Edit tour

Windows Analysis Report
SecuriteInfo.com.FileRepMalware.16004.4080.exe

Overview

General Information

Sample name:	SecuriteInfo.com.FileRepMalware.16004.4080.exe
Analysis ID:	1499608
MD5:	ba890934a4b54976d58c9b92b652bc16
SHA1:	546196a320471c102f8c6f2dcfd08d2743ccfd52
SHA256:	3c5fbcd66798a60ab8c1aad4cbbb36a658533dd78c3ae76f92b9da0898b466fb
Tags:	exe
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Potentially malicious time measurement code found

Contains functionality for execution timing, often used to detect debuggers

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Communication To Uncommon Destination Ports

Classification

Process Tree

System is w10x64

SecuriteInfo.com.FileRepMalware.16004.4080.exe (PID: 5508 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe" MD5: BA890934A4B54976D58C9B92B652BC16)

cmd.exe (PID: 6768 cmdline: cmd.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 95.169.204.138, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe, Initiated: true, ProcessId: 5508, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49705

Suricata Signatures

ET MALWARE Win32/Suspected Reverse Shell Connection - Source IP: 192.168.2.7 - Destination IP: 95.169.204.138

Timestamp:	2024-08-27T09:28:10.355038+0200
SID:	2034945
Severity:	1
Source Port:	49705
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	ReversingLabs: Detection: 52%
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	Virustotal: Detection: 60%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.3% probability

Bitcoin Miner

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe

Code function: 0_2_000B42E0 LoadLibraryExW,

0_2_000B42E0

Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 4x nop then cmp rdx, rbx	0_2_0008C0A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 4x nop then shr r10, 0Dh	0_2_000AC120
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 4x nop then shr r10, 0Dh	0_2_000AD5A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 4x nop then lock or byte ptr [rdx], dil	0_2_000A1640
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 4x nop then cmp rdx, 40h	0_2_000A0F00

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2034945 - Severity 1 - ET MALWARE Win32/Suspected Reverse Shell Connection : 192.168.2.7:49705 -> 95.169.204.138:8080

Source: global traffic

TCP traffic: 192.168.2.7:49705 -> 95.169.204.138:8080

Source: Joe Sandbox View

ASN Name: BTEL-BG-ASBG BTEL-BG-ASBG

Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.204.138
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.204.138
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.204.138
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.204.138
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.204.138
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.204.138
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.204.138
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.204.138
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.204.138
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.204.138
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.204.138
Source: unknown	TCP traffic detected without corresponding DNS query: 95.169.204.138

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_00082000	0_2_00082000
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000C0020	0_2_000C0020
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000C7480	0_2_000C7480
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000B6500	0_2_000B6500
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000A9600	0_2_000A9600
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000A8800	0_2_000A8800
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000969C0	0_2_000969C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_0008DB60	0_2_0008DB60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_0008CFC0	0_2_0008CFC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000BA000	0_2_000BA000
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000A6100	0_2_000A6100
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000AC120	0_2_000AC120
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000A31A0	0_2_000A31A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000DE1C0	0_2_000DE1C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_0008A260	0_2_0008A260
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000B32A0	0_2_000B32A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000BD3A0	0_2_000BD3A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000D3400	0_2_000D3400
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_0009B480	0_2_0009B480
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000CB4C0	0_2_000CB4C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000B0520	0_2_000B0520
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000E7549	0_2_000E7549
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000A7540	0_2_000A7540
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000AD5A0	0_2_000AD5A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000955E0	0_2_000955E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000AC5E0	0_2_000AC5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000F5680	0_2_000F5680
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_0008E720	0_2_0008E720
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000AF7A0	0_2_000AF7A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000B97C0	0_2_000B97C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_0009A8A0	0_2_0009A8A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000A18C0	0_2_000A18C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000AE980	0_2_000AE980
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000C0AA0	0_2_000C0AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_00099B00	0_2_00099B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_00083C00	0_2_00083C00
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000CEC00	0_2_000CEC00
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000C1C60	0_2_000C1C60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_0009EC80	0_2_0009EC80
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000BDD00	0_2_000BDD00
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000F4E60	0_2_000F4E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000E4F00	0_2_000E4F00
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_000D1F20	0_2_000D1F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: 0_2_0009AF60	0_2_0009AF60

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: String function: 000B8A20 appears 516 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: String function: 000B8B00 appears 31 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: String function: 000BA520 appears 76 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Code function: String function: 000BAD40 appears 636 times

Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe

Static PE information: Number of sections : 15 > 10

Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	Static PE information: Section: /19 ZLIB complexity 1.0003392269736842
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	Static PE information: Section: /32 ZLIB complexity 0.9919731326219512
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	Static PE information: Section: /65 ZLIB complexity 0.9999330357142857
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	Static PE information: Section: /78 ZLIB complexity 0.9954869538834952

Source: classification engine

Classification label: mal68.evad.mine.winEXE@4/0@0/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1240:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe

File opened: C:\Windows\system32\0bf4f85e52a4d13b06ff04b86f048ddd7313241be24d40ec9e81373947a3be7bAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	ReversingLabs: Detection: 52%
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	Virustotal: Detection: 60%

Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime:
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime:
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: unsafe.String: len out of rangego package net: hostLookupOrder(resource temporarily unavailablesoftware caused connection abortnumerical argument out of domainCertAddCertificateContextToStoreCertVerifyCertificateChainPolicy28421709430404007434844970703125MapIter.Value called before Nextsync: Unlock of unlocked RWMutexsync: negative WaitGroup counterunexpected character, want colonslice bounds out of range [::%x]slice bounds out of range [:%x:]slice bounds out of range [%x::] (types from different packages)end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoneduse of closed network connection" not supported for cpu option "go package net: confVal.netCgo = too many levels of symbolic linksInitializeProcThreadAttributeList142108547152020037174224853515625710542735760100185871124267578125reflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangesync: RUnlock of unlocked RWMutexskip everything and stop the walkslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangetoo many Answers to pack (>65535)GetVolumeNameForVolumeMountPointWwaiting for unsupported file typeGODEBUG: no value specified for "NoDefaultCurrentDirectoryInExePathtoo many references: cannot spliceSetFileCompletionNotificationModes3552713678800500929355621337890625reflect: Field of non-struct type reflect: Field index out of boundsreflect: string index out of rangeslice bounds out of range [:%x:%y]slice bounds out of range [%x:%y:]out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: unsafe.String: len out of rangego package net: hostLookupOrder(resource temporarily unavailablesoftware caused connection abortnumerical argument out of domainCertAddCertificateContextToStoreCertVerifyCertificateChainPolicy28421709430404007434844970703125MapIter.Value called before Nextsync: Unlock of unlocked RWMutexsync: negative WaitGroup counterunexpected character, want colonslice bounds out of range [::%x]slice bounds out of range [:%x:]slice bounds out of range [%x::] (types from different packages)end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoneduse of closed network connection" not supported for cpu option "go package net: confVal.netCgo = too many levels of symbolic linksInitializeProcThreadAttributeList142108547152020037174224853515625710542735760100185871124267578125reflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangesync: RUnlock of unlocked RWMutexskip everything and stop the walkslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangetoo many Answers to pack (>65535)GetVolumeNameForVolumeMountPointWwaiting for unsupported file typeGODEBUG: no value specified for "NoDefaultCurrentDirectoryInExePathtoo many references: cannot spliceSetFileCompletionNotificationModes3552713678800500929355621337890625reflect: Field of non-struct type reflect: Field index out of boundsreflect: string index out of rangeslice bounds out of range [:%x:%y]slice bounds out of range [%x:%y:]out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe

Static file information: File size 3167744 > 1048576

Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x10b000

Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	Static PE information: section name: .xdata
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	Static PE information: section name: /4
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	Static PE information: section name: /19
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	Static PE information: section name: /32
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	Static PE information: section name: /46
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	Static PE information: section name: /65
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	Static PE information: section name: /78
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	Static PE information: section name: /90
Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe

Code function: 0_2_000EA2A0 rdtscp

0_2_000EA2A0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe

Code function: 0_2_000B4420 GetProcessAffinityMask,GetSystemInfo,

0_2_000B4420

Source: SecuriteInfo.com.FileRepMalware.16004.4080.exe, 00000000.00000002.2532110903.000002366F18C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe

Code function: 0_2_000EA2A0 Start: 000EA2A9 End: 000EA2BF

0_2_000EA2A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe

Code function: 0_2_000EA2A0 rdtscp

0_2_000EA2A0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe

Process created: C:\Windows\System32\cmd.exe cmd.exe

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Software Packing	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.FileRepMalware.16004.4080.exe	53%	ReversingLabs	Win32.Trojan.Generic
SecuriteInfo.com.FileRepMalware.16004.4080.exe	60%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
95.169.204.138	unknown	Bulgaria		44814	BTEL-BG-ASBG	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1499608
Start date and time:	2024-08-27 09:27:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.FileRepMalware.16004.4080.exe
Detection:	MAL
Classification:	mal68.evad.mine.winEXE@4/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 12 Number of non-executed functions: 39
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe, UsoClient.exe
Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BTEL-BG-ASBG	file.exe	Get hash	malicious	GCleaner, Raccoon Stealer v2	Browse	95.169.205.186
	xzQ4Zf3975.exe	Get hash	malicious	Raccoon Stealer v2	Browse	95.169.205.186
	60lAWJYfsL.exe	Get hash	malicious	Raccoon Stealer v2	Browse	95.169.205.186
	http://fwtnp.dfbf.maderclean.cl/giorgiobelfiore@dececco.it	Get hash	malicious	Unknown	Browse	185.7.219.103
	GVlpP9RL5t	Get hash	malicious	Mirai	Browse	95.169.222.123

