Edit tour

Windows Analysis Report
p.exe

Overview

General Information

Sample name:	p.exe
Analysis ID:	1586756
MD5:	194e3ca62e9ba481112e59310a00b54b
SHA1:	b847e924e9e0ead4777ee503348e802dd542dccb
SHA256:	03423f8fdb61fd95846125db52094515cb5eb4553be9c14f04e5e25ca9a12ec2
Tags:	exeuser-Sir_XX
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Contain functionality to detect virtual machines

Machine Learning detection for sample

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

PE file contains sections with non-standard names

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

p.exe (PID: 7632 cmdline: "C:\Users\user\Desktop\p.exe" MD5: 194E3CA62E9BA481112E59310A00B54B)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: p.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.1% probability

Machine Learning detection for sample

Source: p.exe

Joe Sandbox ML: detected

Source: p.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: C:\Users\user\Desktop\p.exe	Code function: 4x nop then mov edx, dword ptr [esp+64h]		0_2_004E7370
Source: C:\Users\user\Desktop\p.exe	Code function: 4x nop then mov edx, dword ptr [esp+64h]		0_2_004E78B0

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 87.121.86.2:9090

Source: global traffic

TCP traffic: 192.168.2.4:53260 -> 162.159.36.2:53

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.86.2

Source: C:\Users\user\Desktop\p.exe

Code function: 0_2_004512A0 WSARecv,

0_2_004512A0

Source: global traffic	HTTP traffic detected: GET /csv/?fields=country HTTP/1.1Host: ip-api.comUser-Agent: FYCQrUakUBwkJEwHkxAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /csv/?fields=query HTTP/1.1Host: ip-api.comUser-Agent: FYCQrUakUBwkJEwHkxAccept-Encoding: gzip

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: p.exe, 00000000.00000002.2905012640.0000000011404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/csv/?fields=country
Source: p.exe, 00000000.00000002.2905012640.0000000011404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/csv/?fields=countryhttps://87.121.86.2:9090/register%D1.Qd%0A%1En%B4B%0FvN%F0%28S%
Source: p.exe, 00000000.00000002.2905012640.00000000114BA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/csv/?fields=query
Source: p.exe, 00000000.00000002.2905012640.00000000114D2000.00000004.00001000.00020000.00000000.sdmp, p.exe, 00000000.00000002.2905012640.0000000011404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://87.121.86.2:9090/getcmd
Source: p.exe, 00000000.00000002.2905012640.00000000114D2000.00000004.00001000.00020000.00000000.sdmp, p.exe, 00000000.00000002.2905012640.0000000011404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://87.121.86.2:9090/getcmdarch=386&country=
Source: p.exe, 00000000.00000002.2905012640.0000000011404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://87.121.86.2:9090/register
Source: p.exe	String found in binary or memory: https://87.121.86.2:9090idna:

Source: C:\Users\user\Desktop\p.exe

Code function: 0_2_00451620 NtWaitForSingleObject,

0_2_00451620

Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004761E0	0_2_004761E0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004C81E0	0_2_004C81E0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004741F0	0_2_004741F0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0052C260	0_2_0052C260
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004EA270	0_2_004EA270
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0046C2E0	0_2_0046C2E0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004E62A0	0_2_004E62A0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0040C310	0_2_0040C310
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004503D0	0_2_004503D0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0052E390	0_2_0052E390
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0052C4C0	0_2_0052C4C0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004A8550	0_2_004A8550
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00412520	0_2_00412520
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_005285E0	0_2_005285E0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00514620	0_2_00514620
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_005306E0	0_2_005306E0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0043E770	0_2_0043E770
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004FC700	0_2_004FC700
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0053A7D0	0_2_0053A7D0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004A47A0	0_2_004A47A0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004FE7B0	0_2_004FE7B0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00504860	0_2_00504860
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0041C800	0_2_0041C800
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00522810	0_2_00522810
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0052C8C0	0_2_0052C8C0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004E6960	0_2_004E6960
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004F6970	0_2_004F6970
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004AC930	0_2_004AC930
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_005029A0	0_2_005029A0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004589B0	0_2_004589B0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00508A50	0_2_00508A50
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0052CA00	0_2_0052CA00
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004BAA30	0_2_004BAA30
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004E6AE0	0_2_004E6AE0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00488AF0	0_2_00488AF0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00528B10	0_2_00528B10
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0041CBA0	0_2_0041CBA0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0052CC10	0_2_0052CC10
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00506C20	0_2_00506C20
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0048CC30	0_2_0048CC30
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00534D70	0_2_00534D70
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00410D00	0_2_00410D00
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004AEDE0	0_2_004AEDE0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00406E00	0_2_00406E00
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004DCEB0	0_2_004DCEB0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004EEF40	0_2_004EEF40
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0052EF40	0_2_0052EF40
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0051AFF0	0_2_0051AFF0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004A8FF0	0_2_004A8FF0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004FF250	0_2_004FF250
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0052F2D0	0_2_0052F2D0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004FD2F0	0_2_004FD2F0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0052D280	0_2_0052D280
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004ED350	0_2_004ED350
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004E7370	0_2_004E7370
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004E53C0	0_2_004E53C0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0052B420	0_2_0052B420
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0052D5C0	0_2_0052D5C0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004B55B0	0_2_004B55B0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004BB610	0_2_004BB610
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_005316B0	0_2_005316B0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004FF760	0_2_004FF760
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00445850	0_2_00445850
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004118D0	0_2_004118D0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004198E0	0_2_004198E0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00505890	0_2_00505890
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0053B880	0_2_0053B880
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004E78B0	0_2_004E78B0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0046F9C0	0_2_0046F9C0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004E1A40	0_2_004E1A40
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00535A00	0_2_00535A00
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004A9AD0	0_2_004A9AD0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004CFAD0	0_2_004CFAD0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00489BA0	0_2_00489BA0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004A7C50	0_2_004A7C50
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004EDC30	0_2_004EDC30
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00541DD0	0_2_00541DD0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00491DC0	0_2_00491DC0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0043BDE0	0_2_0043BDE0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004E7DF0	0_2_004E7DF0
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00513E40	0_2_00513E40
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004A3E70	0_2_004A3E70
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_0041DE20	0_2_0041DE20
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00513F10	0_2_00513F10
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_00505F92	0_2_00505F92
Source: C:\Users\user\Desktop\p.exe	Code function: 0_2_004F3FB0	0_2_004F3FB0

Source: C:\Users\user\Desktop\p.exe	Code function: String function: 0042C1F0 appears 451 times
Source: C:\Users\user\Desktop\p.exe	Code function: String function: 0040F420 appears 211 times
Source: C:\Users\user\Desktop\p.exe	Code function: String function: 00450760 appears 207 times
Source: C:\Users\user\Desktop\p.exe	Code function: String function: 0043F080 appears 32 times
Source: C:\Users\user\Desktop\p.exe	Code function: String function: 00459CD0 appears 74 times
Source: C:\Users\user\Desktop\p.exe	Code function: String function: 00407E00 appears 54 times
Source: C:\Users\user\Desktop\p.exe	Code function: String function: 0042A9F0 appears 407 times
Source: C:\Users\user\Desktop\p.exe	Code function: String function: 0045E6E0 appears 175 times

Source: p.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal60.evad.winEXE@1/0@2/2

Source: p.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\p.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: p.exe

ReversingLabs: Detection: 18%

Source: C:\Users\user\Desktop\p.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\p.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\p.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\p.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\p.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\p.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\p.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\p.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\p.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\p.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\p.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\p.exe	Section loaded: rsaenh.dll	Jump to behavior

Source: p.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: p.exe

Static file information: File size 4521472 > 1048576

Source: p.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1f9400
Source: p.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x21da00

Source: p.exe

Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\p.exe

Code function: 0_2_00415BC0 pushfd ; ret

0_2_00415BC1

Source: C:\Users\user\Desktop\p.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\p.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\p.exe	Code function: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64	0_2_0049A0D0
Source: C:\Users\user\Desktop\p.exe	Code function: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64	0_2_004CE0E0
Source: C:\Users\user\Desktop\p.exe	Code function: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64	0_2_0049A260
Source: C:\Users\user\Desktop\p.exe	Code function: LocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13 LocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13 LocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13 LocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13 LocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13 LocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13	0_2_00478390
Source: C:\Users\user\Desktop\p.exe	Code function: , fp:-0930.html.jpeg.wasm.webp1562578125:*@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloat , fp:-0930.html.jpeg.wasm.webp1562578125:@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloat , fp:-0930.html.jpeg.wasm.webp1562578125:**@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloat	0_2_004485E0
Source: C:\Users\user\Desktop\p.exe	Code function: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64	0_2_0049E780
Source: C:\Users\user\Desktop\p.exe	Code function: TypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value addr= base code= ctxt: curg= etRx j TypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value addr= base code= ctxt: curg= etRx j TypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value addr= base code= ctxt: curg= etRx j TypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownupgradew TypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownu TypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownupgradewaitingwindowsw TypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownupgradewaitingw TypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptru TypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownupgradewaitingwindowswsarecvw TypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileru TypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileru TypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-ageni	0_2_0048A850
Source: C:\Users\user\Desktop\p.exe	Code function: ReaddirRefererSharadaShavianSiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32f ReaddirRefererSharadaShavianSiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32f	0_2_0047E9B0
Source: C:\Users\user\Desktop\p.exe	Code function: P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB)	0_2_004FE9B0
Source: C:\Users\user\Desktop\p.exe	Code function: ErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleep ErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleep ErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleep	0_2_004CEAC0
Source: C:\Users\user\Desktop\p.exe	Code function: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64	0_2_00492C50
Source: C:\Users\user\Desktop\p.exe	Code function: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64	0_2_0049CE50
Source: C:\Users\user\Desktop\p.exe	Code function: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64	0_2_004EEE00
Source: C:\Users\user\Desktop\p.exe	Code function: AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdir AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdir AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdir BamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohs BamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohs BamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohs BatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanic BatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanic BatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanic BuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparse BuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparse BuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarr	0_2_004B0EA0
Source: C:\Users\user\Desktop\p.exe	Code function: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64	0_2_004EEF40
Source: C:\Users\user\Desktop\p.exe	Code function: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64	0_2_00492F50
Source: C:\Users\user\Desktop\p.exe	Code function: SwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererr SwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererr	0_2_00456F10
Source: C:\Users\user\Desktop\p.exe	Code function: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64	0_2_004CF070
Source: C:\Users\user\Desktop\p.exe	Code function: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64	0_2_0053B690
Source: C:\Users\user\Desktop\p.exe	Code function: P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Val P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Val P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Val	0_2_004FB7F0
Source: C:\Users\user\Desktop\p.exe	Code function: , ..., fp:-0930.html.jpeg.wasm.webp1562578125:*@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefault , ..., fp:-0930.html.jpeg.wasm.webp1562578125:@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefault , ..., fp:-0930.html.jpeg.wasm.webp1562578125:**@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefault	0_2_00445850
Source: C:\Users\user\Desktop\p.exe	Code function: P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value ad P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value ad P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value ad	0_2_004FBA40
Source: C:\Users\user\Desktop\p.exe	Code function: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64	0_2_0047FA30
Source: C:\Users\user\Desktop\p.exe	Code function: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64	0_2_004A1A80
Source: C:\Users\user\Desktop\p.exe	Code function: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64	0_2_00499BE0
Source: C:\Users\user\Desktop\p.exe	Code function: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64	0_2_004E1C40
Source: C:\Users\user\Desktop\p.exe	Code function: P-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite P-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite P-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite	0_2_004FBC90
Source: C:\Users\user\Desktop\p.exe	Code function: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64	0_2_00491DC0
Source: C:\Users\user\Desktop\p.exe	Code function: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64	0_2_00493E60
Source: C:\Users\user\Desktop\p.exe	Code function: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64 <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64	0_2_0049DF70

