488572EA4D93B18EF78C475CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00227811 Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 00227B5D
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 00227B6C
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 00227AFC
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 00227A76, 00227ACD, 00227B37
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 00227A61, 00227AB8, 00227B22

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: a818b87021d12e8ded9d61e2e13c1b598fa051760c244deaadac948cbe2f5b43
Instruction ID: c8e5be256e4ec83b824d41f51c66866e4c53a2bfdac34dc44aff52fb5a2bd707
Opcode Fuzzy Hash: a818b87021d12e8ded9d61e2e13c1b598fa051760c244deaadac948cbe2f5b43
Instruction Fuzzy Hash: A341E232228B9491E720AF92F44179E77A4F344BC0F488572EA4D93B18EF78C875CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00227817 Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 00227B5D
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 00227B6C
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 00227AFC
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 00227A76, 00227ACD, 00227B37
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 00227A61, 00227AB8, 00227B22

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: 54b82f681e5831b7bcf5832cae3918faf19944e40c15aee7b2e710561c25eac5
Instruction ID: c158ea98877ae81678a124da2c7f615712cae2d2b5332b855d453366b8c3098f
Opcode Fuzzy Hash: 54b82f681e5831b7bcf5832cae3918faf19944e40c15aee7b2e710561c25eac5
Instruction Fuzzy Hash: D741E132228B9491E720AF92F44179E77A4F384BC0F488572EA4D93B18EF78C875CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0022781D Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 00227B5D
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 00227B6C
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 00227AFC
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 00227A76, 00227ACD, 00227B37
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 00227A61, 00227AB8, 00227B22

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: 54b82f681e5831b7bcf5832cae3918faf19944e40c15aee7b2e710561c25eac5
Instruction ID: c158ea98877ae81678a124da2c7f615712cae2d2b5332b855d453366b8c3098f
Opcode Fuzzy Hash: 54b82f681e5831b7bcf5832cae3918faf19944e40c15aee7b2e710561c25eac5
Instruction Fuzzy Hash: D741E132228B9491E720AF92F44179E77A4F384BC0F488572EA4D93B18EF78C875CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002277F9 Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 00227B5D
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 00227B6C
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 00227AFC
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 00227A76, 00227ACD, 00227B37
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 00227A61, 00227AB8, 00227B22

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: 5faa10e4f9aa72227332cd8c11eee83d01737487d9bd9e4a22de04f04af51bda
Instruction ID: 8bea7cee9c8c7148befadb188f9603bb9549fc411bd3c89455802765d9134e5e
Opcode Fuzzy Hash: 5faa10e4f9aa72227332cd8c11eee83d01737487d9bd9e4a22de04f04af51bda
Instruction Fuzzy Hash: F141E132228B9491E720AF92F44179E77A4F384BC0F488572EA4D93B18EF78C875CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002277FF Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 00227B5D
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 00227B6C
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 00227AFC
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 00227A76, 00227ACD, 00227B37
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 00227A61, 00227AB8, 00227B22

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: b0df9786d9a1e6e5ce4cecd4bdaddb6bb91a8ce63d35fa4dc2fc6f909a9ca8e1
Instruction ID: c58fa6aeee89c63ce03f7fd9e43c5c0a92daede87c6b8786dfed19213351f778
Opcode Fuzzy Hash: b0df9786d9a1e6e5ce4cecd4bdaddb6bb91a8ce63d35fa4dc2fc6f909a9ca8e1
Instruction Fuzzy Hash: 4C41D032228B9491E720AF92F44179E77A4F384BC0F488572EA4D93B18EF78C875CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002115C0 Relevance: 5.4, Strings: 4, Instructions: 445COMMON