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.852924175654013
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.FileRepMalware.16004.4080.exe
File size:	3'167'744 bytes
MD5:	ba890934a4b54976d58c9b92b652bc16
SHA1:	546196a320471c102f8c6f2dcfd08d2743ccfd52
SHA256:	3c5fbcd66798a60ab8c1aad4cbbb36a658533dd78c3ae76f92b9da0898b466fb
SHA512:	89906df2c970b9e6f01fcdb907cea7461dc5a6696af3f8d1d3628733a3e5d99bb92d0646ca6fc8586039801978ffbda344c54197db219037399124182642efe9
SSDEEP:	49152:tqxuZ+Ae/NRZutrXyB1fsrDWBHSm7Cm7XUiNnoYH90b:uvIrXgfs/6XCKEiNnoYd0b
TLSH:	51E57C47BC9105A9D4ADA33289A652927B75BC590F3223D32F90F73C2FB2BD45A79340
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........"........"......J.......... .........@..............................p9...........`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x46ba20
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	c2d457ad8ac36fc9f18d45bffcd450c2

Entrypoint Preview

Instruction
jmp 00007FA8E9423360h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
dec eax
mov ebp, esp
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
inc ebp
xorps xmm7, xmm7
dec ebp
xor esi, esi
dec eax
mov eax, dword ptr [0021A642h]
dec eax
mov eax, dword ptr [eax]
dec eax
cmp eax, 00000000h
je 00007FA8E9426C45h
dec esp
mov esi, dword ptr [eax]
dec eax
sub esp, 10h
dec eax
mov eax, ecx
dec eax
mov ebx, edx
call 00007FA8E9428D3Bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x36d000	0x554	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x28a000	0x66e4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x36e000	0x4e1a	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1f1120	0x180	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xe4804	0xe4a00	5e808603953b2d6a5c5d43e9e560867c	False	0.46402896904045926	data	6.2032775151750466	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe6000	0x10af30	0x10b000	351af7bba1bc08bc685abb529308a0f3	False	0.40874809808052437	data	5.411179509946513	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f1000	0x98bc0	0xfc00	5bcda861944e5059dd8b2f9990904c00	False	0.3745969742063492	data	3.9008977853402564	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x28a000	0x66e4	0x6800	63bd5415359791899177dc39150c2dd7	False	0.4001277043269231	data	5.287494441711501	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x291000	0xb4	0x200	4cd30e042194b77b59e05afb61fd9da5	False	0.22265625	shared library	1.7674869226373504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
/4	0x292000	0x129	0x200	17f62672c8506464ae13eccc2eb6cb94	False	0.623046875	data	5.081946473254993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x293000	0x2f7f6	0x2f800	6ec796d31d9d9a84707bd13c84fba77d	False	1.0003392269736842	data	7.992799711132943	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/32	0x2c3000	0xa315	0xa400	3a315ac91a95d7b1f85b32b6caf27eb3	False	0.9919731326219512	data	7.926163609431176	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/46	0x2ce000	0x30	0x200	40cca7c46fc713b4f088e5d440ca7931	False	0.103515625	data	0.8556848540171443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/65	0x2cf000	0x57760	0x57800	b6e9c56030c50e148ac67941925a38de	False	0.9999330357142857	data	7.997876638245526	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/78	0x327000	0x336b1	0x33800	2b82f33c986cc784447534845f815dfc	False	0.9954869538834952	data	7.990177163520869	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/90	0x35b000	0x11473	0x11600	f03fcd2c9a3fbd12d97cc1b4e53d6f58	False	0.9705064073741008	data	7.786974959795352	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x36d000	0x554	0x600	6c74da8b995d5f352bfc30df737454d3	False	0.3821614583333333	data	4.052123772628214	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x36e000	0x4e1a	0x5000	17501a5aa0b3bc3f60cf25a725b45302	False	0.313916015625	data	5.409881175266257	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x373000	0x2325d	0x23400	f5bd35f44bd12620b693e571538fc231	False	0.2534837655141844	data	5.089571979379327	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler, AddVectoredContinueHandler

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-27T09:28:10.355038+0200	TCP	2034945	ET MALWARE Win32/Suspected Reverse Shell Connection	1	49705	8080	192.168.2.7	95.169.204.138

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 27, 2024 09:28:13.816214085 CEST	49705	8080	192.168.2.7	95.169.204.138
Aug 27, 2024 09:28:13.821201086 CEST	8080	49705	95.169.204.138	192.168.2.7
Aug 27, 2024 09:28:13.821286917 CEST	49705	8080	192.168.2.7	95.169.204.138
Aug 27, 2024 09:28:13.911406994 CEST	49705	8080	192.168.2.7	95.169.204.138
Aug 27, 2024 09:28:13.911483049 CEST	49705	8080	192.168.2.7	95.169.204.138
Aug 27, 2024 09:28:13.916241884 CEST	8080	49705	95.169.204.138	192.168.2.7
Aug 27, 2024 09:28:13.916254997 CEST	8080	49705	95.169.204.138	192.168.2.7
Aug 27, 2024 09:28:28.927803040 CEST	49705	8080	192.168.2.7	95.169.204.138
Aug 27, 2024 09:28:28.932612896 CEST	8080	49705	95.169.204.138	192.168.2.7
Aug 27, 2024 09:28:35.430927992 CEST	8080	49705	95.169.204.138	192.168.2.7
Aug 27, 2024 09:28:35.431086063 CEST	49705	8080	192.168.2.7	95.169.204.138
Aug 27, 2024 09:28:35.431704044 CEST	8080	49705	95.169.204.138	192.168.2.7
Aug 27, 2024 09:28:35.435694933 CEST	49705	8080	192.168.2.7	95.169.204.138
Aug 27, 2024 09:28:50.443502903 CEST	49705	8080	192.168.2.7	95.169.204.138
Aug 27, 2024 09:28:50.448537111 CEST	8080	49705	95.169.204.138	192.168.2.7
Aug 27, 2024 09:29:05.459230900 CEST	49705	8080	192.168.2.7	95.169.204.138
Aug 27, 2024 09:29:05.464121103 CEST	8080	49705	95.169.204.138	192.168.2.7
Aug 27, 2024 09:29:20.475552082 CEST	49705	8080	192.168.2.7	95.169.204.138
Aug 27, 2024 09:29:20.480614901 CEST	8080	49705	95.169.204.138	192.168.2.7
Aug 27, 2024 09:29:35.491214991 CEST	49705	8080	192.168.2.7	95.169.204.138
Aug 27, 2024 09:29:35.497229099 CEST	8080	49705	95.169.204.138	192.168.2.7
Aug 27, 2024 09:29:50.507004023 CEST	49705	8080	192.168.2.7	95.169.204.138
Aug 27, 2024 09:29:50.511960983 CEST	8080	49705	95.169.204.138	192.168.2.7

Target ID:	0
Start time:	03:28:12
Start date:	27/08/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16004.4080.exe"
Imagebase:	0x80000
File size:	3'167'744 bytes
MD5 hash:	BA890934A4B54976D58C9B92B652BC16
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	03:28:12
Start date:	27/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe
Imagebase:	0x7ff74f190000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	03:28:12
Start date:	27/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.8%
Total number of Nodes:	819
Total number of Limit Nodes:	66

Executed Functions

Function 0008CFC0 Relevance: 12.9, Strings: 10, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-c, xrefs: 0008D631
region exceeds uintptr range/gc/heap/frees-by-size:bytes/gc/heap/tiny/allocs:objects/sched/goroutines:goroutinesgcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: m, xrefs: 0008D607
) not in usable address space: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: , xrefs: 0008D705
out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbi, xrefs: 0008D376
, xrefs: 0008D64F
arena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p , xrefs: 0008D387
end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremo, xrefs: 0008D65F
out of memory allocating heap arena map/cpu/classes/gc/mark/assist:cpu-seconds/cpu/classes/scavenge/total:cpu-seconds/memory/classes/profiling/buckets:bytesmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResume, xrefs: 0008D398
out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning wit, xrefs: 0008D365
memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memory (bad use of unsafe.Pointer? try -d=checkptr)sysGrow bounds not aligned to pallocChunkBytesruntime: failed to create new , xrefs: 0008D732

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $) not in usable address space: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: $arena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p $base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-c$end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremo$memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memory (bad use of unsafe.Pointer? try -d=checkptr)sysGrow bounds not aligned to pallocChunkBytesruntime: failed to create new $out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning wit$out of memory allocating heap arena map/cpu/classes/gc/mark/assist:cpu-seconds/cpu/classes/scavenge/total:cpu-seconds/memory/classes/profiling/buckets:bytesmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResume$out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbi$region exceeds uintptr range/gc/heap/frees-by-size:bytes/gc/heap/tiny/allocs:objects/sched/goroutines:goroutinesgcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: m
API String ID: 0-847506971
Opcode ID: 057a7a31fafec66853e4b29281f4ed3b1f171f28010f22d085ea3e7f77cd9d3f
Instruction ID: 1e49a89bd3291a0825332c47f8f233209b0e0b581e0e47b0a5c1a4dc18f51c0c
Opcode Fuzzy Hash: 057a7a31fafec66853e4b29281f4ed3b1f171f28010f22d085ea3e7f77cd9d3f
Instruction Fuzzy Hash: DB028B72209B8482DBA09B56F4507EAB7A4F38AB90F448226EFDD5779ACF3CC544C701

Function 0008DB60 Relevance: 9.3, Strings: 7, Instructions: 547COMMON

Download Yara Rule

Strings

mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 0008E3E5
!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 0008DEF3
malloc during signalclose of nil channelinconsistent lockedmnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=, xrefs: 0008E3F6
malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no , xrefs: 0008E407
unexpected malloc header in delayed zeroing of large objectsync/atomic: store of inconsistently typed value into Valuereflect: call of reflect.Value.Len on ptr to non-array Valuemanual span allocation called with non-manually-managed typeaddr range base and li, xrefs: 0008E38C
delayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablego package net: dynamic selection of DNS resolverruntime: unabl, xrefs: 0008E39D
mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largegodebug: Value of name not listed in godebugs.All: limiterEv, xrefs: 0008E418