Source: C:\Users\user\Desktop\p.exe

Code function: 0_2_00450350 rdtsc

0_2_00450350

Source: C:\Users\user\Desktop\p.exe

Code function: 0_2_00427800 GetProcessAffinityMask,GetSystemInfo,

0_2_00427800

Source: p.exe	Binary or memory string: SinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup m
Source: p.exe	Binary or memory string: LimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/
Source: p.exe	Binary or memory string: OsmanyaPATHEXTRadicalReaddirRefererSharadaShavianSiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsoled
Source: p.exe	Binary or memory string: TamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value addr= base code= ctxt: curg= et
Source: p.exe	Binary or memory string: TirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:s
Source: p.exe	Binary or memory string: RadicalReaddirRefererSharadaShavianSiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresf
Source: p.exe	Binary or memory string: BatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanic
Source: p.exe	Binary or memory string: Usage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownupgradewaitingwindowswsarecvwsasend data=%q
Source: p.exe	Binary or memory string: TypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptru
Source: p.exe	Binary or memory string: TypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownu
Source: p.exe	Binary or memory string: WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownupgradewaitingwindowswsarecvwsasend data=%q etypes
Source: p.exe	Binary or memory string: TagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshr
Source: p.exe	Binary or memory string: TypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value addr= base code= ctxt: curg= etRx j
Source: p.exe	Binary or memory string: OriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8
Source: p.exe	Binary or memory string: KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42
Source: p.exe	Binary or memory string: TakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value addr= base code= ctxt: cur
Source: p.exe	Binary or memory string: TypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownupgradewaitingwindowsw
Source: p.exe	Binary or memory string: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64
Source: p.exe	Binary or memory string: P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB)
Source: p.exe	Binary or memory string: TibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunnings
Source: p.exe	Binary or memory string: TypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownupgradew
Source: p.exe	Binary or memory string: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownupgradewaitingwindowswsarecvwsasend data=%q etypes
Source: p.exe	Binary or memory string: P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB)
Source: p.exe	Binary or memory string: NushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8
Source: p.exe, 00000000.00000002.2905012640.0000000011404000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemusandbox
Source: p.exe	Binary or memory string: TypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileru
Source: p.exe	Binary or memory string: SharadaShavianSiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctraceh
Source: p.exe	Binary or memory string: BuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparse
Source: p.exe, 00000000.00000002.2905012640.0000000011404000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: p.exe	Binary or memory string: MarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalReaddirRefererSharadaShavianSiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedc
Source: p.exe	Binary or memory string: MUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalReaddirRefererSharadaShavianSiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmware
Source: p.exe	Binary or memory string: TypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownupgradew
Source: p.exe	Binary or memory string: RunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value addr= base code=
Source: p.exe	Binary or memory string: MakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalReaddirRefererSharadaShavianSiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes
Source: p.exe	Binary or memory string: SogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agen
Source: p.exe	Binary or memory string: TypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value addr= base code= ctxt: curg= etRx j
Source: p.exe, 00000000.00000002.2905012640.0000000011404000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaresandbox
Source: p.exe	Binary or memory string: LocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13
Source: p.exe	Binary or memory string: OsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8value
Source: p.exe	Binary or memory string: ErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleep
Source: p.exe	Binary or memory string: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64
Source: p.exe	Binary or memory string: P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Val
Source: p.exe	Binary or memory string: MUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalReaddirRefererSharadaShavianSiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmware
Source: p.exe	Binary or memory string: P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value ad
Source: p.exe	Binary or memory string: , ..., fp:-0930.html.jpeg.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefault
Source: p.exe	Binary or memory string: ReaddirRefererSharadaShavianSiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32f
Source: p.exe	Binary or memory string: , ..., fp:-0930.html.jpeg.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefault
Source: p.exe	Binary or memory string: TypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownupgradewaitingwindowswsarecvw
Source: p.exe	Binary or memory string: AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdir
Source: p.exe	Binary or memory string: TypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileru
Source: p.exe	Binary or memory string: ErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleep
Source: p.exe	Binary or memory string: LatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3
Source: p.exe	Binary or memory string: SoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keyp
Source: p.exe	Binary or memory string: OghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usage
Source: p.exe	Binary or memory string: MyanmarOctoberOsmanyaPATHEXTRadicalReaddirRefererSharadaShavianSiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedc
Source: p.exe	Binary or memory string: STermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value addr= base code= ctxt
Source: p.exe	Binary or memory string: P-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite
Source: p.exe	Binary or memory string: , fp:-0930.html.jpeg.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloat
Source: p.exe	Binary or memory string: MandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalReaddirRefererSharadaShavianSiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=a
Source: p.exe	Binary or memory string: Usage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownupgradewaitingwindowswsarecvwsasend data=%q
Source: p.exe, 00000000.00000002.2904240007.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: p.exe	Binary or memory string: AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdir
Source: p.exe	Binary or memory string: P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Val
Source: p.exe	Binary or memory string: DograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3s
Source: p.exe	Binary or memory string: BamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohs
Source: p.exe	Binary or memory string: GreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeA qemu vboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesocks
Source: p.exe	Binary or memory string: ShavianSiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://i
Source: p.exe	Binary or memory string: , fp:-0930.html.jpeg.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloat
Source: p.exe	Binary or memory string: MultaniMyanmarOctoberOsmanyaPATHEXTRadicalReaddirRefererSharadaShavianSiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetc
Source: p.exe	Binary or memory string: SwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererr
Source: p.exe	Binary or memory string: vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownupgradewaitingwindowswsarecvwsasend data=%q etypes goal
Source: p.exe	Binary or memory string: TypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownupgradewaitingw
Source: p.exe	Binary or memory string: SiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidl
Source: p.exe	Binary or memory string: SwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererr
Source: p.exe	Binary or memory string: TypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownu
Source: p.exe	Binary or memory string: TypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptru
Source: p.exe	Binary or memory string: P-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite
Source: p.exe	Binary or memory string: ReaddirRefererSharadaShavianSiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32f
Source: p.exe	Binary or memory string: LocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13
Source: p.exe	Binary or memory string: P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value ad
Source: p.exe	Binary or memory string: SiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage: WSARecvWSASend vmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidl

Source: C:\Users\user\Desktop\p.exe

Code function: 0_2_00450350 rdtsc

0_2_00450350

Source: C:\Users\user\Desktop\p.exe

Code function: 0_2_0043B070 AddVectoredExceptionHandler,SetUnhandledExceptionFilter,

0_2_0043B070

Source: C:\Users\user\Desktop\p.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	2 Ingress Tool Transfer	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
p.exe	18%	ReversingLabs
p.exe	100%	Joe Sandbox ML

URLs

Source	Detection	Scanner	Label
https://87.121.86.2:9090idna:	0%	Avira URL Cloud	safe
https://87.121.86.2:9090/getcmdarch=386&country=	0%	Avira URL Cloud	safe
https://87.121.86.2:9090/register	0%	Avira URL Cloud	safe
https://87.121.86.2:9090/getcmd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high
198.187.3.20.in-addr.arpa	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/csv/?fields=query	false		high
http://ip-api.com/csv/?fields=country	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://87.121.86.2:9090idna:	p.exe	false	Avira URL Cloud: safe	unknown
http://ip-api.com/csv/?fields=countryhttps://87.121.86.2:9090/register%D1.Qd%0A%1En%B4B%0FvN%F0%28S%	p.exe, 00000000.00000002.2905012640.0000000011404000.00000004.00001000.00020000.00000000.sdmp	false		high
https://87.121.86.2:9090/getcmdarch=386&country=	p.exe, 00000000.00000002.2905012640.00000000114D2000.00000004.00001000.00020000.00000000.sdmp, p.exe, 00000000.00000002.2905012640.0000000011404000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://87.121.86.2:9090/getcmd	p.exe, 00000000.00000002.2905012640.00000000114D2000.00000004.00001000.00020000.00000000.sdmp, p.exe, 00000000.00000002.2905012640.0000000011404000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://87.121.86.2:9090/register	p.exe, 00000000.00000002.2905012640.0000000011404000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
87.121.86.2	unknown	Bulgaria		34577	SKATTV-ASBG	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586756
Start date and time:	2025-01-09 15:42:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	p.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@1/0@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 20.3.187.198, 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: p.exe