Download Yara Rule

Strings

pclmulqdqpreemptedprofBlockrwxrwxrwxstackpooltracebackwbufSpansBad varintGOMAXPROCSGOMEMLIMITatomicand8debug callexitThreadfloat32nanfloat64nanmSpanInUsenotifyListprofInsertsemacquirestackLargeunknown pcassistQueuebad m valuebad timedivcgocall nilfloat32nan2fl, xrefs: 00211646
sse41sse42ssse3startsudogsweeptext/tls: traceuint8unameusageutf-8valueweak=writexxxxx Value%s: %s%s: %v%v: %v, not , val .local.onion.proto0x%08x390625; and <-chanACARIDALIYOSARGALSASLOPEAnswerArabicAugustBIOGASBOINGSBOSQUEBinaryBitBltBrahmiCANCELCHAKRACHINASC, xrefs: 0021189F, 002118BC
popcntproto2proto3rdrandrdseedrdtscpreadatrealmsremoverenamereturnrune1 secondselectsendtoserversetenvsint32sint64socketsocks5stringstructswitchsyntaxsysmontelnettimersuint16uint32uint64unusedustar ustar, xrefs: 002117F1, 0021180F
avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6casechancx16datedef=dialelseenumermsetagexecfailfilefromftpsfuncgotogziphosthourhttpicmpidleigmpint8itabkindlazylinklistnamenoneopenpathpipepop3quitreadrootseeksizesmtpspansse2sse3synctRNStar, xrefs: 00211AB5, 00211AD2

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6casechancx16datedef=dialelseenumermsetagexecfailfilefromftpsfuncgotogziphosthourhttpicmpidleigmpint8itabkindlazylinklistnamenoneopenpathpipepop3quitreadrootseeksizesmtpspansse2sse3synctRNStar$pclmulqdqpreemptedprofBlockrwxrwxrwxstackpooltracebackwbufSpansBad varintGOMAXPROCSGOMEMLIMITatomicand8debug callexitThreadfloat32nanfloat64nanmSpanInUsenotifyListprofInsertsemacquirestackLargeunknown pcassistQueuebad m valuebad timedivcgocall nilfloat32nan2fl$popcntproto2proto3rdrandrdseedrdtscpreadatrealmsremoverenamereturnrune1 secondselectsendtoserversetenvsint32sint64socketsocks5stringstructswitchsyntaxsysmontelnettimersuint16uint32uint64unusedustar ustar$sse41sse42ssse3startsudogsweeptext/tls: traceuint8unameusageutf-8valueweak=writexxxxx Value%s: %s%s: %v%v: %v, not , val .local.onion.proto0x%08x390625; and <-chanACARIDALIYOSARGALSASLOPEAnswerArabicAugustBIOGASBOINGSBOSQUEBinaryBitBltBrahmiCANCELCHAKRACHINASC
API String ID: 0-719224210
Opcode ID: e8cb1977e327ab16620129423f53fe442ce9874a075bfd53106aaacc3e25ed8b
Instruction ID: 85a341348b8591f73b806d0419797a713682e81d050a58fa60928b94f026f8c4
Opcode Fuzzy Hash: e8cb1977e327ab16620129423f53fe442ce9874a075bfd53106aaacc3e25ed8b
Instruction Fuzzy Hash: CD32ECB6228A48D1EB00DF25F8457D97BB0F750B84F894626DB8E87725EF79C5A8C700

Uniqueness

Uniqueness Score: -1.00%

Function 0022C620 Relevance: 5.3, Strings: 4, Instructions: 314COMMON

Download Yara Rule

Strings

mark - bad statusmarkBits overflowmissing closing )missing closing ]notetsleepg on g0runtime.newosprocruntime/internal/scanobject n == 0select (no cases)swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcwait for GC cycle because dotdotdotGC w, xrefs: 0022C824
scanstack - bad statussend on closed channelspan has no free spacestack not a power of 2trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p state", missing CPU supportchan receive (nil chan)close of closed channelfatal: morestac, xrefs: 0022CB80
can't scan our own stackdouble traceGCSweepStartgcDrainN phase incorrecthash of unhashable type invalid interlace methodpageAlloc: out of memoryqueuefinalizer during GCrange partially overlapsrunqsteal: runq overflowspan has no free objectsupdate during transi, xrefs: 0022CB45
scanstack: goroutine not stoppedscavenger state is already wiredslice bounds out of range [%x::]slice bounds out of range [:%x:]slice bounds out of range [::%x]sweep increased allocation countGODEBUG: no value specified for "concurrent map read and map writefi, xrefs: 0022CB67