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$delayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablego package net: dynamic selection of DNS resolverruntime: unabl$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no $malloc during signalclose of nil channelinconsistent lockedmnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largegodebug: Value of name not listed in godebugs.All: limiterEv$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $unexpected malloc header in delayed zeroing of large objectsync/atomic: store of inconsistently typed value into Valuereflect: call of reflect.Value.Len on ptr to non-array Valuemanual span allocation called with non-manually-managed typeaddr range base and li
API String ID: 0-4232524965
Opcode ID: da2bbaa67c562ba26ac261374c034288e3f78ed16917584ebca6a65a39202a6f
Instruction ID: 9f0a9eb039d2ab972d3b645765c9a0c8b85bfb7e7a247ef68df33bbc9efd624f
Opcode Fuzzy Hash: da2bbaa67c562ba26ac261374c034288e3f78ed16917584ebca6a65a39202a6f
Instruction Fuzzy Hash: 9332E3723187D0C2DB60AF15E4447AEBBA5F785B94F489216EEDD07B96CB78C984CB00

Function 00082000 Relevance: 9.2, Strings: 7, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pclmulqdqmath/randtlsrsakex.localhostsetsockoptunixpacket netGo = /dev/stdinCreateFileexecerrdotSYSTEMROOTterminatedowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptdnsapi.dllws2_32.dll%!Weekday(12207031256103515625com, xrefs: 0008207F
ermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatntohsMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Local1562578125int16int32int64uint8arrayslice and (at defersweeptestRtestWexecWexecRschedhchansudoggscan, xrefs: 00082061
avx512bwavx512vlgo/typesnet/httpgo/buildx509sha1files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitinterruptbus errorFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dllWednesdaySeptember244140625complex64interfaceinvalid nfuncargs(bad i, xrefs: 00082651
avx512f#internos/execruntimeGoString[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramFullPathno anodeCancelIoReadFileAcceptExWSAIoctlThursdaySaturdayFebruaryNovemberDecember%!Month(48828125nil PoolscavengepollDesctraceBufdeadlockraceFinipanicnil, xrefs: 00082604
sse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: hangupkilledSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13390625uint16uint32uint64structchan<-<-chan Valuesysmontimersefenceselect, not object next, xrefs: 00082288
rdtscppopcntcmd/gocmd.exefloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXTabortedCopySidWSARecvWSASendsignal TuesdayJanuaryOctoberMUI_StdMUI_Dlt19531259765625invaliduintptrChanDir Value>::ffff::eventsforcegcallocmWcpuprofallocmRunkn, xrefs: 000820A0
adxaesshaavxfmanettrueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathquitJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT3125-Inf+Infboolint8uintchanfunccallkindallgallprootitabsbrkidledead is LEAFbase of <==GO, xrefs: 00082026

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: adxaesshaavxfmanettrueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathquitJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT3125-Inf+Infboolint8uintchanfunccallkindallgallprootitabsbrkidledead is LEAFbase of <==GO$avx512bwavx512vlgo/typesnet/httpgo/buildx509sha1files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitinterruptbus errorFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dllWednesdaySeptember244140625complex64interfaceinvalid nfuncargs(bad i$avx512f#internos/execruntimeGoString[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramFullPathno anodeCancelIoReadFileAcceptExWSAIoctlThursdaySaturdayFebruaryNovemberDecember%!Month(48828125nil PoolscavengepollDesctraceBufdeadlockraceFinipanicnil$ermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatntohsMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Local1562578125int16int32int64uint8arrayslice and (at defersweeptestRtestWexecWexecRschedhchansudoggscan$pclmulqdqmath/randtlsrsakex.localhostsetsockoptunixpacket netGo = /dev/stdinCreateFileexecerrdotSYSTEMROOTterminatedowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptdnsapi.dllws2_32.dll%!Weekday(12207031256103515625com$rdtscppopcntcmd/gocmd.exefloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXTabortedCopySidWSARecvWSASendsignal TuesdayJanuaryOctoberMUI_StdMUI_Dlt19531259765625invaliduintptrChanDir Value>::ffff::eventsforcegcallocmWcpuprofallocmRunkn$sse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: hangupkilledSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13390625uint16uint32uint64structchan<-<-chan Valuesysmontimersefenceselect, not object next
API String ID: 0-3884367468
Opcode ID: a733fc57116830d4ba8e9c5d4a08556a702607ca87a1b3894f2fb782e87ec457
Instruction ID: 7ba91f10f8d5db022cef67012fff7d95f76fdd2cf58249721887f4dd59265af6
Opcode Fuzzy Hash: a733fc57116830d4ba8e9c5d4a08556a702607ca87a1b3894f2fb782e87ec457
Instruction Fuzzy Hash: D142EF7A505F84C5E702EF25F45A3993BA8F359B84F458226DA8D4B3A2CF79C5B9C300

Function 000B6500 Relevance: 4.0, Strings: 3, Instructions: 273COMMON

Download Yara Rule

Strings

runtime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=parsing/packing of this type isn't available yetinvalid or incomplete multibyte or wide characternot enough significant bits after mult128bitPow10the :: must expand, xrefs: 000B6967
runtime.preemptM: duplicatehandle failedglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentstime: Reset called on uninitialized Timer34694469519536141888238489627838134765625strconv: illegal A, xrefs: 000B698F
self-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchRCodeSuccessRCodeRefusedOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi, xrefs: 000B69A5

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: runtime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=parsing/packing of this type isn't available yetinvalid or incomplete multibyte or wide characternot enough significant bits after mult128bitPow10the :: must expand$runtime.preemptM: duplicatehandle failedglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentstime: Reset called on uninitialized Timer34694469519536141888238489627838134765625strconv: illegal A$self-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchRCodeSuccessRCodeRefusedOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFi
API String ID: 0-415551899
Opcode ID: 35510305851e0a9e24c91dcdb51bef7da327acc365fd75831f14c7eb82e6e4e8
Instruction ID: ca1ecacd150ef2cef4663f07b970dc998dfa1f1e1e305cb358739346f252d560
Opcode Fuzzy Hash: 35510305851e0a9e24c91dcdb51bef7da327acc365fd75831f14c7eb82e6e4e8
Instruction Fuzzy Hash: 29C17D36609F8081DB60DF25E8513AEB764F78AB95F149236DAAC43795DF3DC492CB00

Function 000B42E0 Relevance: 2.6, Strings: 2, Instructions: 65COMMON

Download Yara Rule

Strings

powrprof.dll, xrefs: 000B42F9
PowerRegisterSuspendResumeNotification, xrefs: 000B4349

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: PowerRegisterSuspendResumeNotification$powrprof.dll
API String ID: 0-3247360486
Opcode ID: 0ca7604da4be8dba76a6591a73da43a390b9cd816cfa32df4dff7193863a1b66
Instruction ID: de61ac4ea723590991f6e9088bd8e534425ed6f20b588e6f204fb87d305c0b22
Opcode Fuzzy Hash: 0ca7604da4be8dba76a6591a73da43a390b9cd816cfa32df4dff7193863a1b66
Instruction Fuzzy Hash: E9215A36609F84C5D701CF11F44639AB7A8F78AB80F588116EA9C47B6ADF79C295CB00

Function 000A9600 Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 000A9B62

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
API String ID: 0-3724787384
Opcode ID: 7deb650ee75a32f5f179b2158fd6e989aa8a66ac30dfd03c8aca688517996cef
Instruction ID: 86344ad892ca00e104cf89116785639a04edf44baabcd415ba69eddad3c3562d
Opcode Fuzzy Hash: 7deb650ee75a32f5f179b2158fd6e989aa8a66ac30dfd03c8aca688517996cef
Instruction Fuzzy Hash: BAE18A72319B8485DB60CF56F49079EABA4F786BD0F589116EE8D47B6ACF38C494CB00

Function 000C7480 Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

@(, xrefs: 000C7744

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @(
API String ID: 0-264274533
Opcode ID: 9ad9deb0131571d2aa0f4c12203aede69082fc8905b08a804acd2583aad22aa1
Instruction ID: 0c009644337a362e0f66cf7d822b57fd74b0570d2cd307d412c994d537f5151e
Opcode Fuzzy Hash: 9ad9deb0131571d2aa0f4c12203aede69082fc8905b08a804acd2583aad22aa1
Instruction Fuzzy Hash: C4C1BF3620AB40C6EB04DF25F49576EB7A4F78AB80F549129EA8D47B6ADF7CC445CB00

Function 000969C0 Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 00096B70

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
API String ID: 0-1712010102
Opcode ID: 42a7fb43c484a04e1ea61767d8ea9b71954507a0e48498c14f0c9db79f026a1b
Instruction ID: 19b7af2ccf8ae9e8d496b749347614d66dd75e25769c41fa232351cd726ba61a
Opcode Fuzzy Hash: 42a7fb43c484a04e1ea61767d8ea9b71954507a0e48498c14f0c9db79f026a1b
Instruction Fuzzy Hash: 97C1C272309B4186DF54CF14E4903AEB7A5F785B94F448126EB9E43BA9EF39C885DB00

Function 000C0020 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5850d8019bfc67086f9422dafeff4a70f1d9572b6fe6b222a61cb728887cd7
Instruction ID: 56aecef22c8ea2e493f9baef1e4fd936ca146a479ea230c9c28d052085a30ace
Opcode Fuzzy Hash: 8e5850d8019bfc67086f9422dafeff4a70f1d9572b6fe6b222a61cb728887cd7
Instruction Fuzzy Hash: C991F535702600CAEB559F54E898BAE77A6F781B84F98D039CA4C0B725DF3DC989C740

Function 000A8800 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d1efb46876a6f6dea4b58e21979764e1304e31da2df60fb8f9443e62291970
Instruction ID: 229df09829c90f17f88ec9f9775921cf52d8dbe35603b9bbfcd04901172fe6c1
Opcode Fuzzy Hash: 42d1efb46876a6f6dea4b58e21979764e1304e31da2df60fb8f9443e62291970
Instruction Fuzzy Hash: C23183BA30AB8991DF449B19E4913EA6762E385BC0F85D032DE4E57729DF38C64AD340