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, LoadLibraryA, LoadLibraryW, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatus, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 15:42:58.100315094 CET	49730	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:42:58.105249882 CET	80	49730	208.95.112.1	192.168.2.4
Jan 9, 2025 15:42:58.105341911 CET	49730	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:42:58.105635881 CET	49730	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:42:58.110408068 CET	80	49730	208.95.112.1	192.168.2.4
Jan 9, 2025 15:42:58.579514027 CET	80	49730	208.95.112.1	192.168.2.4
Jan 9, 2025 15:42:58.581597090 CET	49731	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:42:58.586961985 CET	80	49731	208.95.112.1	192.168.2.4
Jan 9, 2025 15:42:58.587044001 CET	49731	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:42:58.587469101 CET	49731	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:42:58.592400074 CET	80	49731	208.95.112.1	192.168.2.4
Jan 9, 2025 15:42:58.619553089 CET	49730	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:42:59.052544117 CET	80	49731	208.95.112.1	192.168.2.4
Jan 9, 2025 15:42:59.055248022 CET	49732	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:42:59.060291052 CET	9090	49732	87.121.86.2	192.168.2.4
Jan 9, 2025 15:42:59.060378075 CET	49732	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:42:59.064112902 CET	49732	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:42:59.069030046 CET	9090	49732	87.121.86.2	192.168.2.4
Jan 9, 2025 15:42:59.095757008 CET	49731	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:42:59.875710011 CET	9090	49732	87.121.86.2	192.168.2.4
Jan 9, 2025 15:42:59.875763893 CET	9090	49732	87.121.86.2	192.168.2.4
Jan 9, 2025 15:42:59.875957966 CET	49732	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:42:59.886971951 CET	49732	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:42:59.887103081 CET	49732	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:42:59.891993046 CET	9090	49732	87.121.86.2	192.168.2.4
Jan 9, 2025 15:42:59.892030001 CET	9090	49732	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:00.059168100 CET	9090	49732	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:00.063800097 CET	49733	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:00.068775892 CET	9090	49733	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:00.068857908 CET	49733	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:00.075954914 CET	49733	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:00.080851078 CET	9090	49733	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:00.111124039 CET	49732	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:01.072244883 CET	9090	49733	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:01.072263956 CET	9090	49733	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:01.072329998 CET	49733	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:01.074116945 CET	49733	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:01.074270010 CET	49733	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:01.078846931 CET	9090	49733	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:01.079041958 CET	9090	49733	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:01.334831953 CET	9090	49733	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:01.383133888 CET	49733	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:05.345662117 CET	49734	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:05.350589991 CET	9090	49734	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:05.350840092 CET	49734	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:05.351608992 CET	49734	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:05.356471062 CET	9090	49734	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:06.232021093 CET	9090	49734	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:06.232049942 CET	9090	49734	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:06.232141972 CET	49734	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:06.233799934 CET	49734	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:06.233928919 CET	49734	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:06.239970922 CET	9090	49734	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:06.243386984 CET	9090	49734	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:06.486258030 CET	9090	49734	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:06.534477949 CET	49734	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:10.488270044 CET	49735	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:10.493191004 CET	9090	49735	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:10.493372917 CET	49735	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:10.494050026 CET	49735	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:10.498812914 CET	9090	49735	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:11.356340885 CET	9090	49735	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:11.356368065 CET	9090	49735	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:11.356426954 CET	49735	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:11.372108936 CET	49735	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:11.372236013 CET	49735	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:11.376904011 CET	9090	49735	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:11.377002001 CET	9090	49735	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:11.623033047 CET	9090	49735	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:11.674134016 CET	49735	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:13.580353975 CET	49730	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:43:13.585326910 CET	80	49730	208.95.112.1	192.168.2.4
Jan 9, 2025 15:43:14.064923048 CET	49731	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:43:14.069967985 CET	80	49731	208.95.112.1	192.168.2.4
Jan 9, 2025 15:43:15.064738035 CET	49732	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:15.069688082 CET	9090	49732	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:15.628117085 CET	49738	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:15.632976055 CET	9090	49738	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:15.636112928 CET	49738	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:15.637048960 CET	49738	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:15.641901016 CET	9090	49738	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:16.340753078 CET	49733	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:16.345637083 CET	9090	49733	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:16.598170996 CET	9090	49738	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:16.598191023 CET	9090	49738	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:16.598582029 CET	49738	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:16.599920988 CET	49738	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:16.600025892 CET	49738	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:16.605787992 CET	9090	49738	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:16.605797052 CET	9090	49738	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:16.851008892 CET	9090	49738	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:16.905101061 CET	49738	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:20.874437094 CET	49743	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:20.879271030 CET	9090	49743	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:20.879354954 CET	49743	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:20.879879951 CET	49743	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:20.884666920 CET	9090	49743	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:21.490006924 CET	49734	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:21.494990110 CET	9090	49734	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:21.879616022 CET	9090	49743	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:21.879631042 CET	9090	49743	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:21.879709959 CET	49743	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:21.881335974 CET	49743	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:21.881438971 CET	49743	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:21.886893988 CET	9090	49743	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:21.886902094 CET	9090	49743	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:22.055809021 CET	9090	49743	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:22.104088068 CET	49743	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:26.057723999 CET	49744	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:26.062870979 CET	9090	49744	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:26.063059092 CET	49744	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:26.063652039 CET	49744	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:26.068531990 CET	9090	49744	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:26.626640081 CET	49735	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:26.632800102 CET	9090	49735	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:26.893381119 CET	9090	49744	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:26.893429995 CET	9090	49744	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:26.893687963 CET	49744	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:26.895031929 CET	49744	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:26.895122051 CET	49744	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:26.899988890 CET	9090	49744	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:26.900070906 CET	9090	49744	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:27.078588009 CET	9090	49744	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:27.127078056 CET	49744	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:28.595711946 CET	49730	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:43:28.600708008 CET	80	49730	208.95.112.1	192.168.2.4
Jan 9, 2025 15:43:29.084120989 CET	49731	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:43:29.089277983 CET	80	49731	208.95.112.1	192.168.2.4
Jan 9, 2025 15:43:30.080353022 CET	49732	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:30.085279942 CET	9090	49732	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:30.088646889 CET	53260	53	192.168.2.4	162.159.36.2
Jan 9, 2025 15:43:30.093585014 CET	53	53260	162.159.36.2	192.168.2.4
Jan 9, 2025 15:43:30.093667984 CET	53260	53	192.168.2.4	162.159.36.2
Jan 9, 2025 15:43:30.098591089 CET	53	53260	162.159.36.2	192.168.2.4
Jan 9, 2025 15:43:30.557763100 CET	53260	53	192.168.2.4	162.159.36.2
Jan 9, 2025 15:43:30.563035965 CET	53	53260	162.159.36.2	192.168.2.4
Jan 9, 2025 15:43:30.563114882 CET	53260	53	192.168.2.4	162.159.36.2
Jan 9, 2025 15:43:31.090362072 CET	53262	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:31.095707893 CET	9090	53262	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:31.095822096 CET	53262	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:31.096637011 CET	53262	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:31.101543903 CET	9090	53262	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:31.347084999 CET	49733	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:31.352380037 CET	9090	49733	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:31.862725019 CET	49738	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:31.868119001 CET	9090	49738	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:31.974567890 CET	9090	53262	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:31.974630117 CET	9090	53262	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:31.974699974 CET	53262	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:31.976977110 CET	53262	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:31.977158070 CET	53262	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:31.981821060 CET	9090	53262	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:31.982018948 CET	9090	53262	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:32.156683922 CET	9090	53262	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:32.204967976 CET	53262	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:36.161556005 CET	53266	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:36.166636944 CET	9090	53266	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:36.166707993 CET	53266	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:36.167269945 CET	53266	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:36.172055960 CET	9090	53266	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:36.510010958 CET	49734	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:36.515137911 CET	9090	49734	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:37.046097994 CET	9090	53266	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:37.046129942 CET	9090	53266	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:37.046192884 CET	53266	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:37.047926903 CET	53266	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:37.048036098 CET	53266	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:37.052815914 CET	9090	53266	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:37.052829027 CET	9090	53266	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:37.064560890 CET	49743	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:37.069416046 CET	9090	49743	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:37.312895060 CET	9090	53266	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:37.361253977 CET	53266	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:41.322788000 CET	53267	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:41.328061104 CET	9090	53267	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:41.328246117 CET	53267	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:41.328861952 CET	53267	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:41.333849907 CET	9090	53267	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:41.642904043 CET	49735	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:41.647933960 CET	9090	49735	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:42.080434084 CET	49744	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:42.085633039 CET	9090	49744	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:43.138493061 CET	9090	53267	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:43.138545036 CET	9090	53267	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:43.138583899 CET	9090	53267	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:43.138845921 CET	53267	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:43.140312910 CET	53267	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:43.140439034 CET	53267	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:43.145081043 CET	9090	53267	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:43.145220041 CET	9090	53267	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:43.610105991 CET	49730	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:43:43.615262985 CET	80	49730	208.95.112.1	192.168.2.4
Jan 9, 2025 15:43:44.104085922 CET	49731	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:43:44.109544039 CET	80	49731	208.95.112.1	192.168.2.4
Jan 9, 2025 15:43:44.958172083 CET	9090	53267	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:45.006602049 CET	53267	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:45.092578888 CET	49732	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:45.097584963 CET	9090	49732	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:46.365751028 CET	49733	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:46.370984077 CET	9090	49733	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:46.881537914 CET	49738	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:46.886591911 CET	9090	49738	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:47.162656069 CET	53262	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:47.167602062 CET	9090	53262	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:48.960452080 CET	53268	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:48.965605974 CET	9090	53268	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:48.965831041 CET	53268	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:48.966340065 CET	53268	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:48.971381903 CET	9090	53268	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:49.842042923 CET	9090	53268	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:49.842132092 CET	9090	53268	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:49.842444897 CET	53268	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:49.844100952 CET	53268	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:49.844187021 CET	53268	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:49.849150896 CET	9090	53268	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:49.849168062 CET	9090	53268	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:50.016297102 CET	9090	53268	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:50.064934015 CET	53268	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:51.517853975 CET	49734	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:51.522929907 CET	9090	49734	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:52.080379009 CET	49743	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:52.085417986 CET	9090	49743	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:52.317506075 CET	53266	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:52.323070049 CET	9090	53266	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:54.002757072 CET	53269	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:54.007894993 CET	9090	53269	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:54.007992029 CET	53269	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:54.008594990 CET	53269	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:54.014113903 CET	9090	53269	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:55.111059904 CET	9090	53269	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:55.111093998 CET	9090	53269	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:55.111172915 CET	53269	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:55.112548113 CET	53269	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:55.112673998 CET	53269	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:55.117624998 CET	9090	53269	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:55.118328094 CET	9090	53269	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:55.358846903 CET	9090	53269	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:55.406861067 CET	53269	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:56.657108068 CET	49735	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:56.662957907 CET	9090	49735	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:57.110055923 CET	49744	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:57.115089893 CET	9090	49744	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:58.625657082 CET	49730	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:43:58.630539894 CET	80	49730	208.95.112.1	192.168.2.4
Jan 9, 2025 15:43:59.110270023 CET	49731	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:43:59.115299940 CET	80	49731	208.95.112.1	192.168.2.4
Jan 9, 2025 15:43:59.376226902 CET	53281	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:59.381014109 CET	9090	53281	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:59.381077051 CET	53281	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:59.381834984 CET	53281	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:59.386604071 CET	9090	53281	87.121.86.2	192.168.2.4
Jan 9, 2025 15:43:59.960342884 CET	53267	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:43:59.965189934 CET	9090	53267	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:00.101066113 CET	49732	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:00.106002092 CET	9090	49732	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:00.382349014 CET	9090	53281	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:00.382363081 CET	9090	53281	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:00.382431984 CET	53281	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:00.390961885 CET	53281	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:00.391115904 CET	53281	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:00.395682096 CET	9090	53281	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:00.395864010 CET	9090	53281	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:00.565236092 CET	9090	53281	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:00.619366884 CET	53281	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:01.384890079 CET	49733	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:01.392187119 CET	9090	49733	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:01.900641918 CET	49738	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:01.905630112 CET	9090	49738	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:02.181790113 CET	53262	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:02.186743021 CET	9090	53262	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:04.573060036 CET	53316	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:04.578453064 CET	9090	53316	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:04.578540087 CET	53316	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:04.579215050 CET	53316	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:04.584137917 CET	9090	53316	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:05.032912016 CET	53268	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:05.037983894 CET	9090	53268	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:05.467860937 CET	9090	53316	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:05.467889071 CET	9090	53316	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:05.468200922 CET	53316	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:05.469718933 CET	53316	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:05.469841957 CET	53316	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:05.474601030 CET	9090	53316	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:05.474870920 CET	9090	53316	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:05.755861044 CET	9090	53316	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:05.804992914 CET	53316	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:06.377099991 CET	80	49730	208.95.112.1	192.168.2.4
Jan 9, 2025 15:44:06.377161026 CET	49730	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:44:06.377249956 CET	49730	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:44:06.382113934 CET	80	49730	208.95.112.1	192.168.2.4
Jan 9, 2025 15:44:06.440887928 CET	80	49731	208.95.112.1	192.168.2.4
Jan 9, 2025 15:44:06.440968990 CET	49731	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:44:06.441054106 CET	49731	80	192.168.2.4	208.95.112.1
Jan 9, 2025 15:44:06.445867062 CET	80	49731	208.95.112.1	192.168.2.4