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: can't scan our own stackdouble traceGCSweepStartgcDrainN phase incorrecthash of unhashable type invalid interlace methodpageAlloc: out of memoryqueuefinalizer during GCrange partially overlapsrunqsteal: runq overflowspan has no free objectsupdate during transi$mark - bad statusmarkBits overflowmissing closing )missing closing ]notetsleepg on g0runtime.newosprocruntime/internal/scanobject n == 0select (no cases)swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcwait for GC cycle because dotdotdotGC w$scanstack - bad statussend on closed channelspan has no free spacestack not a power of 2trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p state", missing CPU supportchan receive (nil chan)close of closed channelfatal: morestac$scanstack: goroutine not stoppedscavenger state is already wiredslice bounds out of range [%x::]slice bounds out of range [:%x:]slice bounds out of range [::%x]sweep increased allocation countGODEBUG: no value specified for "concurrent map read and map writefi
API String ID: 0-2201561079
Opcode ID: b296483e89fecba6371d670f251d573ec4074a287cda3bad7c701cec9208ec5d
Instruction ID: 1a46a878a950a55a06d53d174b7247114fcd5c83daf0a7ee09dad4145e36188c
Opcode Fuzzy Hash: b296483e89fecba6371d670f251d573ec4074a287cda3bad7c701cec9208ec5d
Instruction Fuzzy Hash: 98D18D32228BD595DB24CF55F0807EEB7A1F789B84F689126DA8C13B59CF38C4A5CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00255B40 Relevance: 5.2, Strings: 4, Instructions: 209COMMON

Download Yara Rule

Strings

stack growth not allowed in system callsuspendG from non-preemptible goroutinetrailing backslash at end of expressionbulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0deferproc: d.panic != nil after newdeferfailed to acquire lock , xrefs: 00255EE5
nil stackbaseout of memoryprofMemActiveprofMemFuturetraceStackTabvalue method xadd64 failedxchg64 failed to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filese, xrefs: 00255ECF
@U%, xrefs: 00255E21
racy sudog adjustment due to parking on channelslice bounds out of range [::%x] with length %ytried to sleep scavenger from another goroutineCreateWaitableTimerEx when creating timer failedcould not find GetSystemTimeAsFileTime() syscallslice bounds out of ran, xrefs: 00255E57

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: @U%$nil stackbaseout of memoryprofMemActiveprofMemFuturetraceStackTabvalue method xadd64 failedxchg64 failed to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filese$racy sudog adjustment due to parking on channelslice bounds out of range [::%x] with length %ytried to sleep scavenger from another goroutineCreateWaitableTimerEx when creating timer failedcould not find GetSystemTimeAsFileTime() syscallslice bounds out of ran$stack growth not allowed in system callsuspendG from non-preemptible goroutinetrailing backslash at end of expressionbulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0deferproc: d.panic != nil after newdeferfailed to acquire lock
API String ID: 0-998930552
Opcode ID: ddcee5d16b1c67d331e4f5fd98dd97754531278def651aa983d65cd0e65256d2
Instruction ID: 69590393572afdf6089081cea9fd04cb2471cd5d542cb6fcad7b422c5476dbb9
Opcode Fuzzy Hash: ddcee5d16b1c67d331e4f5fd98dd97754531278def651aa983d65cd0e65256d2
Instruction Fuzzy Hash: C4915772229FD082CA649F21E15039EB365F789BC1F988126DF9C57B19DF38C4A8CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00254DE0 Relevance: 5.2, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

stack size not a power of 2stopTheWorld: holding lockstimer when must be positivetoo many callback functionswork.nwait was > work.nprocFixedStack is not power-of-2comparing uncomparable type fatal: morestack on gsignalfindrunnable: netpoll with pfound pointer, xrefs: 0025507C
out of memoryprofMemActiveprofMemFuturetraceStackTabvalue method xadd64 failedxchg64 failed to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queues, xrefs: 00254F5D
out of memory (stackalloc)persistentalloc: size == 0shrinking stack in libcallssh: invalid packet lengthstartlockedm: locked to meuse of invalid sweepLockerwakep: negative nmspinningCurveP256CurveP384CurveP521G waiting list is corruptedaddress not a stack addr, xrefs: 00254E84
stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-negativeVirtualQuery for stack base faileddoaddtimer: P already set in timerforEachP: sched.safePointWait != 0invalid nested repetition operatorinvalid or unsupported Pe, xrefs: 0025508D