Function 000B4420 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a6656e34ca20be08636318360ec6f1665e19558cec1999f428763c6384c16b5
Instruction ID: d846f4067821c53d09e64e95f22620e0ac8191d75435b331fb3586e670081ae2
Opcode Fuzzy Hash: 3a6656e34ca20be08636318360ec6f1665e19558cec1999f428763c6384c16b5
Instruction Fuzzy Hash: B4216033A08F8582DB50CB25F4423AAB764F346BD4F549222EEAD47B9ADF38C191C740

Function 000EBB80 Relevance: 1.3, APIs: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000EBC18

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d0420e7b245c68536b1289b904fe6097933a37c154ff1c15fd575de53d0a58cb
Instruction ID: 7569c35654e8a40e545f3d791dbe32cfe99dbd9ff0793f84a1e1eb1ecd30dd1f
Opcode Fuzzy Hash: d0420e7b245c68536b1289b904fe6097933a37c154ff1c15fd575de53d0a58cb
Instruction Fuzzy Hash: A5115236A05B80C5DB218B1FE8413697374E348BE4F244215DFAD67BA4DB29E192C740

Non-executed Functions

Function 000AC5E0 Relevance: 16.8, Strings: 13, Instructions: 542COMMON

Download Yara Rule

Strings

, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base , val headerAnswerLengthGetACPCommonrdtscppopcntcmd/gocmd.exefloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXTabortedCopySidWSARecvWSASendsignal TuesdayJa, xrefs: 000ACE65
][}]> +])idLlLtLuMn"tcpnilEOFcgodnsudpftpssh::1set\\?NUL:\/MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDlt125625NaNintmapptr...): f, xrefs: 000AC8FA, 000ACD3B
runtime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.semawakeupcontext., xrefs: 000AC98F
) @s Pn=][}]> +])idLlLtLuMn"tcpnilEOFcgodnsudpftpssh::1set\\?NUL:\/MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDlt125625NaNintmap, xrefs: 000AC96F
, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by .WithCancelClassHESIODauthori, xrefs: 000ACDDC
] = (usageinit ms, fault tab= top=[...], fp:ClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: hangupkilledSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13390625uint16uint32uint64structchan, xrefs: 000AC918
runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 000AC8DF, 000ACD16
, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type nil keyanswers\\.\UNCavx512f#internos/execruntimeGoString[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramFullPathno anodeCanc, xrefs: 000ACDFA
runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockresource length too longunpacking Question.Classinvalid pattern syntax: Failed to get stdin , xrefs: 000ACE45
bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 000AC9BC, 000AD10C
] = pc=: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=bitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatntohsMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Local1562578125int16i, xrefs: 000ACD56
runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 000ACEC5
, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 000ACEE5

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ) @s Pn=][}]> +])idLlLtLuMn"tcpnilEOFcgodnsudpftpssh::1set\\?NUL:\/MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDlt125625NaNintmap$, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base , val headerAnswerLengthGetACPCommonrdtscppopcntcmd/gocmd.exefloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXTabortedCopySidWSARecvWSASendsignal TuesdayJa$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type nil keyanswers\\.\UNCavx512f#internos/execruntimeGoString[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramFullPathno anodeCanc$, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by .WithCancelClassHESIODauthori$] = pc=: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=bitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatntohsMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Local1562578125int16i$] = (usageinit ms, fault tab= top=[...], fp:ClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: hangupkilledSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13390625uint16uint32uint64structchan$][}]> +])idLlLtLuMn"tcpnilEOFcgodnsudpftpssh::1set\\?NUL:\/MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDlt125625NaNintmapptr...): f$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon$runtime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.semawakeupcontext.$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockresource length too longunpacking Question.Classinvalid pattern syntax: Failed to get stdin $runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-2411249604
Opcode ID: 6e1279d31108f6ad6df76d02c77e7a1330ccf95155d1bc6d65149e431d9ae572
Instruction ID: f5cb239fbdec332ae2e163bbe62e381febe7e4be104f14409e1c6df5439b41e9
Opcode Fuzzy Hash: 6e1279d31108f6ad6df76d02c77e7a1330ccf95155d1bc6d65149e431d9ae572
Instruction Fuzzy Hash: 9232BB76718BC481EB20AB55E8417DAB365F78ABC0F408122EE9E17B5ADF3CC945C741

Function 0009B480 Relevance: 15.7, Strings: 12, Instructions: 703COMMON

Download Yara Rule

Strings

gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:ClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: hangupkilledSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+1, xrefs: 0009B544
ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32, xrefs: 0009BD8A
MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 0009C065
, xrefs: 0009BA5F
failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 0009C269
gc %: gp *(in n= ) - P MPC= < end > ]:???pc= GTTL\\.\??adxaesshaavxfmanettrueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathquitJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT3125-Inf+Infboolint8uintcha, xrefs: 0009BBEE
non-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - d, xrefs: 0009C258
MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException , xrefs: 0009C025
ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=, xrefs: 0009BFAB
gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foun, xrefs: 0009C27A
@s Pn=][}]> +])idLlLtLuMn"tcpnilEOFcgodnsudpftpssh::1set\\?NUL:\/MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDlt125625NaNintmappt, xrefs: 0009BC0C
., xrefs: 0009BB6A

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $ @s Pn=][}]> +])idLlLtLuMn"tcpnilEOFcgodnsudpftpssh::1set\\?NUL:\/MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDlt125625NaNintmappt$ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException $ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=$.$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - P MPC= < end > ]:???pc= GTTL\\.\??adxaesshaavxfmanettrueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathquitJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT3125-Inf+Infboolint8uintcha$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foun$gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:ClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: hangupkilledSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+1$non-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - d
API String ID: 0-2499080590
Opcode ID: 23bad3db8ada1d69216ff3b9526ca93bdb5bec1ff4771c01ccc511fb10cbf2fd
Instruction ID: b5312706416daaa19a651cdd78f7b48c48ebba352fb07ddf5fc564bad92a4acc
Opcode Fuzzy Hash: 23bad3db8ada1d69216ff3b9526ca93bdb5bec1ff4771c01ccc511fb10cbf2fd
Instruction Fuzzy Hash: F672AB3630ABC085EB21DB25F8953DA73A8F78AB80F448126DA8C17B6ADF3CC555C751

Function 00099B00 Relevance: 14.1, Strings: 11, Instructions: 368COMMON

Download Yara Rule

Strings

, not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failed, xrefs: 0009A150
runtime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpanLocked - invalid span stateattempted to add zero-sized address rangeruntime: block, xrefs: 0009A074
runtime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already , xrefs: 00099F83, 00099FD7, 0009A041
runtime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memory: cannot allocate runtime.preemptM: duplicatehandle failedglobal runq empty wi, xrefs: 0009A15F
runtime.SetFinalizer: first argument is nilruntime.SetFinalizer: finalizer already setgcBgMarkWorker: unexpected gcMarkWorkerModenon in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryru, xrefs: 0009A170
runtime.SetFinalizer: pointer not at beginning of allocated blockunable to query buffer size from InitializeProcThreadAttributeListreflect: reflect.Value.UnsafePointer on an invalid notinheap pointerembedded IPv4 address must replace the final 2 fields of the , xrefs: 0009A08A
because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime., xrefs: 0009A006
runtime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= casfrom_Gscanstatus: gp->status is not in scan state, xrefs: 0009A10B
nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod, xrefs: 0009A12D
runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultuser arena chunk size is not a multiple of the physical page sizeruntime: function marked with #cgo nocallback called back into Goru, xrefs: 0009A11C
, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 0009A065

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.$, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$, not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failed$nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod$runtime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already $runtime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memory: cannot allocate runtime.preemptM: duplicatehandle failedglobal runq empty wi$runtime.SetFinalizer: first argument is nilruntime.SetFinalizer: finalizer already setgcBgMarkWorker: unexpected gcMarkWorkerModenon in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryru$runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultuser arena chunk size is not a multiple of the physical page sizeruntime: function marked with #cgo nocallback called back into Goru$runtime.SetFinalizer: pointer not at beginning of allocated blockunable to query buffer size from InitializeProcThreadAttributeListreflect: reflect.Value.UnsafePointer on an invalid notinheap pointerembedded IPv4 address must replace the final 2 fields of the $runtime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= casfrom_Gscanstatus: gp->status is not in scan state$runtime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpanLocked - invalid span stateattempted to add zero-sized address rangeruntime: block
API String ID: 0-1037468882
Opcode ID: 49876bb94a67bd50a053f18b37489318f79a8a294974ffdc60d6c3f5756132cc
Instruction ID: 998a4feea36b2155dccfbe3aa4e794aec1ba8c7f5ca17efd70ca8bc71872349a
Opcode Fuzzy Hash: 49876bb94a67bd50a053f18b37489318f79a8a294974ffdc60d6c3f5756132cc
Instruction Fuzzy Hash: 3AF1C232305BC085EF609F25E4913EEB7A4F786B80F48862ADA8D177A6DF38C494D751