Jan 9, 2025 15:44:06.536029100 CET	49734	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:06.541335106 CET	9090	49734	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:07.098432064 CET	49743	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:07.103403091 CET	9090	49743	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:07.332897902 CET	53266	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:07.337795019 CET	9090	53266	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:09.755697966 CET	53350	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:09.760656118 CET	9090	53350	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:09.760732889 CET	53350	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:09.761354923 CET	53350	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:09.766251087 CET	9090	53350	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:10.367557049 CET	53269	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:10.372910976 CET	9090	53269	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:10.631143093 CET	9090	53350	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:10.631203890 CET	9090	53350	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:10.631233931 CET	9090	53350	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:10.631388903 CET	53350	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:10.632682085 CET	53350	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:10.632786989 CET	53350	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:10.637561083 CET	9090	53350	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:10.637590885 CET	9090	53350	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:10.816246986 CET	9090	53350	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:10.864531994 CET	53350	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:11.676990986 CET	49735	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:11.682360888 CET	9090	49735	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:12.130048990 CET	49744	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:12.134990931 CET	9090	49744	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:14.820141077 CET	53384	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:14.825587034 CET	9090	53384	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:14.825782061 CET	53384	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:14.830009937 CET	53384	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:14.835019112 CET	9090	53384	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:14.975083113 CET	53267	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:14.980350971 CET	9090	53267	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:15.115722895 CET	49732	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:15.121030092 CET	9090	49732	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:15.568820000 CET	53281	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:15.573878050 CET	9090	53281	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:16.136634111 CET	9090	53384	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:16.136687994 CET	9090	53384	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:16.136889935 CET	53384	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:16.138150930 CET	53384	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:16.138150930 CET	53384	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:16.143300056 CET	9090	53384	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:16.143372059 CET	9090	53384	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:16.404038906 CET	49733	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:16.408960104 CET	9090	49733	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:16.444896936 CET	9090	53384	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:16.493576050 CET	53384	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:16.915354967 CET	49738	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:16.920661926 CET	9090	49738	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:17.196692944 CET	53262	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:17.202208042 CET	9090	53262	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:20.040530920 CET	53268	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:20.045819044 CET	9090	53268	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:20.447113991 CET	53420	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:20.451961040 CET	9090	53420	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:20.452053070 CET	53420	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:20.452589989 CET	53420	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:20.457353115 CET	9090	53420	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:20.765677929 CET	53316	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:20.770683050 CET	9090	53316	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:21.293495893 CET	9090	53420	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:21.293565989 CET	9090	53420	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:21.293720961 CET	53420	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:21.295277119 CET	53420	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:21.295386076 CET	53420	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:21.300635099 CET	9090	53420	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:21.301171064 CET	9090	53420	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:21.555414915 CET	49734	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:21.560316086 CET	9090	49734	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:21.575874090 CET	9090	53420	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:21.624373913 CET	53420	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:22.108753920 CET	49743	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:22.113609076 CET	9090	49743	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:22.343236923 CET	53266	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:22.348155022 CET	9090	53266	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:25.374521971 CET	53269	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:25.379898071 CET	9090	53269	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:25.578277111 CET	53453	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:25.583549976 CET	9090	53453	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:25.583744049 CET	53453	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:25.584438086 CET	53453	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:25.589778900 CET	9090	53453	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:25.819241047 CET	53350	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:25.824388981 CET	9090	53350	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:26.363365889 CET	9090	53453	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:26.363428116 CET	9090	53453	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:26.363622904 CET	53453	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:26.364991903 CET	53453	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:26.364991903 CET	53453	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:26.369931936 CET	9090	53453	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:26.369961023 CET	9090	53453	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:26.544527054 CET	9090	53453	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:26.593010902 CET	53453	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:26.686661005 CET	49735	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:26.691951036 CET	9090	49735	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:27.139806986 CET	49744	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:27.145127058 CET	9090	49744	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:29.983768940 CET	53267	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:29.988713980 CET	9090	53267	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:30.124336004 CET	49732	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:30.129365921 CET	9090	49732	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:30.546653032 CET	53486	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:30.551845074 CET	9090	53486	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:30.551934958 CET	53486	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:30.558753014 CET	53486	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:30.563551903 CET	9090	53486	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:30.574616909 CET	53281	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:30.579674959 CET	9090	53281	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:31.418253899 CET	49733	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:31.423479080 CET	9090	49733	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:31.426867008 CET	9090	53486	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:31.426922083 CET	9090	53486	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:31.427098036 CET	53486	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:31.428611994 CET	53486	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:31.428611994 CET	53486	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:31.434115887 CET	9090	53486	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:31.434155941 CET	9090	53486	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:31.460050106 CET	53384	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:31.465199947 CET	9090	53384	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:31.613245010 CET	9090	53486	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:31.661667109 CET	53486	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:31.927177906 CET	49738	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:31.931982040 CET	9090	49738	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:32.208514929 CET	53262	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:32.213857889 CET	9090	53262	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:35.052205086 CET	53268	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:35.057060003 CET	9090	53268	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:35.618522882 CET	53518	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:35.624433041 CET	9090	53518	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:35.624535084 CET	53518	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:35.627736092 CET	53518	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:35.632484913 CET	9090	53518	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:35.784610987 CET	53316	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:35.789675951 CET	9090	53316	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:36.381943941 CET	9090	53518	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:36.381968975 CET	9090	53518	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:36.382147074 CET	53518	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:36.383549929 CET	53518	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:36.383641005 CET	53518	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:36.388252974 CET	9090	53518	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:36.388361931 CET	9090	53518	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:36.571239948 CET	49734	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:36.576139927 CET	9090	49734	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:36.586859941 CET	53420	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:36.591650009 CET	9090	53420	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:36.634452105 CET	9090	53518	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:36.682605028 CET	53518	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:37.120811939 CET	49743	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:37.125668049 CET	9090	49743	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:37.354566097 CET	53266	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:37.359441042 CET	9090	53266	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:40.385826111 CET	53269	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:40.390696049 CET	9090	53269	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:40.636188030 CET	53543	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:40.641278028 CET	9090	53543	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:40.641338110 CET	53543	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:40.641952991 CET	53543	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:40.646759987 CET	9090	53543	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:40.830815077 CET	53350	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:40.835791111 CET	9090	53350	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:41.447772026 CET	9090	53543	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:41.447796106 CET	9090	53543	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:41.448045015 CET	53543	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:41.449601889 CET	53543	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:41.449727058 CET	53543	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:41.454400063 CET	9090	53543	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:41.454545975 CET	9090	53543	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:41.560328960 CET	53453	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:41.565345049 CET	9090	53453	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:41.701051950 CET	49735	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:41.706322908 CET	9090	49735	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:41.727353096 CET	9090	53543	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:41.777044058 CET	53543	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:42.152132034 CET	49744	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:42.157164097 CET	9090	49744	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:44.995914936 CET	53267	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:45.001019955 CET	9090	53267	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:45.136538982 CET	49732	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:45.141680002 CET	9090	49732	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:45.589678049 CET	53281	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:45.656161070 CET	9090	53281	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:45.730801105 CET	53544	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:45.735744953 CET	9090	53544	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:45.735848904 CET	53544	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:45.736469030 CET	53544	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:45.741317987 CET	9090	53544	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:46.424459934 CET	49733	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:46.429502010 CET	9090	49733	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:46.471524000 CET	53384	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:46.476562977 CET	9090	53384	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:46.627660036 CET	53486	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:46.632529020 CET	9090	53486	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:46.671041012 CET	9090	53544	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:46.671051979 CET	9090	53544	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:46.671351910 CET	53544	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:46.672482967 CET	53544	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:46.672588110 CET	53544	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:46.677294016 CET	9090	53544	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:46.677330971 CET	9090	53544	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:46.938366890 CET	49738	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:46.938486099 CET	9090	53544	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:46.943249941 CET	9090	49738	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:46.986773968 CET	53544	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:47.223329067 CET	53262	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:47.228184938 CET	9090	53262	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:50.064943075 CET	53268	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:50.069900036 CET	9090	53268	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:50.799247026 CET	53316	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:50.804577112 CET	9090	53316	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:50.940308094 CET	53545	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:50.947962046 CET	9090	53545	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:50.948075056 CET	53545	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:50.948576927 CET	53545	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:50.954030991 CET	9090	53545	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:51.589888096 CET	49734	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:51.594860077 CET	9090	49734	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:51.605463028 CET	53420	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:51.610266924 CET	9090	53420	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:51.636650085 CET	53518	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:51.641640902 CET	9090	53518	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:51.783035994 CET	9090	53545	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:51.783076048 CET	9090	53545	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:51.783363104 CET	53545	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:51.784583092 CET	53545	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:51.784687042 CET	53545	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:51.789452076 CET	9090	53545	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:51.789467096 CET	9090	53545	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:52.045624018 CET	9090	53545	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:52.093832970 CET	53545	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:52.140700102 CET	49743	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:52.145641088 CET	9090	49743	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:52.359565020 CET	53266	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:52.364527941 CET	9090	53266	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:55.390763998 CET	53269	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:55.395776987 CET	9090	53269	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:55.843944073 CET	53350	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:55.848956108 CET	9090	53350	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:56.048206091 CET	53546	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:56.053225040 CET	9090	53546	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:56.053322077 CET	53546	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:56.053904057 CET	53546	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:56.058708906 CET	9090	53546	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:56.570679903 CET	53453	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:56.575613976 CET	9090	53453	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:56.711292028 CET	49735	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:56.716239929 CET	9090	49735	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:56.742547989 CET	53543	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:56.747490883 CET	9090	53543	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:57.024224997 CET	9090	53546	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:57.024240971 CET	9090	53546	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:57.024629116 CET	53546	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:57.025959969 CET	53546	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:57.026160955 CET	53546	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:57.032807112 CET	9090	53546	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:57.032815933 CET	9090	53546	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:57.167956114 CET	49744	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:44:57.173084974 CET	9090	49744	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:57.204190969 CET	9090	53546	87.121.86.2	192.168.2.4
Jan 9, 2025 15:44:57.252543926 CET	53546	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:00.002368927 CET	53267	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:00.007683039 CET	9090	53267	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:00.143250942 CET	49732	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:00.148406982 CET	9090	49732	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:00.658755064 CET	53281	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:00.664066076 CET	9090	53281	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:01.212078094 CET	53547	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:01.218374968 CET	9090	53547	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:01.218478918 CET	53547	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:01.220587015 CET	53547	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:01.226594925 CET	9090	53547	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:01.440601110 CET	49733	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:01.445669889 CET	9090	49733	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:01.487556934 CET	53384	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:01.492590904 CET	9090	53384	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:01.643675089 CET	53486	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:01.648647070 CET	9090	53486	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:01.940485954 CET	53544	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:01.945550919 CET	9090	53544	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:01.956105947 CET	49738	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:01.961025953 CET	9090	49738	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:02.237467051 CET	53262	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:02.242613077 CET	9090	53262	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:02.387305975 CET	9090	53547	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:02.387440920 CET	9090	53547	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:02.387635946 CET	53547	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:02.389477015 CET	53547	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:02.389652014 CET	53547	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:02.394299984 CET	9090	53547	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:02.394417048 CET	9090	53547	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:02.650511026 CET	9090	53547	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:02.702765942 CET	53547	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:05.071944952 CET	53268	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:05.078107119 CET	9090	53268	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:05.806242943 CET	53316	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:05.811418056 CET	9090	53316	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:06.603240967 CET	49734	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:06.608270884 CET	9090	49734	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:06.618851900 CET	53420	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:06.623689890 CET	9090	53420	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:06.649987936 CET	53518	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:06.654792070 CET	9090	53518	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:07.056375027 CET	53545	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:07.061655998 CET	9090	53545	87.121.86.2	192.168.2.4
Jan 9, 2025 15:45:07.150160074 CET	49743	9090	192.168.2.4	87.121.86.2
Jan 9, 2025 15:45:07.156256914 CET	9090	49743	87.121.86.2	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 15:42:58.090686083 CET	50197	53	192.168.2.4	1.1.1.1
Jan 9, 2025 15:42:58.097858906 CET	53	50197	1.1.1.1	192.168.2.4
Jan 9, 2025 15:43:30.087654114 CET	53	53453	162.159.36.2	192.168.2.4
Jan 9, 2025 15:43:30.569802999 CET	62814	53	192.168.2.4	1.1.1.1
Jan 9, 2025 15:43:30.577219963 CET	53	62814	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 15:42:58.090686083 CET	192.168.2.4	1.1.1.1	0x654d	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:43:30.569802999 CET	192.168.2.4	1.1.1.1	0x6e40	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 15:42:58.097858906 CET	1.1.1.1	192.168.2.4	0x654d	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 15:43:30.577219963 CET	1.1.1.1	192.168.2.4	0x6e40	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	208.95.112.1	80	7632	C:\Users\user\Desktop\p.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 15:42:58.105635881 CET	110	OUT	GET /csv/?fields=country HTTP/1.1 Host: ip-api.com User-Agent: FYCQrUakUBwkJEwHkx Accept-Encoding: gzip
Jan 9, 2025 15:42:58.579514027 CET	184	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:42:57 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 14 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 55 6e 69 74 65 64 20 53 74 61 74 65 73 0a Data Ascii: United States
Jan 9, 2025 15:43:13.580353975 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 9, 2025 15:43:28.595711946 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 9, 2025 15:43:43.610105991 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 9, 2025 15:43:58.625657082 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	208.95.112.1	80	7632	C:\Users\user\Desktop\p.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 15:42:58.587469101 CET	108	OUT	GET /csv/?fields=query HTTP/1.1 Host: ip-api.com User-Agent: FYCQrUakUBwkJEwHkx Accept-Encoding: gzip
Jan 9, 2025 15:42:59.052544117 CET	183	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:42:58 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 13 Access-Control-Allow-Origin: * X-Ttl: 59 X-Rl: 43 Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 0a Data Ascii: 8.46.123.189
Jan 9, 2025 15:43:14.064923048 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 9, 2025 15:43:29.084120989 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 9, 2025 15:43:44.104085922 CET	6	OUT	Data Raw: 00 Data Ascii:
Jan 9, 2025 15:43:59.110270023 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	09:42:57
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\p.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\p.exe"
Imagebase:	0x400000
File size:	4'521'472 bytes
MD5 hash:	194E3CA62E9BA481112E59310A00B54B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	1
Total number of Limit Nodes:	0