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: out of memory (stackalloc)persistentalloc: size == 0shrinking stack in libcallssh: invalid packet lengthstartlockedm: locked to meuse of invalid sweepLockerwakep: negative nmspinningCurveP256CurveP384CurveP521G waiting list is corruptedaddress not a stack addr$out of memoryprofMemActiveprofMemFuturetraceStackTabvalue method xadd64 failedxchg64 failed to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queues$stack size not a power of 2stopTheWorld: holding lockstimer when must be positivetoo many callback functionswork.nwait was > work.nprocFixedStack is not power-of-2comparing uncomparable type fatal: morestack on gsignalfindrunnable: netpoll with pfound pointer$stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-negativeVirtualQuery for stack base faileddoaddtimer: P already set in timerforEachP: sched.safePointWait != 0invalid nested repetition operatorinvalid or unsupported Pe
API String ID: 0-1500535864
Opcode ID: 52cd4ebccff17126e19d1be650daf554e385d92afc861928d5a2f45a107950f7
Instruction ID: 6eb956b197b1d9ece591c539f5bdd34f50b4c85932955f908dce5cbcb40bd9a9
Opcode Fuzzy Hash: 52cd4ebccff17126e19d1be650daf554e385d92afc861928d5a2f45a107950f7
Instruction Fuzzy Hash: 7661AD32224B9086DB04EF15E0913AEB7A5F789BD4F544125EF8E47B64DF38C4A9CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0021D3A0 Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

runtime: cannot allocate memoryruntime: failed to commit pagesslice bounds out of range [%x:]slice bounds out of range [:%x]unsafe.String: len out of rangewriteBytes with unfinished bits (types from different packages)WSAGetOverlappedResult not found" not supp, xrefs: 0021D5DE
persistentalloc: align is not a power of 2runtime: blocked write on closing polldescsweep: tried to preserve a user arena spanunexpected signal during runtime executiongcBgMarkWorker: unexpected gcMarkWorkerModegrew heap, but no adequate free space foundmethod, xrefs: 0021D610
persistentalloc: align is too largepidleput: P has non-empty run queueruntime: close polldesc w/o unblockruntime: inconsistent read deadlinessh: invalid packet length multipletraceback did not unwind completely0123456789abcdefghijklmnopqrstuvwxyzGo pointer sto, xrefs: 0021D5FF
persistentalloc: size == 0shrinking stack in libcallssh: invalid packet lengthstartlockedm: locked to meuse of invalid sweepLockerwakep: negative nmspinningCurveP256CurveP384CurveP521G waiting list is corruptedaddress not a stack addresscould not find QPC sysc, xrefs: 0021D625

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: persistentalloc: align is not a power of 2runtime: blocked write on closing polldescsweep: tried to preserve a user arena spanunexpected signal during runtime executiongcBgMarkWorker: unexpected gcMarkWorkerModegrew heap, but no adequate free space foundmethod$persistentalloc: align is too largepidleput: P has non-empty run queueruntime: close polldesc w/o unblockruntime: inconsistent read deadlinessh: invalid packet length multipletraceback did not unwind completely0123456789abcdefghijklmnopqrstuvwxyzGo pointer sto$persistentalloc: size == 0shrinking stack in libcallssh: invalid packet lengthstartlockedm: locked to meuse of invalid sweepLockerwakep: negative nmspinningCurveP256CurveP384CurveP521G waiting list is corruptedaddress not a stack addresscould not find QPC sysc$runtime: cannot allocate memoryruntime: failed to commit pagesslice bounds out of range [%x:]slice bounds out of range [:%x]unsafe.String: len out of rangewriteBytes with unfinished bits (types from different packages)WSAGetOverlappedResult not found" not supp
API String ID: 0-479432679
Opcode ID: d641be48612bc93a50ae821f5ab9001ab2ce75e661bb052c84cb71dcfc847045
Instruction ID: 224b2ad849e4afb504ceaaaa64481ee7afe2d039aa90002b12ad8debc0c49be2
Opcode Fuzzy Hash: d641be48612bc93a50ae821f5ab9001ab2ce75e661bb052c84cb71dcfc847045
Instruction Fuzzy Hash: 69618772629B85D2DB14CF05E4803DAB7B5F798B84F849122EB9D13B29DF39C4A5CB00