Function 000D1F20 Relevance: 14.1, Strings: 11, Instructions: 365COMMON

Download Yara Rule

Strings

untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine .WithDeadline(<not Stringer>RCodeNameErrorResourceHeaderOpenSCManagerWModule32FirstWunreachable: RegSetValueExWmime/multipartmissing address/etc/mdns.allowunknown networkGetPr, xrefs: 000D2397
missing stackmapbad symbol tablenon-Go function not in ranges:context canceled.WithValue(type invalid dns nameRCodeFormatErrorunpacking headerDuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "0123456789ABCDEFX0123456789abcdefxreflect.Value.Inte, xrefs: 000D23D9, 000D2559
(targetpc= , plugin: runtime: g : frame.sp=created by .WithCancelClassHESIODauthoritiesadditionalsProcessPrngMoveFileExWNetShareAddNetShareDelgocachehashgocachetesthttp2clienthttp2serverarchive/tartls10servercrypto/x509archive/zipshort buffermultipathtcp127.0, xrefs: 000D22F7, 000D2478
args stack map entries for invalid runtime symbol tableruntime: no module data for traceRegion: alloc too large[originating from goroutine abi.NewName: name too long: mismatched local address typeexec: Wait was already calledoperation already in progressno XE, xrefs: 000D22D0
bad symbol tablenon-Go function not in ranges:context canceled.WithValue(type invalid dns nameRCodeFormatErrorunpacking headerDuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "0123456789ABCDEFX0123456789abcdefxreflect.Value.Intexec: killing Cmd, xrefs: 000D232A, 000D24AA
runtime: frame runtimer: bad ptraceback stuckinvalid pointerImpersonateSelfOpenThreadTokenRegCreateKeyExWRegDeleteValueWjstmpllitinterptarinsecurepathx509usepolicieszipinsecurepathhostLookupOrder=/etc/resolv.conf0123456789abcdefnon-IPv4 addressnon-IPv6 address, xrefs: 000D2374, 000D24E9
) @s Pn=][}]> +])idLlLtLuMn"tcpnilEOFcgodnsudpftpssh::1set\\?NUL:\/MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDlt125625NaNintmap, xrefs: 000D2312, 000D2493
locals stack map entries for abi mismatch detected between runtime: impossible type kind unsafe.Slice: len out of rangereflect: Len of non-array typeGODEBUG: unknown cpu feature "fmt: unknown base; can't happencannot assign requested address.lib section in a., xrefs: 000D2455
runtime: pcdata is bad ABI descriptiondodeltimer: wrong Padjusttimers: bad pzero length segmentRCodeNotImplementedSetTokenInformationMultiByteToWideCharfile already existsfile does not existfile already closedmultipartmaxheadersinvalid write resultinvalid DNS , xrefs: 000D229A, 000D241F
untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:context canceled.WithValue(type invalid dns nameRCodeFormatErrorunpacking headerDuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "0123456789ABCDEFX0123456789abcdefxre, xrefs: 000D250C
and (at defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:ClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.oni, xrefs: 000D22B5, 000D243A

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (targetpc= , plugin: runtime: g : frame.sp=created by .WithCancelClassHESIODauthoritiesadditionalsProcessPrngMoveFileExWNetShareAddNetShareDelgocachehashgocachetesthttp2clienthttp2serverarchive/tartls10servercrypto/x509archive/zipshort buffermultipathtcp127.0$ and (at defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:ClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.oni$ args stack map entries for invalid runtime symbol tableruntime: no module data for traceRegion: alloc too large[originating from goroutine abi.NewName: name too long: mismatched local address typeexec: Wait was already calledoperation already in progressno XE$ locals stack map entries for abi mismatch detected between runtime: impossible type kind unsafe.Slice: len out of rangereflect: Len of non-array typeGODEBUG: unknown cpu feature "fmt: unknown base; can't happencannot assign requested address.lib section in a.$ untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine .WithDeadline(<not Stringer>RCodeNameErrorResourceHeaderOpenSCManagerWModule32FirstWunreachable: RegSetValueExWmime/multipartmissing address/etc/mdns.allowunknown networkGetPr$ untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:context canceled.WithValue(type invalid dns nameRCodeFormatErrorunpacking headerDuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "0123456789ABCDEFX0123456789abcdefxre$) @s Pn=][}]> +])idLlLtLuMn"tcpnilEOFcgodnsudpftpssh::1set\\?NUL:\/MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDlt125625NaNintmap$bad symbol tablenon-Go function not in ranges:context canceled.WithValue(type invalid dns nameRCodeFormatErrorunpacking headerDuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "0123456789ABCDEFX0123456789abcdefxreflect.Value.Intexec: killing Cmd$missing stackmapbad symbol tablenon-Go function not in ranges:context canceled.WithValue(type invalid dns nameRCodeFormatErrorunpacking headerDuplicateTokenExGetCurrentThreadRtlVirtualUnwindGODEBUG: value "0123456789ABCDEFX0123456789abcdefxreflect.Value.Inte$runtime: frame runtimer: bad ptraceback stuckinvalid pointerImpersonateSelfOpenThreadTokenRegCreateKeyExWRegDeleteValueWjstmpllitinterptarinsecurepathx509usepolicieszipinsecurepathhostLookupOrder=/etc/resolv.conf0123456789abcdefnon-IPv4 addressnon-IPv6 address$runtime: pcdata is bad ABI descriptiondodeltimer: wrong Padjusttimers: bad pzero length segmentRCodeNotImplementedSetTokenInformationMultiByteToWideCharfile already existsfile does not existfile already closedmultipartmaxheadersinvalid write resultinvalid DNS
API String ID: 0-3915066741
Opcode ID: 92aec546fd9acb352dc7908ab64c04877c58ddd64a48136678ec2a8e8399e5af
Instruction ID: 204cb916547bc57c817abad1c951beb4b46f01da3e2665d67e62020c58f33f0b
Opcode Fuzzy Hash: 92aec546fd9acb352dc7908ab64c04877c58ddd64a48136678ec2a8e8399e5af
Instruction Fuzzy Hash: 52F18C36308B8096DB64EF25E4903DEB765F789B80F548122EE8D47B66DF38C944CB61

Function 000A6100 Relevance: 13.3, Strings: 10, Instructions: 810COMMON

Download Yara Rule

Strings

sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executionattempte, xrefs: 000A6B06
sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevrunt, xrefs: 000A6C4F
mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 000A6B73, 000A6F45
swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 000A6B17
mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdea, xrefs: 000A6F6A
nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes ClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitinterruptbus errorFindCloseL, xrefs: 000A6BE8
sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine ClassCSNET, xrefs: 000A6B58, 000A6F25
previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime:, xrefs: 000A6C05
mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 000A6F7B
mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 000A6B98

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes ClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitinterruptbus errorFindCloseL$ previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime:$ sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine ClassCSNET$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdea$mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1$sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevrunt$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executionattempte$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-696490638
Opcode ID: 277a93767f9728aa7b32e7236715a18984be0eaac811491dbb0277bfb43c3549
Instruction ID: 49603b954c842122e15e4d159a2538bf766f4e08f009a1cdced7641a8062082b
Opcode Fuzzy Hash: 277a93767f9728aa7b32e7236715a18984be0eaac811491dbb0277bfb43c3549
Instruction Fuzzy Hash: F8829D73608BC086DB61CB61E4503AEB7B5F78AB84F489116EACD13B5ADF39C594CB10

Function 000C0AA0 Relevance: 8.4, Strings: 6, Instructions: 943COMMON

Download Yara Rule

Strings

findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=too many Questions to pack (>65535)file type does not support deadlineaccessing a corrupted shared library44408920985006, xrefs: 000C19DB
global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentstime: Reset called on uninitialized Timer34694469519536141888238489627838134765625strconv: illegal AppendInt/FormatInt basecan't call pointe, xrefs: 000C19CA
findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionkey is not comparableAdjustTokenPrivilegesLookupPrivilegeValueWNetUserG, xrefs: 000C1A0E
findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceReg, xrefs: 000C19EC
@(, xrefs: 000C0C9B
findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r, xrefs: 000C19FD

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @($findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceReg$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=too many Questions to pack (>65535)file type does not support deadlineaccessing a corrupted shared library44408920985006$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionkey is not comparableAdjustTokenPrivilegesLookupPrivilegeValueWNetUserG$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentstime: Reset called on uninitialized Timer34694469519536141888238489627838134765625strconv: illegal AppendInt/FormatInt basecan't call pointe
API String ID: 0-92365905
Opcode ID: 85154040e281edc95f303b408e11d955c7724d6bb53b57bead1843b9925774ce
Instruction ID: b76b3893a5cff6c9c1fa9eb3871912d206396bf9c6574522046405ebfcd2c027
Opcode Fuzzy Hash: 85154040e281edc95f303b408e11d955c7724d6bb53b57bead1843b9925774ce
Instruction Fuzzy Hash: 5692923620AB84C5EB75CB55E4847DEB3A4F786B80F48812ACA8D57B56DF3DC885CB40

Function 000DE1C0 Relevance: 8.0, Strings: 6, Instructions: 451COMMON

Download Yara Rule

Strings

pc=: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=bitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatntohsMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Local1562578125int16int32, xrefs: 000DE852
fp= gp= mp=) m=bitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatntohsMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Local1562578125int16int32int64uint8arrayslice and (at defersweeptestRtestWex, xrefs: 000DE812
...): finobjgc %: gp *(in n= ) - P MPC= < end > ]:???pc= GTTL\\.\??adxaesshaavxfmanettrueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathquitJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT3125-Inf+Infboo, xrefs: 000DE657
non-Go function at pc=skipping Question Nameskipping Question TypeRtlLookupFunctionEntryCreateEnvironmentBlock%SystemRoot%\system32\<invalid reflect.Value>unexpected address typemissing port in addressexec: Stdin already setdevice or resource busyinterrupted s, xrefs: 000DE97B
) @s Pn=][}]> +])idLlLtLuMn"tcpnilEOFcgodnsudpftpssh::1set\\?NUL:\/MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDlt125625NaNintmap, xrefs: 000DE6AD
sp= sp: lr: fp= gp= mp=) m=bitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatntohsMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Local1562578125int16int32int64uint8arrayslice and (at defersweep, xrefs: 000DE832