Executed Functions

Function 004512A0 Relevance: 1.5, APIs: 1, Instructions: 19
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSARecv.WS2_32 ref: 004512C3

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: 85b07341f977adfd1331a972d0bd069f00081ffb41b5367fe339be9e9d3b190f
Instruction ID: 933be8071f0d6d3a30d3a4238a8b18ece7488d0241ab979ff6528888495a31a8
Opcode Fuzzy Hash: 85b07341f977adfd1331a972d0bd069f00081ffb41b5367fe339be9e9d3b190f
Instruction Fuzzy Hash: 82E09275505B40CFCB15DF28C2C5606BBF0EB88A00F0485A8DE098F70AE774EE10DAD2

Non-executed Functions

Function 0048A850 Relevance: 57.1, Strings: 45, Instructions: 870
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileru, xrefs: 0048AC9D, 0048B7C0
ClassINETCuneiformDiacriticFindCloseForbiddenHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundPalmyreneParseUintSamaritanSee OtherSeptemberSundaneseToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyWSASendToWednesda, xrefs: 0048ACF5, 0048B7B0
RCodeSuccessReadConsoleWRevertToSelfSERIALNUMBERSetEndOfFileSora_SompengSyloti_NagriTransitionalTransmitFileUnauthorizedUnlockFileExX-ImforwardsX-Powered-Byabi mismatchadvapi32.dllbad flushGenbad g statusbad g0 stackbad recoveryc ap trafficc hs trafficcaller e, xrefs: 0048AE65, 0048B751
TypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptru, xrefs: 0048AB3F, 0048B81F
ClassHESIODCloseHandleCookie.PathCreateFileWDeleteFileWENABLE_PUSHEND_HEADERSEarly HintsExitProcessFreeLibraryGOTRACEBACKGetFileTypeHTTPS_PROXYIdeographicIn-Reply-ToMedefaidrinMoveFileExWNetShareAddNetShareDelNew_Tai_LueOld_PersianOld_SogdianOpenProcessPRIVATE, xrefs: 0048ADC7, 0048B780
AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticFindCloseForbiddenHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundPalmyreneParseUintSamaritanSee OtherSeptemberSundaneseToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINF, xrefs: 0048B509, 0048B57B
RCodeFormatErrorRegQueryInfoKeyWRegQueryValueExWRemoveDirectoryWSETTINGS_TIMEOUTSetFilePointerExTerminateProcessUpgrade RequiredUser-Agent: %sWww-AuthenticateZanabazar_SquareRZmuFRC stack:application/wasmbad SAN sequencebad special kindbad symbol tablecast, xrefs: 0048AEAB, 0048B741
RCodeNotImplementedRussia Time Zone 10Russia Time Zone 11Samoa Standard TimeService UnavailableSetTokenInformationSudan Standard TimeSwitching ProtocolsSyria Standard TimeTokyo Standard TimeTomsk Standard TimeTonga Standard TimeWaitForSingleObjectbad file desc, xrefs: 0048AF7D, 0048B711
character string exceeds maximum length (255)context: internal error: missing cancel errorexitsyscall: syscall frame is no longer validheapBitsSetType: called with non-pointer typehttp: no Client.Transport or DefaultTransporthttp: putIdleConn: connection is in, xrefs: 0048B38D
insufficient data for base length typeinternal error: unknown string type %dmakechan: invalid channel element typemime: expected slash after first tokennet/http: invalid header field name %qRZmuFRC: blocked read on free polldescRZmuFRC: sudog with non-false is, xrefs: 0048B045
segment prefix is reservedstartlockedm: locked to mestopped after 10 redirectstoo many colons in addresstruncated base 128 integerunexpected type in connectx509: invalid simple chain is not assignable to type 363797880709171295166015625AddVectoredContinueHandl, xrefs: 0048B0B5
RCodeServerFailureRFS specific errorRegional_IndicatorRussia Time Zone 3SetFileAttributesWSystemFunction036, xrefs: 0048AEF1, 0048B731
too many pointers (>10)truncated tag or lengthunexpected address typeunknown error code 0x%xunsupported certificatevarint integer overflowwork.nwait > work.nproc116415321826934814453125582076609134674072265625Azerbaijan Standard TimeBangladesh Standard TimeCap, xrefs: 0048B0ED
invalid pointerkey has expiredmalloc deadlockmissing addressmissing mcache?ms: gomaxprocs=network is downno medium foundno such processnon-minimal tagrecord overflowrecovery failedRZmuFRC error: RZmuFRC.gopanicRZmuFRC: frame scan missed a gserver finishedstart, xrefs: 0048B125
AnswerArabicAugustBasic BrahmiCANCELCarianChakmaCommonCookieCopticDELETEExpectFormatFridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPADDEDPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTy, xrefs: 0048B4C9, 0048B588
too many Questions to pack (>65535)traceback did not unwind completelytransform: short destination buffertransport endpoint is not connectedx509: decryption password incorrectx509: wrong Ed25519 public key size LastStreamID=%v ErrCode=%v Debug=%qMWPOhDPhHPxJQx, xrefs: 0048B275
TypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value addr= base code= ctxt: curg= etRx j, xrefs: 0048A8C9, 0048B8AF
parsing/packing of this type isn't available yetRZmuFRC: waitforsingleobject unexpected; result=RZmuFRC: waitforsingleobject wait_failed; errno=slice bounds out of range [:%x] with capacity %ystrconv: illegal AppendFloat/FormatFloat bitSizesyscall: string with, xrefs: 0048AFD5
TypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownupgradew, xrefs: 0048A99B, 0048B87F
ClassANYConflictContinueCyrillicDNS nameDOWNGRD, xrefs: 0048AE0D, 0048B761
parsing/packing of this section has completedreflect: internal error: invalid method indexreflect: nil type passed to Type.AssignableToRZmuFRC: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected ren, xrefs: 0048B00D
RCodeNameErrorREFUSED_STREAMREQUEST_METHODRegSetValueExWSetFilePointerTranslateNameWarch: 386accept-charsetallocfreetracebad allocCountbad record MACbad span statebad stack sizecontent-lengthdata truncatedfile too largefinalizer waitgcstoptheworldgetproto, xrefs: 0048AF37, 0048B721
$, xrefs: 0048B3CE
RCodeRefusedRCodeSuccessReadConsoleWRevertToSelfSERIALNUMBERSetEndOfFileSora_SompengSyloti_NagriTransitionalTransmitFileUnauthorizedUnlockFileExX-ImforwardsX-Powered-Byabi mismatchadvapi32.dllbad flushGenbad g statusbad g0 stackbad recoveryc ap trafficc hs tra, xrefs: 0048AFC3, 0048B6F2
nil resource bodyno data availablenotetsleepg on g0permission deniedreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of RZmuFRC.newosprocRZmuFRC: a.base= RZmuFRC: b.base= RZmuFRC: nameOff RZmuFRC: next_gc=RZmuFRC: pointer RZmuFRC: textOff RZmuF, xrefs: 0048B15D
too many Answers to pack (>65535)too many levels of symbolic linkstreap insert finds a broken treapunsupported transfer encoding: %qwaiting for unsupported file type%s %q is excluded by constraint %q3552713678800500929355621337890625: day-of-year does not matc, xrefs: 0048B2AD
insufficient data for resource body lengthinvalid HTTP header value %q for header %qmix of request and response pseudo headersnon-empty mark queue after concurrent markon a locked thread with no template threadpersistentalloc: align is not a power of 2RZmuFRC:, xrefs: 0048B195
TypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11[]byte acceptactivechan<-closedcookiedomainefenceexec: expectgopherhangupheaderip+netkilledlistenminuteobjectpopcntremovescvg: secondsecureselectserversocketsocks socks5statusstringstructsweep telnetuint16ui, xrefs: 0048AA27, 0048B85F
too many Authorities to pack (>65535)unexpected CONTINUATION for stream %dvalue too large for defined data typex509: RSA key missing NULL parameters1110223024625156540423631668090820312555511151231257827021181583404541015625Unable to determine system directory, xrefs: 0048B2E5
AdditionalCancelIoExClassCHAOSClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMException GC forcedGOMAXPROCSGetIfEntryGetVersionGlagoliticHTTP_PROXYHost: %sIP addressKeep-AliveKharoshthiLockFileEx, xrefs: 0048B549, 0048B55F
compressed name in SRV resource datacrypto/cipher: input not full blockscrypto/rand: argument to Int is <= 0crypto/sha1: invalid hash state sizecrypto/sha512: invalid hash functionhttp: no Location header in responsehttp: unexpected EOF reading trailerinvalid , xrefs: 0048B3C5
ClassCHAOSClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMException GC forcedGOMAXPROCSGetIfEntryGetVersionGlagoliticHTTP_PROXYHost: %sIP addressKeep-AliveKharoshthiLockFileExManichaeanMessage-Id, xrefs: 0048AD81, 0048B790
TypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownu, xrefs: 0048A9E1, 0048B86F
TypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11[]byte acceptactivechan<-closedcookiedomainefenceexec: expectgopherhangupheaderip+netkilledlistenminuteobjectpopcntremovescvg: secondsecureselectserversocketsocks socks5statusstringstructsweep telnetuint16uint32ui, xrefs: 0048A90F, 0048B89F
QuestionReadFileReceivedSETTINGSSHA1-RSASaturdayTagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUgariticWSAIoctl[signal stack=[address cgocheckcs default:durationeax ebp ebx ecx edi edx eflags eip esi esp expo, xrefs: 0048B485, 0048B598
segment length too longspan has no free stacksstack growth after forksyntax error in patternsystem huge page size (text/css; charset=utf-8text/xml; charset=utf-8time: invalid duration tls: invalid PSK bindertoo many pointers (>10)truncated tag or lengthunexpec, xrefs: 0048B1CD
zero length segment markroot jobs done to unallocated span%%!%c(*big.Float=%s)37252902984619140625Arabic Standard TimeAzores Standard TimeCertOpenSystemStoreWCreateProcessAsUserWCryptAcquireContextWEgyptian_HieroglyphsGetAcceptExSockaddrsGetAdaptersAddressesG, xrefs: 0048B205
ClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMException GC forcedGOMAXPROCSGetIfEntryGetVersionGlagoliticHTTP_PROXYHost: %sIP addressKeep-AliveKharoshthiLockFileExManichaeanMessage-IdNo Content, xrefs: 0048AD3B, 0048B7A0
TypeCNAMETypeHINFOTypeMINFOUse ProxyWSASendToWednesdayWriteFileZ07:00:00[%v = %d]analysisatomicor8bad indirbroadcastbus errorchan sendcomplex64connectexcopystackctxt != 0d.nx != 0empty urlfork/execfuncargs(image/gifimage/pnginterfaceinterruptipv6-icmplocalhos, xrefs: 0048A955, 0048B88F
insufficient data for calculated length typemime: unexpected content after media subtypeout of memory allocating heap arena metadatareflect: funcLayout with interface receiver tls: failed to verify client's certificate: tls: invalid certificate signature algor, xrefs: 0048B07D
resource length too longrunqsteal: runq overflowRZmuFRC: VirtualFree of RZmuFRC: found obj at *(span has no free objectsstack trace unavailablestreamSafe was not resetstructure needs cleaningtext/html; charset=utf-8unexpected buffer len=%v bytes failed with e, xrefs: 0048B23D
too many Additionals to pack (>65535)too many Authorities to pack (>65535)unexpected CONTINUATION for stream %dvalue too large for defined data typex509: RSA key missing NULL parameters111022302462515654042363166809082031255551115123125782702118158340454101562, xrefs: 0048B31D
name is not in canonical format (it must end with a .)net/http: can't write control character in Request.URLno goroutines (main called RZmuFRC.Goexit) - deadlock!read loop ending; caller owns writable underlying connreflect.FuncOf does not support more than 50, xrefs: 0048B355
), xrefs: 0048AB01
TypeAAAATypeAXFRUgariticWSAIoctl[signal stack=[address cgocheckcs default:durationeax ebp ebx ecx edi edx eflags eip esi esp exporterfinishedfs go1.13.8gs hijackedhttp/1.1if-matchif-rangeinfinityinvalid loca, xrefs: 0048AAB3, 0048B83F