Uniqueness

Uniqueness Score: -1.00%

Function 002622C0 Relevance: 5.2, Strings: 4, Instructions: 160COMMON

Download Yara Rule

Strings

q$&, xrefs: 00262466
w%&, xrefs: 0026256D
l"&, xrefs: 00262F2B
runtime: impossible type kindruntime: split stack overflowruntime: sudog with non-nil cscanobject of a noscan objectsemacquire not on the G stackstring concatenation too longtimeBegin/EndPeriod not found (types from different scopes)GODEBUG: unknown cpu featur, xrefs: 00262F05

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: l"&$q$&$runtime: impossible type kindruntime: split stack overflowruntime: sudog with non-nil cscanobject of a noscan objectsemacquire not on the G stackstring concatenation too longtimeBegin/EndPeriod not found (types from different scopes)GODEBUG: unknown cpu featur$w%&
API String ID: 0-158268585
Opcode ID: a9336e4f7acd8f23f3cec7b81ec6dd3ef9fc09bb7020892334f83d75d68174f1
Instruction ID: eec694ee11ed06c0b5c417c013246ed84b100e291209ff594c94ed417e0182c6
Opcode Fuzzy Hash: a9336e4f7acd8f23f3cec7b81ec6dd3ef9fc09bb7020892334f83d75d68174f1
Instruction Fuzzy Hash: 93619C32A28ED5C5DB759F14E4413DAA360F398790F880522DBEC47B9ADF28C8E4CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002258E0 Relevance: 5.1, Strings: 4, Instructions: 131COMMON

Download Yara Rule

Strings

bad sweepgen in refillcall not at safe pointcompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnon-positive dimen, xrefs: 00225AE5
refill of span with free space remainingruntime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsattempted to add zero-sized address rangegcSweep being done but phase is not GCoffmheap.freeSpanLock, xrefs: 00225AF6
out of memoryprofMemActiveprofMemFuturetraceStackTabvalue method xadd64 failedxchg64 failed to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queues, xrefs: 00225AC5
span has no free spacestack not a power of 2trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p state", missing CPU supportchan receive (nil chan)close of closed channelfatal: morestack on g0garbage collection scangcDrain phase, xrefs: 00225AB1

Memory Dump Source

Source File: 00000000.00000002.3278312667.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.3278294522.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279172615.00000000010CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279185545.00000000010DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279195325.00000000010DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279206570.00000000010DF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279229186.0000000001102000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279242042.0000000001107000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000110A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000113D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001143000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.000000000116A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279252169.0000000001172000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279329929.000000000117F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279340387.0000000001180000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_FQElDjFG5t.jbxd

Yara matches

Similarity

API ID:
String ID: bad sweepgen in refillcall not at safe pointcompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnon-positive dimen$out of memoryprofMemActiveprofMemFuturetraceStackTabvalue method xadd64 failedxchg64 failed to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queues$refill of span with free space remainingruntime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsattempted to add zero-sized address rangegcSweep being done but phase is not GCoffmheap.freeSpanLock$span has no free spacestack not a power of 2trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p state", missing CPU supportchan receive (nil chan)close of closed channelfatal: morestack on g0garbage collection scangcDrain phase
API String ID: 0-3123902989
Opcode ID: 9d01ea8adf5bca23fe989c9e266f49bc981f0a33fdbe011c93073904d730ac25
Instruction ID: 86d9c5cbbf4eda87b8f3ece5c5b675a0f21262aaf33505a7ba68e199f38f3229
Opcode Fuzzy Hash: 9d01ea8adf5bca23fe989c9e266f49bc981f0a33fdbe011c93073904d730ac25
Instruction Fuzzy Hash: BC518D73224BA4C6DB10DF05E48039EB765F789B94F949122EB8D03B69DF38C966CB50

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FQElDjFG5t.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: FQElDjFG5t.exePID: 616, Parent PID: 1028

Windows Analysis Report
FQElDjFG5t.exe