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: fp= gp= mp=) m=bitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatntohsMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Local1562578125int16int32int64uint8arrayslice and (at defersweeptestRtestWex$ pc=: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=bitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatntohsMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Local1562578125int16int32$ sp= sp: lr: fp= gp= mp=) m=bitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatntohsMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Local1562578125int16int32int64uint8arrayslice and (at defersweep$) @s Pn=][}]> +])idLlLtLuMn"tcpnilEOFcgodnsudpftpssh::1set\\?NUL:\/MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDlt125625NaNintmap$...): finobjgc %: gp *(in n= ) - P MPC= < end > ]:???pc= GTTL\\.\??adxaesshaavxfmanettrueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathquitJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT3125-Inf+Infboo$non-Go function at pc=skipping Question Nameskipping Question TypeRtlLookupFunctionEntryCreateEnvironmentBlock%SystemRoot%\system32\<invalid reflect.Value>unexpected address typemissing port in addressexec: Stdin already setdevice or resource busyinterrupted s
API String ID: 0-3924790059
Opcode ID: ceaa52f3713af1aa0533690551ac8f0f051e6bd0084da031ff4312814880c5b5
Instruction ID: 03491e18603d538c1e26ee5c251e6f0ca4c7da57a904709994910c052b6a8097
Opcode Fuzzy Hash: ceaa52f3713af1aa0533690551ac8f0f051e6bd0084da031ff4312814880c5b5
Instruction Fuzzy Hash: E0224A32209BC086DB70AB25F4943EEB7A0F78AB90F445126EE8D47B5ADF39C544CB11

Function 000A0F00 Relevance: 7.7, Strings: 6, Instructions: 177COMMON

Download Yara Rule

Strings

objgc %: gp *(in n= ) - P MPC= < end > ]:???pc= GTTL\\.\??adxaesshaavxfmanettrueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathquitJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT3125-Inf+Infboolint8uint, xrefs: 000A1156
runtime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflo, xrefs: 000A10C7
) @s Pn=][}]> +])idLlLtLuMn"tcpnilEOFcgodnsudpftpssh::1set\\?NUL:\/MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDlt125625NaNintmap, xrefs: 000A1125
greyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has, xrefs: 000A118F
marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp.parampanic during , xrefs: 000A117E
base of <==GOGC] = pc=: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=bitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatntohsMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Local, xrefs: 000A113B

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ) @s Pn=][}]> +])idLlLtLuMn"tcpnilEOFcgodnsudpftpssh::1set\\?NUL:\/MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDlt125625NaNintmap$base of <==GOGC] = pc=: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=bitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatntohsMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Local$greyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has$marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp.parampanic during $objgc %: gp *(in n= ) - P MPC= < end > ]:???pc= GTTL\\.\??adxaesshaavxfmanettrueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathquitJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT3125-Inf+Infboolint8uint$runtime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflo
API String ID: 0-3635432498
Opcode ID: 7f57dd81400a5619f69b985d39baee82d7a0c39c28040f797dddd94d2b8d2434
Instruction ID: f77d40386ab29668749159ef888f669e6141342b891fbc2f2020f519b00fa09d
Opcode Fuzzy Hash: 7f57dd81400a5619f69b985d39baee82d7a0c39c28040f797dddd94d2b8d2434
Instruction Fuzzy Hash: 5161EAB2708B8086DB109F51E4407EDBBA9F74ABC0F885126EF8D07B66CB78C5A4C741

Function 000B97C0 Relevance: 6.5, Strings: 5, Instructions: 298COMMON

Download Yara Rule

Strings

suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function time: Stop called on uninitialized Timeraddress family not supported by protocol138777878078144567552953, xrefs: 000B9CEA
runtime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.semawakeupcontext.BackgroundRCodeServerFailureQueryServiceStatusGetCompu, xrefs: 000B9BFA
invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:context canceled.WithValue(type invalid dns nameRCodeFormatErrorunpacking headerDuplicateTokenExGetC, xrefs: 000B9CD9
, goid= s=nil (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type nil keyanswers\\.\UNCavx512f#internos/execruntimeGoString[::1]:53continue_gatewayshutdownadd, xrefs: 000B9C15, 000B9C97
, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp, xrefs: 000B9C30

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: , goid= s=nil (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type nil keyanswers\\.\UNCavx512f#internos/execruntimeGoString[::1]:53continue_gatewayshutdownadd$, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:context canceled.WithValue(type invalid dns nameRCodeFormatErrorunpacking headerDuplicateTokenExGetC$runtime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.semawakeupcontext.BackgroundRCodeServerFailureQueryServiceStatusGetCompu$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function time: Stop called on uninitialized Timeraddress family not supported by protocol138777878078144567552953
API String ID: 0-1902727314
Opcode ID: a6d4fd5efe39392ec96a545131735e2dcd6b18581cbd0a2218f3606f7c1646a0
Instruction ID: 830bff1648cdfa1dc7504f6d1cc5b0be289e8d0f5f788155a2b9ad146af91359
Opcode Fuzzy Hash: a6d4fd5efe39392ec96a545131735e2dcd6b18581cbd0a2218f3606f7c1646a0
Instruction Fuzzy Hash: 65D16076208B8086D714CB26E0817EEBBA1F38ABD0F044166EF9D17B6ACF79C441CB51

Function 0008C0A0 Relevance: 6.3, Strings: 5, Instructions: 80COMMON

Download Yara Rule

Strings

runtime: lfstack.push invalid packing: node=out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark p, xrefs: 0008C125
lfstack.push span.limit= span.state=bad flushGen MB stacks, worker mode nDataRoots= nSpanRoots= wbuf1=<nil> wbuf2=<nil> gcscandone runtime: gp= found at *( s.elemsize= B (goal , cons/mark maxTrigger= pages/byte s.sweepgen= allocCount end tracegcProces, xrefs: 0008C1AF
-> node= ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)tracebac, xrefs: 0008C185
cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:ClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: hangupkilledSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12, xrefs: 0008C145
packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes ClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1files,dnsdns,filesipv6-icmp_outboundlocalhostconnect, xrefs: 0008C165

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: -> node= ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)tracebac$ cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:ClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: hangupkilledSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12$ packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes ClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1files,dnsdns,filesipv6-icmp_outboundlocalhostconnect$lfstack.push span.limit= span.state=bad flushGen MB stacks, worker mode nDataRoots= nSpanRoots= wbuf1=<nil> wbuf2=<nil> gcscandone runtime: gp= found at *( s.elemsize= B (goal , cons/mark maxTrigger= pages/byte s.sweepgen= allocCount end tracegcProces$runtime: lfstack.push invalid packing: node=out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark p
API String ID: 0-2867761353
Opcode ID: 4e228f0a588964a4f513f7419f90982d66a043feb808198e276d984b018b3535
Instruction ID: 035f5bb06171fb667fdffcedf022adafdb5eb70812483bfbb211923bf7a7e56c
Opcode Fuzzy Hash: 4e228f0a588964a4f513f7419f90982d66a043feb808198e276d984b018b3535
Instruction Fuzzy Hash: 2E212B32319B44D6DA10AF11F8913EEAB68F78EB80F489921EA9D07B27DF38C551C751

Function 0009A8A0 Relevance: 5.3, Strings: 4, Instructions: 334COMMON

Download Yara Rule

Strings

!= sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase, xrefs: 0009AE11
flushGen MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nan, xrefs: 0009ADF6
p mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not foundpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeup, xrefs: 0009AE38
runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64, xrefs: 0009ADDB

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase$ flushGen MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nan$p mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not foundpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeup$runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64
API String ID: 0-3407218033
Opcode ID: 4ec4b46ef33f8ecdc021da7c782f45736ae218d40abeaa34b66c373d56146229
Instruction ID: 0f265c73c8dc32cc84d02b35c54801d18b120adb189f26581a46e45879b84a2c
Opcode Fuzzy Hash: 4ec4b46ef33f8ecdc021da7c782f45736ae218d40abeaa34b66c373d56146229
Instruction Fuzzy Hash: 87E1D236309B80C6DB10DF25E48139EB7A5F786B90F458226EA9D43BA6DF3CC495CB41

Function 00083C00 Relevance: 5.3, Strings: 4, Instructions: 294COMMON

Download Yara Rule

Strings

nd 3, xrefs: 00083C17
te k, xrefs: 00083C35
2-by, xrefs: 00083C26
expa, xrefs: 00083C08

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 2-by$expa$nd 3$te k
API String ID: 0-3581043453
Opcode ID: d0a0678b136faf6cdae2b5bb443573c909990b14ac4f0b67f8b4f134291ae36c
Instruction ID: 49cbdb18ce186c43620f287ef4a905ebfac6c969d790b8b31a0c9b63292b6e76
Opcode Fuzzy Hash: d0a0678b136faf6cdae2b5bb443573c909990b14ac4f0b67f8b4f134291ae36c
Instruction Fuzzy Hash: 2BB1B066F25FD94AF323A63810036B7EB185FFB9C9A40E327FC9474A87D72095036254

Function 000BD3A0 Relevance: 5.3, Strings: 4, Instructions: 266COMMON

Download Yara Rule

Strings

casgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: split stack overflow: ...additional frames elided...unsafe.String: len out of rangego package net: hostLookupOrder(resource temporarily unavailablesoftware c, xrefs: 000BD7AF
casgstatus: waiting for Gwaiting but is Grunnablego package net: dynamic selection of DNS resolverruntime: unable to acquire - semaphore out of syncmallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to , xrefs: 000BD71B
newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes ClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitinterruptbus errorFindCloseLocalFreeMoveFileWWriteFi, xrefs: 000BD785
runtime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid , xrefs: 000BD767

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes ClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitinterruptbus errorFindCloseLocalFreeMoveFileWWriteFi$casgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: split stack overflow: ...additional frames elided...unsafe.String: len out of rangego package net: hostLookupOrder(resource temporarily unavailablesoftware c$casgstatus: waiting for Gwaiting but is Grunnablego package net: dynamic selection of DNS resolverruntime: unable to acquire - semaphore out of syncmallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to $runtime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid
API String ID: 0-3908657165
Opcode ID: ce0e42c8f8122ffc6fac854552b51c2d4013a6ac7e7d33906cffb8204b016d52
Instruction ID: 04551287db177eb39804273fffa2e65feb7206865f9ed8493afb447904d1efee
Opcode Fuzzy Hash: ce0e42c8f8122ffc6fac854552b51c2d4013a6ac7e7d33906cffb8204b016d52
Instruction Fuzzy Hash: 9BB18136705A84C6D714CB25E4953AEBB61F34AB84F188223DE9C57B66EF39D492CB00