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: $$)$AdditionalCancelIoExClassCHAOSClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMException GC forcedGOMAXPROCSGetIfEntryGetVersionGlagoliticHTTP_PROXYHost: %sIP addressKeep-AliveKharoshthiLockFileEx$AnswerArabicAugustBasic BrahmiCANCELCarianChakmaCommonCookieCopticDELETEExpectFormatFridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPADDEDPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTy$AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticFindCloseForbiddenHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundPalmyreneParseUintSamaritanSee OtherSeptemberSundaneseToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINF$ClassANYConflictContinueCyrillicDNS nameDOWNGRD$ClassCHAOSClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMException GC forcedGOMAXPROCSGetIfEntryGetVersionGlagoliticHTTP_PROXYHost: %sIP addressKeep-AliveKharoshthiLockFileExManichaeanMessage-Id$ClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMException GC forcedGOMAXPROCSGetIfEntryGetVersionGlagoliticHTTP_PROXYHost: %sIP addressKeep-AliveKharoshthiLockFileExManichaeanMessage-IdNo Content$ClassHESIODCloseHandleCookie.PathCreateFileWDeleteFileWENABLE_PUSHEND_HEADERSEarly HintsExitProcessFreeLibraryGOTRACEBACKGetFileTypeHTTPS_PROXYIdeographicIn-Reply-ToMedefaidrinMoveFileExWNetShareAddNetShareDelNew_Tai_LueOld_PersianOld_SogdianOpenProcessPRIVATE$ClassINETCuneiformDiacriticFindCloseForbiddenHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundPalmyreneParseUintSamaritanSee OtherSeptemberSundaneseToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyWSASendToWednesda$QuestionReadFileReceivedSETTINGSSHA1-RSASaturdayTagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUgariticWSAIoctl[signal stack=[address cgocheckcs default:durationeax ebp ebx ecx edi edx eflags eip esi esp expo$RCodeFormatErrorRegQueryInfoKeyWRegQueryValueExWRemoveDirectoryWSETTINGS_TIMEOUTSetFilePointerExTerminateProcessUpgrade RequiredUser-Agent: %sWww-AuthenticateZanabazar_SquareRZmuFRC stack:application/wasmbad SAN sequencebad special kindbad symbol tablecast$RCodeNameErrorREFUSED_STREAMREQUEST_METHODRegSetValueExWSetFilePointerTranslateNameWarch: 386accept-charsetallocfreetracebad allocCountbad record MACbad span statebad stack sizecontent-lengthdata truncatedfile too largefinalizer waitgcstoptheworldgetproto$RCodeNotImplementedRussia Time Zone 10Russia Time Zone 11Samoa Standard TimeService UnavailableSetTokenInformationSudan Standard TimeSwitching ProtocolsSyria Standard TimeTokyo Standard TimeTomsk Standard TimeTonga Standard TimeWaitForSingleObjectbad file desc$RCodeRefusedRCodeSuccessReadConsoleWRevertToSelfSERIALNUMBERSetEndOfFileSora_SompengSyloti_NagriTransitionalTransmitFileUnauthorizedUnlockFileExX-ImforwardsX-Powered-Byabi mismatchadvapi32.dllbad flushGenbad g statusbad g0 stackbad recoveryc ap trafficc hs tra$RCodeServerFailureRFS specific errorRegional_IndicatorRussia Time Zone 3SetFileAttributesWSystemFunction036$RCodeSuccessReadConsoleWRevertToSelfSERIALNUMBERSetEndOfFileSora_SompengSyloti_NagriTransitionalTransmitFileUnauthorizedUnlockFileExX-ImforwardsX-Powered-Byabi mismatchadvapi32.dllbad flushGenbad g statusbad g0 stackbad recoveryc ap trafficc hs trafficcaller e$TypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value addr= base code= ctxt: curg= etRx j$TypeAAAATypeAXFRUgariticWSAIoctl[signal stack=[address cgocheckcs default:durationeax ebp ebx ecx edi edx eflags eip esi esp exporterfinishedfs go1.13.8gs hijackedhttp/1.1if-matchif-rangeinfinityinvalid loca$TypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileru$TypeCNAMETypeHINFOTypeMINFOUse ProxyWSASendToWednesdayWriteFileZ07:00:00[%v = %d]analysisatomicor8bad indirbroadcastbus errorchan sendcomplex64connectexcopystackctxt != 0d.nx != 0empty urlfork/execfuncargs(image/gifimage/pnginterfaceinterruptipv6-icmplocalhos$TypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11[]byte acceptactivechan<-closedcookiedomainefenceexec: expectgopherhangupheaderip+netkilledlistenminuteobjectpopcntremovescvg: secondsecureselectserversocketsocks socks5statusstringstructsweep telnetuint16ui$TypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11[]byte acceptactivechan<-closedcookiedomainefenceexec: expectgopherhangupheaderip+netkilledlistenminuteobjectpopcntremovescvg: secondsecureselectserversocketsocks socks5statusstringstructsweep telnetuint16uint32ui$TypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptru$TypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownu$TypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererrefreshrunningserial:signal syscalltraileruintptrunknownupgradew$character string exceeds maximum length (255)context: internal error: missing cancel errorexitsyscall: syscall frame is no longer validheapBitsSetType: called with non-pointer typehttp: no Client.Transport or DefaultTransporthttp: putIdleConn: connection is in$compressed name in SRV resource datacrypto/cipher: input not full blockscrypto/rand: argument to Int is <= 0crypto/sha1: invalid hash state sizecrypto/sha512: invalid hash functionhttp: no Location header in responsehttp: unexpected EOF reading trailerinvalid $insufficient data for base length typeinternal error: unknown string type %dmakechan: invalid channel element typemime: expected slash after first tokennet/http: invalid header field name %qRZmuFRC: blocked read on free polldescRZmuFRC: sudog with non-false is$insufficient data for calculated length typemime: unexpected content after media subtypeout of memory allocating heap arena metadatareflect: funcLayout with interface receiver tls: failed to verify client's certificate: tls: invalid certificate signature algor$insufficient data for resource body lengthinvalid HTTP header value %q for header %qmix of request and response pseudo headersnon-empty mark queue after concurrent markon a locked thread with no template threadpersistentalloc: align is not a power of 2RZmuFRC:$invalid pointerkey has expiredmalloc deadlockmissing addressmissing mcache?ms: gomaxprocs=network is downno medium foundno such processnon-minimal tagrecord overflowrecovery failedRZmuFRC error: RZmuFRC.gopanicRZmuFRC: frame scan missed a gserver finishedstart$name is not in canonical format (it must end with a .)net/http: can't write control character in Request.URLno goroutines (main called RZmuFRC.Goexit) - deadlock!read loop ending; caller owns writable underlying connreflect.FuncOf does not support more than 50$nil resource bodyno data availablenotetsleepg on g0permission deniedreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of RZmuFRC.newosprocRZmuFRC: a.base= RZmuFRC: b.base= RZmuFRC: nameOff RZmuFRC: next_gc=RZmuFRC: pointer RZmuFRC: textOff RZmuF$parsing/packing of this section has completedreflect: internal error: invalid method indexreflect: nil type passed to Type.AssignableToRZmuFRC: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected ren$parsing/packing of this type isn't available yetRZmuFRC: waitforsingleobject unexpected; result=RZmuFRC: waitforsingleobject wait_failed; errno=slice bounds out of range [:%x] with capacity %ystrconv: illegal AppendFloat/FormatFloat bitSizesyscall: string with$resource length too longrunqsteal: runq overflowRZmuFRC: VirtualFree of RZmuFRC: found obj at *(span has no free objectsstack trace unavailablestreamSafe was not resetstructure needs cleaningtext/html; charset=utf-8unexpected buffer len=%v bytes failed with e$segment length too longspan has no free stacksstack growth after forksyntax error in patternsystem huge page size (text/css; charset=utf-8text/xml; charset=utf-8time: invalid duration tls: invalid PSK bindertoo many pointers (>10)truncated tag or lengthunexpec$segment prefix is reservedstartlockedm: locked to mestopped after 10 redirectstoo many colons in addresstruncated base 128 integerunexpected type in connectx509: invalid simple chain is not assignable to type 363797880709171295166015625AddVectoredContinueHandl$too many Additionals to pack (>65535)too many Authorities to pack (>65535)unexpected CONTINUATION for stream %dvalue too large for defined data typex509: RSA key missing NULL parameters111022302462515654042363166809082031255551115123125782702118158340454101562$too many Answers to pack (>65535)too many levels of symbolic linkstreap insert finds a broken treapunsupported transfer encoding: %qwaiting for unsupported file type%s %q is excluded by constraint %q3552713678800500929355621337890625: day-of-year does not matc$too many Authorities to pack (>65535)unexpected CONTINUATION for stream %dvalue too large for defined data typex509: RSA key missing NULL parameters1110223024625156540423631668090820312555511151231257827021181583404541015625Unable to determine system directory$too many Questions to pack (>65535)traceback did not unwind completelytransform: short destination buffertransport endpoint is not connectedx509: decryption password incorrectx509: wrong Ed25519 public key size LastStreamID=%v ErrCode=%v Debug=%qMWPOhDPhHPxJQx$too many pointers (>10)truncated tag or lengthunexpected address typeunknown error code 0x%xunsupported certificatevarint integer overflowwork.nwait > work.nproc116415321826934814453125582076609134674072265625Azerbaijan Standard TimeBangladesh Standard TimeCap$zero length segment markroot jobs done to unallocated span%%!%c(*big.Float=%s)37252902984619140625Arabic Standard TimeAzores Standard TimeCertOpenSystemStoreWCreateProcessAsUserWCryptAcquireContextWEgyptian_HieroglyphsGetAcceptExSockaddrsGetAdaptersAddressesG
API String ID: 0-3093411646
Opcode ID: a07bb64727b9209c736b848f0366abc6ded85475a85463964ca08148a195eb98
Instruction ID: 390146d29ac929b496d42a7ea256fef061ba0daa3835111001d477e736bd5b5f
Opcode Fuzzy Hash: a07bb64727b9209c736b848f0366abc6ded85475a85463964ca08148a195eb98
Instruction Fuzzy Hash: F69204B8109705DFD304EF15D991A5ABBF1FB88744F40982FE89983361E778A948CF86

Function 004B0EA0 Relevance: 54.0, Strings: 40, Instructions: 4029COMMON

Download Yara Rule

Strings

Anatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCentral Standard TimeEastern Standard TimeFloat.SetFloat64(NaN)GetProfilesDirectoryWInscriptional_PahlaviInternal Server ErrorLookupPrivilegeValueWMagadan Standard TimeMorocco Standard TimeMyanmar , xrefs: 004B18FC
", xrefs: 004B43DC
DevanagariDnsQuery_WECDSA-SHA1END_STREAMException GC forcedGOMAXPROCSGetIfEntryGetVersionGlagoliticHTTP_PROXYHost: %sIP addressKeep-AliveKharoshthiLockFileExManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOther_MathPOSTALCODEParseFloatPhoenician, xrefs: 004B2028
Bidi_ControlCIDR addressCONTINUATIONContent TypeContent-TypeCookie.ValueECDSA-SHA256ECDSA-SHA384ECDSA-SHA512FindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetStdHandleGetTempPathWI'm a teapotJoin_ControlLoadLibraryWMax-ForwardsMeetei_MayekMime-Ver, xrefs: 004B401A
Other_Default_Ignorable_Code_PointSetFileCompletionNotificationModesTLS 1.3, client CertificateVerify, xrefs: 004B43D2
Variation_Selectorbad Content-Lengthbad manualFreeListbufio: buffer fullconnection refusedcontext.Backgrounddecoding error: %vfile name too longflag redefined: %sforEachP: not donegarbage collectionhttp: no such fileidentifier removedindex out of rangeinput/ou, xrefs: 004B489A
Imperial_AramaicMeroitic_CursiveMultiple ChoicesNetApiBufferFreeOpenProcessTokenOther_AlphabeticPayment RequiredProxy-ConnectionRCodeFormatErrorRegQueryInfoKeyWRegQueryValueExWRemoveDirectoryWSETTINGS_TIMEOUTSetFilePointerExTerminateProcessUpgrade RequiredUser, xrefs: 004B25BC
Prepended_Concatenation_MarkTransfer-Encoding: chunked[originating from goroutine asn1: string not valid UTF-8can't preserve unlinked spancomparing uncomparable type crypto/rsa: decryption errordestination address requiredfatal: morestack on gsignalfile des, xrefs: 004B4636
DuployanEthiopicExtenderFebruaryFullPathGeorgianGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BLocationMahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYParseIntPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASaturdayTagb, xrefs: 004B20B0
Regional_IndicatorRussia Time Zone 3SetFileAttributesWSystemFunction036, xrefs: 004B4702
DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMException GC forcedGOMAXPROCSGetIfEntryGetVersionGlagoliticHTTP_PROXYHost: %sIP addressKeep-AliveKharoshthiLockFileExManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOther_MathPOSTALCODEParseFloat, xrefs: 004B40A2
Zanabazar_SquareRZmuFRC stack:application/wasmbad SAN sequencebad special kindbad symbol tablecastogscanstatuscontent-encodingcontent-languagecontent-locationcontext canceleddivision by zerogc: unswept spangcshrinkstackoffhost unreachableinteger overflowinva, xrefs: 004B3F80
ArabicAugustBasic BrahmiCANCELCarianChakmaCommonCookieCopticDELETEExpectFormatFridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPADDEDPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTy, xrefs: 004B1940
SiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidl, xrefs: 004B3854
SaurashtraSet-CookieUser-AgentWSACleanupWSASocketWWSAStartupatomicand8casgstatuscomplex128connectiondnsapi.dllexitThreadexp mastergetsockoptgoroutine http_proxyimage/jpegimage/webpinvalidptrkeep-alivemSpanInUseowner diedres binderres masterresumptionRZmuFRC: g, xrefs: 004B3788
Meetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWRevertToSelfSERIALNUMBERSetEndOfFileSora_SompengSyloti_NagriTransitionalTransmitFileUnauthorizedUnlockFileExX-ImforwardsX-Powered-Byabi mism, xrefs: 004B2DB4
Other_Grapheme_ExtendPacific Standard TimePrecondition RequiredReadDirectoryChangesWRomance Standard TimeRoundTrip failure: %vRussian Standard TimeSE Asia Standard TimeSaratov Standard TimeUNKNOWN_FRAME_TYPE_%dUnhandled Setting: %vYakutsk Standard Timebad type, xrefs: 004B4416
IdeographicIn-Reply-ToMedefaidrinMoveFileExWNetShareAddNetShareDelNew_Tai_LueOld_PersianOld_SogdianOpenProcessPRIVATE KEYPau_Cin_HauRegCloseKeyReturn-PathSYSTEMROOT=SetFileTimeSignWritingSoft_DottedTESTING KEYTTL expiredVirtualLockWSARecvFromWarang_CitiWhite_S, xrefs: 004B427E
Bassa_VahBhaiksukiClassINETCuneiformDiacriticFindCloseForbiddenHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundPalmyreneParseUintSamaritanSee OtherSeptemberSundaneseToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse Prox, xrefs: 004B1A94
Logical_Order_ExceptionLord Howe Standard TimeMB during sweep; swept Marquesas Standard TimeMauritius Standard TimeNoncharacter_Code_PointSERVER_TRAFFIC_SECRET_0SetEnvironmentVariableWSingapore Standard TimeSri Lanka Standard TimeTocantins Standard TimeVariant, xrefs: 004B4306
AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdir, xrefs: 004B1874
Old_North_ArabianOld_South_ArabianOther_ID_ContinueRegLoadMUIStringWSentence_TerminalToo Many RequestsTransfer-EncodingUnified_IdeographWSAEnumProtocolsWX-Idempotency-Keybad TinySizeClassdecryption failedentersyscallblockexec format errorexec: not startedfract, xrefs: 004B32C0
Pattern_White_SpacePrecondition FailedProxy-AuthorizationRCodeNotImplementedRussia Time Zone 10Russia Time Zone 11Samoa Standard TimeService UnavailableSetTokenInformationSudan Standard TimeSwitching ProtocolsSyria Standard TimeTokyo Standard TimeTomsk Standar, xrefs: 004B45F2
Canadian_AboriginalChina Standard TimeConnection: closeCreateSymbolicLinkWCryptAcquireContextCryptReleaseContextEgypt Standard TimeGetCurrentProcessIdGetSystemDirectoryWGetTokenInformationHaiti Standard TimeIDS_Binary_OperatorINADEQUATE_SECURITYINITIAL_WINDO, xrefs: 004B1CF8
Egyptian_HieroglyphsGetAcceptExSockaddrsGetAdaptersAddressesGetCurrentDirectoryWGetFileAttributesExWGetProcessMemoryInfoIDS_Trinary_OperatorInsufficient StorageIsrael Standard TimeJordan Standard TimeMAX_HEADER_LIST_SIZEMeroitic_HieroglyphsRequest URI Too Long, xrefs: 004B20F4
Gunjala_GondiIf-None-MatchLast-ModifiedLoop DetectedMapViewOfFileMasaram_GondiMende_KikakuiNewFloat(NaN)Old_HungarianRegDeleteKeyWRegEnumKeyExWRegEnumValueWRegOpenKeyExWReset ContentRoundingMode(SHA256-RSAPSSSHA384-RSAPSSSHA512-RSAPSSSTREAM_CLOSEDUsage of %s:, xrefs: 004B2358
Other_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWQuotation_MarkRCodeNameErrorREFUSED_STREAMREQUEST_METHODRegSetValueExWSetFilePointerTranslateNameWarch: 386accept-charsetallocfreetracebad allocCountbad record MACbad span statebad stack sizecontent-, xrefs: 004B449E
Caucasian_AlbanianCommandLineToArgvWCreateFileMappingWCuba Standard TimeExpectation FailedFLOW_CONTROL_ERRORFiji Standard TimeGetComputerNameExWGetExitCodeProcessGetFileAttributesWGetModuleFileNameWFYCQrUakUBwkJEwHkxHuFxJigopDrHCcmNNXIran Standard TimeLookupAc, xrefs: 004B1D80
Hanifi_RohingyaIdempotency-KeyImpersonateSelfLength RequiredLoadLibraryExA, xrefs: 004B2468
Psalter_PahlaviRegCreateKeyExWRegDeleteValueWRequest TimeoutUnmapViewOfFileX-Forwarded-For]morebuf={pc:accept-encodingaccept-languageadvertise errorapplication/pdfbad certificatebad debugCallV1bad trailer keyclient finishedforce gc (idle)invalid booleaninval, xrefs: 004B3678
ArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCyrillicDNS nameDOWNGRD, xrefs: 004B1984
CDEFGHIJKLMNOPQRSTUVWXYZ["\, xrefs: 004B0ED2
ASCII_Hex_DigitAccept-EncodingAccept-LanguageBelowExactAboveCreateHardLinkWDeviceIoControlDuplicateHandleFailed to find Failed to load FlushViewOfFileGateway TimeoutGetAdaptersInfoGetCommandLineWGetProcessTimesGetStartupInfoWHanifi_RohingyaIdempotency-KeyImper, xrefs: 004B3FD6
Tai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUgariticWSAIoctl[signal stack=[address cgocheckcs default:durationeax ebp ebx ecx edi edx eflags eip esi esp exporterfinishedfs go1.13.8gs hijackedhttp/1.1if-m, xrefs: 004B3B84
Terminal_PunctuationTurkey Standard TimeUnprocessable Entityasn1: syntax error: bad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection error: %sconnection timed out, xrefs: 004B4812
Inscriptional_ParthianMAX_CONCURRENT_STREAMSMountain Standard TimeNtWaitForSingleObject, xrefs: 004B2688
AhomAtoiCESTChamDATADashDateEESTEtagFromGOGCGoneHEADHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTSASTStatThaiWESTm=] n=asn1avx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandatedeaddialermsetagfilefromftpsfuncgziphosthourhttpicmpidleigmpint8kindlinknone, xrefs: 004B18B8
Other_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviRegCreateKeyExWRegDeleteValueWRequest TimeoutUnmapViewOfFileX-Forwarded-For]morebuf={pc:accept-encodingaccept-languageadvertise errorapplication/pdfbad certificatebad debugCallV1bad t, xrefs: 004B44E2
MedefaidrinMoveFileExWNetShareAddNetShareDelNew_Tai_LueOld_PersianOld_SogdianOpenProcessPRIVATE KEYPau_Cin_HauRegCloseKeyReturn-PathSYSTEMROOT=SetFileTimeSignWritingSoft_DottedTESTING KEYTTL expiredVirtualLockWSARecvFromWarang_CitiWhite_Spacehostname: peName, xrefs: 004B2D70
AvestanBengaliBrailleCONNECTChanDirCookie2CopySidCreatedCypriotDeseretEd25519ElbasanExpiresGODEBUGGranthaHEADERSHanunooIM UsedIO waitJanuaryKannadaMD2-RSAMD5-RSAMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalReaddirRefererSharadaS, xrefs: 004B19C8

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: "$ASCII_Hex_DigitAccept-EncodingAccept-LanguageBelowExactAboveCreateHardLinkWDeviceIoControlDuplicateHandleFailed to find Failed to load FlushViewOfFileGateway TimeoutGetAdaptersInfoGetCommandLineWGetProcessTimesGetStartupInfoWHanifi_RohingyaIdempotency-KeyImper$AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdir$AhomAtoiCESTChamDATADashDateEESTEtagFromGOGCGoneHEADHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTSASTStatThaiWESTm=] n=asn1avx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandatedeaddialermsetagfilefromftpsfuncgziphosthourhttpicmpidleigmpint8kindlinknone$Anatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCentral Standard TimeEastern Standard TimeFloat.SetFloat64(NaN)GetProfilesDirectoryWInscriptional_PahlaviInternal Server ErrorLookupPrivilegeValueWMagadan Standard TimeMorocco Standard TimeMyanmar $ArabicAugustBasic BrahmiCANCELCarianChakmaCommonCookieCopticDELETEExpectFormatFridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPADDEDPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTy$ArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCyrillicDNS nameDOWNGRD$AvestanBengaliBrailleCONNECTChanDirCookie2CopySidCreatedCypriotDeseretEd25519ElbasanExpiresGODEBUGGranthaHEADERSHanunooIM UsedIO waitJanuaryKannadaMD2-RSAMD5-RSAMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalReaddirRefererSharadaS$Bassa_VahBhaiksukiClassINETCuneiformDiacriticFindCloseForbiddenHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundPalmyreneParseUintSamaritanSee OtherSeptemberSundaneseToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse Prox$Bidi_ControlCIDR addressCONTINUATIONContent TypeContent-TypeCookie.ValueECDSA-SHA256ECDSA-SHA384ECDSA-SHA512FindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetStdHandleGetTempPathWI'm a teapotJoin_ControlLoadLibraryWMax-ForwardsMeetei_MayekMime-Ver$CDEFGHIJKLMNOPQRSTUVWXYZ["\$Canadian_AboriginalChina Standard TimeConnection: closeCreateSymbolicLinkWCryptAcquireContextCryptReleaseContextEgypt Standard TimeGetCurrentProcessIdGetSystemDirectoryWGetTokenInformationHaiti Standard TimeIDS_Binary_OperatorINADEQUATE_SECURITYINITIAL_WINDO$Caucasian_AlbanianCommandLineToArgvWCreateFileMappingWCuba Standard TimeExpectation FailedFLOW_CONTROL_ERRORFiji Standard TimeGetComputerNameExWGetExitCodeProcessGetFileAttributesWGetModuleFileNameWFYCQrUakUBwkJEwHkxHuFxJigopDrHCcmNNXIran Standard TimeLookupAc$DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMException GC forcedGOMAXPROCSGetIfEntryGetVersionGlagoliticHTTP_PROXYHost: %sIP addressKeep-AliveKharoshthiLockFileExManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOther_MathPOSTALCODEParseFloat$DevanagariDnsQuery_WECDSA-SHA1END_STREAMException GC forcedGOMAXPROCSGetIfEntryGetVersionGlagoliticHTTP_PROXYHost: %sIP addressKeep-AliveKharoshthiLockFileExManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOther_MathPOSTALCODEParseFloatPhoenician$DuployanEthiopicExtenderFebruaryFullPathGeorgianGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BLocationMahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYParseIntPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASaturdayTagb$Egyptian_HieroglyphsGetAcceptExSockaddrsGetAdaptersAddressesGetCurrentDirectoryWGetFileAttributesExWGetProcessMemoryInfoIDS_Trinary_OperatorInsufficient StorageIsrael Standard TimeJordan Standard TimeMAX_HEADER_LIST_SIZEMeroitic_HieroglyphsRequest URI Too Long$Gunjala_GondiIf-None-MatchLast-ModifiedLoop DetectedMapViewOfFileMasaram_GondiMende_KikakuiNewFloat(NaN)Old_HungarianRegDeleteKeyWRegEnumKeyExWRegEnumValueWRegOpenKeyExWReset ContentRoundingMode(SHA256-RSAPSSSHA384-RSAPSSSHA512-RSAPSSSTREAM_CLOSEDUsage of %s:$Hanifi_RohingyaIdempotency-KeyImpersonateSelfLength RequiredLoadLibraryExA$IdeographicIn-Reply-ToMedefaidrinMoveFileExWNetShareAddNetShareDelNew_Tai_LueOld_PersianOld_SogdianOpenProcessPRIVATE KEYPau_Cin_HauRegCloseKeyReturn-PathSYSTEMROOT=SetFileTimeSignWritingSoft_DottedTESTING KEYTTL expiredVirtualLockWSARecvFromWarang_CitiWhite_S$Imperial_AramaicMeroitic_CursiveMultiple ChoicesNetApiBufferFreeOpenProcessTokenOther_AlphabeticPayment RequiredProxy-ConnectionRCodeFormatErrorRegQueryInfoKeyWRegQueryValueExWRemoveDirectoryWSETTINGS_TIMEOUTSetFilePointerExTerminateProcessUpgrade RequiredUser$Inscriptional_ParthianMAX_CONCURRENT_STREAMSMountain Standard TimeNtWaitForSingleObject$Logical_Order_ExceptionLord Howe Standard TimeMB during sweep; swept Marquesas Standard TimeMauritius Standard TimeNoncharacter_Code_PointSERVER_TRAFFIC_SECRET_0SetEnvironmentVariableWSingapore Standard TimeSri Lanka Standard TimeTocantins Standard TimeVariant$MedefaidrinMoveFileExWNetShareAddNetShareDelNew_Tai_LueOld_PersianOld_SogdianOpenProcessPRIVATE KEYPau_Cin_HauRegCloseKeyReturn-PathSYSTEMROOT=SetFileTimeSignWritingSoft_DottedTESTING KEYTTL expiredVirtualLockWSARecvFromWarang_CitiWhite_Spacehostname: peName$Meetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWRevertToSelfSERIALNUMBERSetEndOfFileSora_SompengSyloti_NagriTransitionalTransmitFileUnauthorizedUnlockFileExX-ImforwardsX-Powered-Byabi mism$Old_North_ArabianOld_South_ArabianOther_ID_ContinueRegLoadMUIStringWSentence_TerminalToo Many RequestsTransfer-EncodingUnified_IdeographWSAEnumProtocolsWX-Idempotency-Keybad TinySizeClassdecryption failedentersyscallblockexec format errorexec: not startedfract$Other_Default_Ignorable_Code_PointSetFileCompletionNotificationModesTLS 1.3, client CertificateVerify$Other_Grapheme_ExtendPacific Standard TimePrecondition RequiredReadDirectoryChangesWRomance Standard TimeRoundTrip failure: %vRussian Standard TimeSE Asia Standard TimeSaratov Standard TimeUNKNOWN_FRAME_TYPE_%dUnhandled Setting: %vYakutsk Standard Timebad type$Other_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWQuotation_MarkRCodeNameErrorREFUSED_STREAMREQUEST_METHODRegSetValueExWSetFilePointerTranslateNameWarch: 386accept-charsetallocfreetracebad allocCountbad record MACbad span statebad stack sizecontent-$Other_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviRegCreateKeyExWRegDeleteValueWRequest TimeoutUnmapViewOfFileX-Forwarded-For]morebuf={pc:accept-encodingaccept-languageadvertise errorapplication/pdfbad certificatebad debugCallV1bad t$Pattern_White_SpacePrecondition FailedProxy-AuthorizationRCodeNotImplementedRussia Time Zone 10Russia Time Zone 11Samoa Standard TimeService UnavailableSetTokenInformationSudan Standard TimeSwitching ProtocolsSyria Standard TimeTokyo Standard TimeTomsk Standar$Prepended_Concatenation_MarkTransfer-Encoding: chunked[originating from goroutine asn1: string not valid UTF-8can't preserve unlinked spancomparing uncomparable type crypto/rsa: decryption errordestination address requiredfatal: morestack on gsignalfile des$Psalter_PahlaviRegCreateKeyExWRegDeleteValueWRequest TimeoutUnmapViewOfFileX-Forwarded-For]morebuf={pc:accept-encodingaccept-languageadvertise errorapplication/pdfbad certificatebad debugCallV1bad trailer keyclient finishedforce gc (idle)invalid booleaninval$Regional_IndicatorRussia Time Zone 3SetFileAttributesWSystemFunction036$SaurashtraSet-CookieUser-AgentWSACleanupWSASocketWWSAStartupatomicand8casgstatuscomplex128connectiondnsapi.dllexitThreadexp mastergetsockoptgoroutine http_proxyimage/jpegimage/webpinvalidptrkeep-alivemSpanInUseowner diedres binderres masterresumptionRZmuFRC: g$SiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidl$Tai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUgariticWSAIoctl[signal stack=[address cgocheckcs default:durationeax ebp ebx ecx edi edx eflags eip esi esp exporterfinishedfs go1.13.8gs hijackedhttp/1.1if-m$Terminal_PunctuationTurkey Standard TimeUnprocessable Entityasn1: syntax error: bad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection error: %sconnection timed out$Variation_Selectorbad Content-Lengthbad manualFreeListbufio: buffer fullconnection refusedcontext.Backgrounddecoding error: %vfile name too longflag redefined: %sforEachP: not donegarbage collectionhttp: no such fileidentifier removedindex out of rangeinput/ou$Zanabazar_SquareRZmuFRC stack:application/wasmbad SAN sequencebad special kindbad symbol tablecastogscanstatuscontent-encodingcontent-languagecontent-locationcontext canceleddivision by zerogc: unswept spangcshrinkstackoffhost unreachableinteger overflowinva
API String ID: 0-1616769575
Opcode ID: 3f6f5febbe279a1e040d1fc45def8c4f3cfdb2386a298297c798bd5035bb0d8c
Instruction ID: 3d36e647c46eb361ba53b2a2ee475ba70da337b85f2516aa4fe49b5ba8878c39
Opcode Fuzzy Hash: 3f6f5febbe279a1e040d1fc45def8c4f3cfdb2386a298297c798bd5035bb0d8c
Instruction Fuzzy Hash: B3931475209746CFC308DF25D48069ABBF1BF98708F51982FE89A93351E778A908CF56