Function 000BA000 Relevance: 5.2, Strings: 4, Instructions: 220COMMON

Download Yara Rule

Strings

bad restart PC-thread limitstopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine .WithDeadline(<not Str, xrefs: 000BA2B3
runtime., xrefs: 000BA192
reflect., xrefs: 000BA1EC
runtime/internal/thread exhaustionlocked m0 woke upentersyscallblock spinningthreads=gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff RegLoadMUIStringWmultipartmaxpartsreflect.Value.Uintserver misbehaving/Dr, xrefs: 000BA1C5

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: bad restart PC-thread limitstopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine .WithDeadline(<not Str$reflect.$runtime.$runtime/internal/thread exhaustionlocked m0 woke upentersyscallblock spinningthreads=gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff RegLoadMUIStringWmultipartmaxpartsreflect.Value.Uintserver misbehaving/Dr
API String ID: 0-3734416240
Opcode ID: 9eaaab83300626b96d08431020a4032f209c8640780e713d5c6bb19c8548273e
Instruction ID: 1370293828e5bb4c3570a65f6174f8efb7ab42edd9a684f38e76ec51fabdf2b8
Opcode Fuzzy Hash: 9eaaab83300626b96d08431020a4032f209c8640780e713d5c6bb19c8548273e
Instruction Fuzzy Hash: 4F71DE32B04A408ADBA4CF28E4803EA77A1F78AB94F488535EF9D57B55DB39D891C701

Function 000BDD00 Relevance: 4.0, Strings: 3, Instructions: 245COMMON

Download Yara Rule

Strings

stopTheWorld: not stopped (stopwait != 0)Failed to connect, retrying in 10 seconds:173472347597680709441192448139190673828125867361737988403547205962240695953369140625MapIter.Value called on exhausted iteratorpersistentalloc: align is not a power of 2out of me, xrefs: 000BE020
stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executioncompileCallback: float arguments not supportedruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base poin, xrefs: 000BE09B
stopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len ou, xrefs: 000BE0E5

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: stopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len ou$stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executioncompileCallback: float arguments not supportedruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base poin$stopTheWorld: not stopped (stopwait != 0)Failed to connect, retrying in 10 seconds:173472347597680709441192448139190673828125867361737988403547205962240695953369140625MapIter.Value called on exhausted iteratorpersistentalloc: align is not a power of 2out of me
API String ID: 0-2843949824
Opcode ID: c4ccde6fd60597dec569ec8ebff7d0fb791cdef186e2fa61b576593d72eb97eb
Instruction ID: 69a8aace181668c2bb0784b62efd77dd3d522cc6c7543f8376b88af47fe30ce7
Opcode Fuzzy Hash: c4ccde6fd60597dec569ec8ebff7d0fb791cdef186e2fa61b576593d72eb97eb
Instruction Fuzzy Hash: C2A1D03620AB80C6DB65DF21E4543EAB7B5F38AB80F448126DA9D47766DF7DC485CB00

Function 000A18C0 Relevance: 3.9, Strings: 3, Instructions: 179COMMON

Download Yara Rule

Strings

pacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not foundpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStub, xrefs: 000A1AC6
MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from name too longGetTempPath2W, xrefs: 000A1B45
(scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type nil keyanswers\\.\UNCavx512f#internos/execruntimeGoString[::1]:53continue_gatewayshutdownaddress readfromw, xrefs: 000A1AE5

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type nil keyanswers\\.\UNCavx512f#internos/execruntimeGoString[::1]:53continue_gatewayshutdownaddress readfromw$ MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from name too longGetTempPath2W$pacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not foundpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStub
API String ID: 0-218468025
Opcode ID: 84f0e0909286ec2c1ad9946f0831750b2676cbd54d150b413c032ac39ec172a6
Instruction ID: 7bc4d4617c22907c8d760c3a97f960163e71f988490a9e854e75042f57e0d201
Opcode Fuzzy Hash: 84f0e0909286ec2c1ad9946f0831750b2676cbd54d150b413c032ac39ec172a6
Instruction Fuzzy Hash: 6E71C432609F9489D611EF65E4403DAB7A4FB9BBC0F448326EA8E27726CF38C491C751

Function 000CB4C0 Relevance: 3.6, Strings: 2, Instructions: 1095COMMON

Download Yara Rule

Strings

gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff RegLoadMUIStringWmultipartmaxpartsreflect.Value.Uintserver misbehaving/Drivers/etc/hosts/etc/nsswitch.confinvalid criteria: GetExitCodeProcesssegmentation fau, xrefs: 000CC145
selectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStubdodeltimer0: wrong Ptrace: out of memorywirep: already in goGetAdaptersAddressesGetProcessMemoryInfobcryptprimitives.dllhttplaxcontentlengthx509usefallbackrootsreflect.Value.Complexlocalhost.localdoma, xrefs: 000CC11B

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff RegLoadMUIStringWmultipartmaxpartsreflect.Value.Uintserver misbehaving/Drivers/etc/hosts/etc/nsswitch.confinvalid criteria: GetExitCodeProcesssegmentation fau$selectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStubdodeltimer0: wrong Ptrace: out of memorywirep: already in goGetAdaptersAddressesGetProcessMemoryInfobcryptprimitives.dllhttplaxcontentlengthx509usefallbackrootsreflect.Value.Complexlocalhost.localdoma
API String ID: 0-3742976696
Opcode ID: ae9d8f7971eb2a52591606be0193b92b4b0d1420a6726b595a574a9e3818d750
Instruction ID: 3cbf036e8c02ab1f72e00f78ba9d299ed2d89d8623b2fe951b53496af597b603
Opcode Fuzzy Hash: ae9d8f7971eb2a52591606be0193b92b4b0d1420a6726b595a574a9e3818d750
Instruction Fuzzy Hash: DAB28932208B90C2D760CF12E845B9E77A8F389BD4F56922AEE9D47759CF78C894C701

Function 000B32A0 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

runtime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime:, xrefs: 000B3445
runtime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=too many Questions to pack (>65535)file type does not support deadlineaccessing a cor, xrefs: 000B34B5

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: runtime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=too many Questions to pack (>65535)file type does not support deadlineaccessing a cor$runtime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime:
API String ID: 0-3710291014
Opcode ID: c3874d1af17edd436e19f864c1ea5c86ed87217a4c13a96cbd030434ce4feef9
Instruction ID: 161ac6784209a784d5a36a504aefccfd1aba65ab8d6805ef9075e6feb774b1e1
Opcode Fuzzy Hash: c3874d1af17edd436e19f864c1ea5c86ed87217a4c13a96cbd030434ce4feef9
Instruction Fuzzy Hash: 4651C23220978086DB65CF25E0503BFBBE0F786F90F688669EA9E43755CF38D6448B50

Function 000CEC00 Relevance: 1.7, Strings: 1, Instructions: 441COMMON

Download Yara Rule

Strings

!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 000CED0D, 000CEE16, 000CEF57, 000CF07F

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
API String ID: 0-2911004680
Opcode ID: 4be74bb2a3af82dd6e751f104b3d654bd5791f494ba1521ae9a45193b2344d83
Instruction ID: 3e95607bcdaea98c4c9d84a129c5300cb6513df18247b30680bc7e9eaca02594
Opcode Fuzzy Hash: 4be74bb2a3af82dd6e751f104b3d654bd5791f494ba1521ae9a45193b2344d83
Instruction Fuzzy Hash: 6FF11132719AC186DB10DB25E805BBEAB66F745BD0F99403AEE5E03795CF78C845C306

Function 000AF7A0 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 000AFB45

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
API String ID: 0-429552053
Opcode ID: e0f4cb79ac64f3c4ab3180c89e960b512914cd2e1a70145847cbae2897cc7e3f
Instruction ID: cc5eff81fc4d2fe5d110936c11cfb01e3bb3fa189648e5b8f8875c3c8c0f1758
Opcode Fuzzy Hash: e0f4cb79ac64f3c4ab3180c89e960b512914cd2e1a70145847cbae2897cc7e3f
Instruction Fuzzy Hash: 8BA16B76719B85C2CA60CF92E45066EA7B5F39ABC0F485122EF8D57B29CF38C591CB40

Function 000955E0 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

bulkBarrierPreWrite: unaligned argumentsrefill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs, xrefs: 00095987

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: bulkBarrierPreWrite: unaligned argumentsrefill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs
API String ID: 0-866072839
Opcode ID: 5e63c635f6a1cbcdf421f33817da09c46ef9748f3fe9f9161f56e776133da53b
Instruction ID: 029acc1321f0d99bc11912a49893f1fba40732d0babce3450b3ecc776d8f7c7c
Opcode Fuzzy Hash: 5e63c635f6a1cbcdf421f33817da09c46ef9748f3fe9f9161f56e776133da53b
Instruction Fuzzy Hash: 7791ADB661AE84C2DF518B57E84039EA7A5F349FD0F988126EE8D57B18DF38C491D700

Function 000AE980 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 000AEC47

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
API String ID: 0-2099802129
Opcode ID: 68d0c870a4bee6b7d388721aed2e0dbb5c68d192d77f8d343b611ca257bf0eac
Instruction ID: bc1987bea98fd57d8dc6e6b348fa87ee82150248e876f12d887cca1d6ad255ce
Opcode Fuzzy Hash: 68d0c870a4bee6b7d388721aed2e0dbb5c68d192d77f8d343b611ca257bf0eac
Instruction Fuzzy Hash: B961CEB3710BC882DB009B56E08039A7766F78ABE0F459226EF9D1779ACF78D585C740

Function 0009AF60 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:ClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: hangupkilledSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+1, xrefs: 0009B134

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:ClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: hangupkilledSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+1
API String ID: 0-2253090878
Opcode ID: 2c89acb7df54badbe7f7b030f8e87ec9266f44cee2020a570bbdea4abff077a5
Instruction ID: 9bba29fa9df08e224a2ac6f62dc0765a88fcdaffa7008be3740f9cbb6102ead3
Opcode Fuzzy Hash: 2c89acb7df54badbe7f7b030f8e87ec9266f44cee2020a570bbdea4abff077a5
Instruction Fuzzy Hash: CC81E336209B80C6EB01CF61F49539E77A8F789B94F418236EA9D437A6DF39C155C700

Function 000F5680 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 000F57BB

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
API String ID: 0-2272463933
Opcode ID: 962a67eee0b602eecad488230f7cdf56b7a62fa40f41457f2d3c1dbc1268bfc9
Instruction ID: 357e0d43a980dafd3fe6cf3aaca5431bb726836e5ad7141c4c6b9296910ba9a8
Opcode Fuzzy Hash: 962a67eee0b602eecad488230f7cdf56b7a62fa40f41457f2d3c1dbc1268bfc9
Instruction Fuzzy Hash: 90413A3274CF9CC2CB28E619AC1177C6652E384BD2F994159DF1B57F81CA28DC46E780

Function 000A1640 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not , xrefs: 000A1730

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not
API String ID: 0-3110597650
Opcode ID: f34b7c70077d611d1e48c8ee1f42409d142bbc89a37c08a1d2619ce3a0175e15
Instruction ID: e913b49123c6b366063ac6c7018519974e8dafc0ef51ccfdb7a87d7cabec42c7
Opcode Fuzzy Hash: f34b7c70077d611d1e48c8ee1f42409d142bbc89a37c08a1d2619ce3a0175e15
Instruction Fuzzy Hash: AE21CFF3B16A8447EB058F19D4803E86722E35AFD8F4AA076CF4957756CA68C596C300

Function 000F4E60 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36367d039bf5b8a94d582237131b1f6b1468226631fb77cea5539d91509fccf5
Instruction ID: df44b47eda7dc4b8e9129f26bb619860cb00877811044f01edf58a6b14807baf
Opcode Fuzzy Hash: 36367d039bf5b8a94d582237131b1f6b1468226631fb77cea5539d91509fccf5
Instruction Fuzzy Hash: 47C1C533B08A9882CA64CB56E8017BAA7A0F395FC5F484111EF8E87F19CA79C945D740

Function 000E4F00 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4823dba6b010bcf96dd7e5006e1311c9d58c3e7ee25c48879726f5f0c97ef7e
Instruction ID: 2bb52d135e604b8191c231bec997b2138e86a8cf84dd245bea4a6d4d161c55c9
Opcode Fuzzy Hash: a4823dba6b010bcf96dd7e5006e1311c9d58c3e7ee25c48879726f5f0c97ef7e
Instruction Fuzzy Hash: FCF1AF32209FC489DBA4CB16E8403AEB7A5F385B89F598436DE8D53B69DF78C484C700

Function 0009EC80 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d735b3a9fada370ea0a80ab9c0847dd8a0e8d3555b6e09cc7efd0ccf2a79ff9b
Instruction ID: b752aa73da60571584871e90e9d94aecd6e2dceae8d32e92124def5cd94adccc
Opcode Fuzzy Hash: d735b3a9fada370ea0a80ab9c0847dd8a0e8d3555b6e09cc7efd0ccf2a79ff9b
Instruction Fuzzy Hash: CCB1D17230ABC086DF55CB25E0643BAB7A5F386B94F188236EA9D53795DF39D881C700

Function 000C1C60 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e320233f45a64736a7ebc42c47296d4ed0310813035a12d3647b7ff81ddfdc8
Instruction ID: 28390c9365d93f2ade1acb0aa66073737377bff57f037700da4e63600c8feb59
Opcode Fuzzy Hash: 5e320233f45a64736a7ebc42c47296d4ed0310813035a12d3647b7ff81ddfdc8
Instruction Fuzzy Hash: AD91EC7671969086C764CB26A450FAEB7A1F78ABC0F589029FF8D47F16CB38C851CB40

Function 000E7549 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dddf41139b8b9964a7bb6e9c573705330120f840811474652f327d8baf031897
Instruction ID: 9938c96b11757fffc49caaf97794b02ccbf120e45f6885c7b4be04b76627c50d
Opcode Fuzzy Hash: dddf41139b8b9964a7bb6e9c573705330120f840811474652f327d8baf031897
Instruction Fuzzy Hash: B6B12C16D1CFCA20E61357789403B762A146FF36C4F01D73ABAC6F16A3E7566A00B922

Function 000AC120 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a7ab688ef2f1014f4f70562c6fed2f09b7a25cb09ce9ae44d3d7ce429aa117
Instruction ID: 528f1c17b5f3693c8404a8db610f101c52f81642f6d5cd1dbe3a35c7fd1a3283
Opcode Fuzzy Hash: e9a7ab688ef2f1014f4f70562c6fed2f09b7a25cb09ce9ae44d3d7ce429aa117
Instruction Fuzzy Hash: 16A13A77618B8482DB10CB55F08029AB7A1F78ABD4F555226EFAD53B9ACF78D051CB00

Function 000AD5A0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e651639c8da07ec92557ddb63b80b8fa8ab8863476a5a1e85344663284c391fd
Instruction ID: bf1288fcb9b39bd1238d52b869a90687bb4e270b848d6c8e71e15b8b7ad94cc4
Opcode Fuzzy Hash: e651639c8da07ec92557ddb63b80b8fa8ab8863476a5a1e85344663284c391fd
Instruction Fuzzy Hash: 8481A077B18B8482DB508B56E4803AEB762F78ABC0F055126EF9E17B5ACF78D095C740

Function 0008A260 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd5eaef1891a3166696db807e1a908e064ae6d0dde7898a1d2038b51461edb01
Instruction ID: a1015475347fa6c1d64e3f9add1a8f0af377e7d554ab2e444a7fa8e283799527
Opcode Fuzzy Hash: dd5eaef1891a3166696db807e1a908e064ae6d0dde7898a1d2038b51461edb01
Instruction Fuzzy Hash: 7241F5A6701A9881AE148F6796241AEA361F74BFD0398F233DE2D77F68C63CD5429344

Function 000D3400 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c2b2928033d2529241f6be9ba439d8e99271e984d07d3f782014a7ad47b1d98
Instruction ID: ad3327ddecff926987d6aa3296611cd72bb136aa0b07ad437d2c8aa8870060f8
Opcode Fuzzy Hash: 3c2b2928033d2529241f6be9ba439d8e99271e984d07d3f782014a7ad47b1d98
Instruction Fuzzy Hash: CE41E722BC1B448ACB519F34A4413BA62C69780734FCC8676DF2D473CAE66CD7D59632

Function 000A7540 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d73faa1be92c811b4a140fafccfbbcb1386a42d82bf140f92a40d0dfdbf1567c
Instruction ID: 5d56bfc3321c22c4cfafa07ad7f9fb7ac3696d52624c55a049dd077bc388f308
Opcode Fuzzy Hash: d73faa1be92c811b4a140fafccfbbcb1386a42d82bf140f92a40d0dfdbf1567c
Instruction Fuzzy Hash: AF51D67271DF8085DA15CB75E84435AB3A1F78BBE0F28C726EA5D27B95EB78C0818700

Function 000A31A0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc9605a9e47c2b3a22a8b2bf486ec8071dcd474258c9aebab711ad1ddd26a79
Instruction ID: bb703cc0e32f896d43acea3ff84a7e329382b36abd1b7bb263f5949117433e26
Opcode Fuzzy Hash: fdc9605a9e47c2b3a22a8b2bf486ec8071dcd474258c9aebab711ad1ddd26a79
Instruction Fuzzy Hash: 76313BB2B0BE448ADD47DBBA5471325920E6F93BE4F54C7226C3B761E9EB1D82528300

Function 000B0520 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d559122a1f6f0b69832be9421c7c214fb777efde5fa0d191de61b1ee1601c01b
Instruction ID: 0acb7f2fae7899b6eba025b9291f23af7a65846b9befec839c8e20c957e628fc
Opcode Fuzzy Hash: d559122a1f6f0b69832be9421c7c214fb777efde5fa0d191de61b1ee1601c01b
Instruction Fuzzy Hash: A831F7B6711B8446DF98CB225A247CA639BF798BC0F0AD1759F0C93718EB38E5A1C340

Function 0008E720 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278db59523a6b7a46389b36101403447da7d08f010916bc1b870765c92c3ec42
Instruction ID: 4dfb958ab2b654241b29da40f8b21815837346b48753fe8d57cb2d210e5ff177
Opcode Fuzzy Hash: 278db59523a6b7a46389b36101403447da7d08f010916bc1b870765c92c3ec42
Instruction Fuzzy Hash: 1E1100F1E36F444AEA47D73A9551351810B5FD6BD0F28D322BD1FB6796EB2590D38200

Function 000EA2A0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2529213304.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2529149421.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529489705.0000000000166000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529771324.0000000000271000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529820355.0000000000273000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529891200.0000000000279000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2529942564.000000000027E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.000000000029E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530008344.0000000000306000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000030A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530217139.000000000034F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530431401.00000000003ED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2530466102.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f6c5f5c41e7fd14ef66086bec5c8d2dce69e90909111207d9ec1b253c8fb8b
Instruction ID: 0a6bffef69d6e6b249fccb5df2d2474ad460bbdccc7e87965df918fa09a96b5d
Opcode Fuzzy Hash: a7f6c5f5c41e7fd14ef66086bec5c8d2dce69e90909111207d9ec1b253c8fb8b
Instruction Fuzzy Hash: D1C08CA4A07AC51DFB20830961013583AC58B0A380D808088D348202289A2EA6944114

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.FileRepMalware.16004.4080.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.FileRepMalware.16004.4080.exePID: 5508, Parent PID: 4056

General

Chronological Activities

Analysis Process: cmd.exePID: 6768, Parent PID: 5508

Windows Analysis Report
SecuriteInfo.com.FileRepMalware.16004.4080.exe

Function 0008CFC0 Relevance: 12.9, Strings: 10, Instructions: 384
COMMON

Function 00082000 Relevance: 9.2, Strings: 7, Instructions: 474
COMMON