Function 00445850 Relevance: 25.0, Strings: 19, Instructions: 1286COMMON

Download Yara Rule

Strings

gentraceback callback cannot be used with non-zero skipnet/http: invalid byte %q in %s; dropping invalid bytesnet/http: request canceled while waiting for connectionnewproc: function arguments too large for new goroutineos: invalid use of WriteAt on file opene, xrefs: 00446EEA
RZmuFRC.gopanicRZmuFRC: frame scan missed a gserver finishedstartm: m has pstopm holding punexpected typeunknown Go typeunknown networkunknown versionwrite error: %v already; errno= mheap.sweepgen= not in ranges: t.span.base()= untyped locals %s %s HTTP/1.1, xrefs: 0044618D
top= u_a= u_g=%s %q%s*%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256, xrefs: 00446D54
7, xrefs: 00446EF3
: frame.sp=; Max-Age=0Bad GatewayBad RequestClassHESIODCloseHandleCookie.PathCreateFileWDeleteFileWENABLE_PUSHEND_HEADERSEarly HintsExitProcessFreeLibraryGOTRACEBACKGetFileTypeHTTPS_PROXYIdeographicIn-Reply-ToMedefaidrinMoveFileExWNetShareAddNetShareDelNew_Tai, xrefs: 00446D2A
, ..., fp:-0930.html.jpeg.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefault, xrefs: 00445F5A
called from flushedWork gcscanvalid heap_marked= idlethreads= in duration in host name is nil, not nStackRoots= out of range s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625:UseSTD3Rules, xrefs: 00446967
max= ptr siz= tab= top= u_a= u_g=%s %q%s*%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOgham, xrefs: 00446E1E
traceback did not unwind completelytransform: short destination buffertransport endpoint is not connectedx509: decryption password incorrectx509: wrong Ed25519 public key size LastStreamID=%v ErrCode=%v Debug=%qMWPOhDPhHPxJQxCeruTiIVmAwwnQUgYgIFvmJjtfATMTSIHtI, xrefs: 00446E54
fp= is lr: of on pc= sp: sp=$pid%x><) = ) m=+Inf+inf, n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.xml0x%x10803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDATADashDateEESTEtagFromGOGCGoneHEADHostJulyJuneLisuMiaoModiNZDTNZSTNewa, xrefs: 00446059
stack=[address cgocheckcs default:durationeax ebp ebx ecx edi edx eflags eip esi esp exporterfinishedfs go1.13.8gs hijackedhttp/1.1if-matchif-rangeinfinityinvalid locationloopbackno anodeno-cacheno_proxyopen, xrefs: 00446DA1
()*+,-./023456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\, xrefs: 00445EAB
RZmuFRC: unexpected return pc for schedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]stream error: stream ID %d; %v; %vtimeout waiting for client prefacetls: invalid certificate signaturetls: malformed key_sha, xrefs: 0044693A
RZmuFRC: unknown pc semaRoot rotateRighttime: invalid numbertrace: out of memoryunexpected network: unknown address typewirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found gp.gcscanvalid=true of unexported method previous allocCou, xrefs: 00446BF5
unknown caller pcwait for GC cyclewine_get_version, xrefs: 00446EA8
] n=asn1avx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandatedeaddialermsetagfilefromftpsfuncgziphosthourhttpicmpidleigmpint8kindlinknoneopenpathpipepop3quitreadsbrksmtpsse2sse3tag:tcp4tcp6trueudp6uintunixvaryxn-- -%s ... H_T= H_a= H_g= MB, W_a= and , xrefs: 00446DF5
RZmuFRC: gschedtracesemacquireset-cookiesetsockoptsocks bindterminatedtracefree(tracegc()unixpacketunknown pcuser-agentws2_32.dll of size (targetpc= ErrCode=%v a.npages= b.npages= gcwaiting= gp.status= heap_live= idleprocs= in status m->mcache= mallocin, xrefs: 00446D00
gentraceback cannot trace user goroutine on its own stackhttp: Request.RequestURI can't be set in client requests.received record with version %x when expecting version %xRZmuFRC:stoplockedm: g is not Grunnable or Gscanrunnablesync: WaitGroup misuse: Add call, xrefs: 00446ED4
panicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value addr= base code= ctxt: curg= etRx jobs= list= m->p= next= p->m= prev= span=(...), not , val 390625<-chanAcceptAnswerArabicAugustBasic BrahmiCANCELCarianCh, xrefs: 004461A9

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: stack=[address cgocheckcs default:durationeax ebp ebx ecx edi edx eflags eip esi esp exporterfinishedfs go1.13.8gs hijackedhttp/1.1if-matchif-rangeinfinityinvalid locationloopbackno anodeno-cacheno_proxyopen$ called from flushedWork gcscanvalid heap_marked= idlethreads= in duration in host name is nil, not nStackRoots= out of range s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625:UseSTD3Rules$ fp= is lr: of on pc= sp: sp=$pid%x><) = ) m=+Inf+inf, n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.xml0x%x10803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDATADashDateEESTEtagFromGOGCGoneHEADHostJulyJuneLisuMiaoModiNZDTNZSTNewa$ max= ptr siz= tab= top= u_a= u_g=%s %q%s*%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOgham$ top= u_a= u_g=%s %q%s*%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256$()*+,-./023456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\$, ..., fp:-0930.html.jpeg.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefault$7$: frame.sp=; Max-Age=0Bad GatewayBad RequestClassHESIODCloseHandleCookie.PathCreateFileWDeleteFileWENABLE_PUSHEND_HEADERSEarly HintsExitProcessFreeLibraryGOTRACEBACKGetFileTypeHTTPS_PROXYIdeographicIn-Reply-ToMedefaidrinMoveFileExWNetShareAddNetShareDelNew_Tai$RZmuFRC.gopanicRZmuFRC: frame scan missed a gserver finishedstartm: m has pstopm holding punexpected typeunknown Go typeunknown networkunknown versionwrite error: %v already; errno= mheap.sweepgen= not in ranges: t.span.base()= untyped locals %s %s HTTP/1.1$RZmuFRC: gschedtracesemacquireset-cookiesetsockoptsocks bindterminatedtracefree(tracegc()unixpacketunknown pcuser-agentws2_32.dll of size (targetpc= ErrCode=%v a.npages= b.npages= gcwaiting= gp.status= heap_live= idleprocs= in status m->mcache= mallocin$RZmuFRC: unexpected return pc for schedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]stream error: stream ID %d; %v; %vtimeout waiting for client prefacetls: invalid certificate signaturetls: malformed key_sha$RZmuFRC: unknown pc semaRoot rotateRighttime: invalid numbertrace: out of memoryunexpected network: unknown address typewirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found gp.gcscanvalid=true of unexported method previous allocCou$] n=asn1avx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandatedeaddialermsetagfilefromftpsfuncgziphosthourhttpicmpidleigmpint8kindlinknoneopenpathpipepop3quitreadsbrksmtpsse2sse3tag:tcp4tcp6trueudp6uintunixvaryxn-- -%s ... H_T= H_a= H_g= MB, W_a= and $gentraceback callback cannot be used with non-zero skipnet/http: invalid byte %q in %s; dropping invalid bytesnet/http: request canceled while waiting for connectionnewproc: function arguments too large for new goroutineos: invalid use of WriteAt on file opene$gentraceback cannot trace user goroutine on its own stackhttp: Request.RequestURI can't be set in client requests.received record with version %x when expecting version %xRZmuFRC:stoplockedm: g is not Grunnable or Gscanrunnablesync: WaitGroup misuse: Add call$panicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value addr= base code= ctxt: curg= etRx jobs= list= m->p= next= p->m= prev= span=(...), not , val 390625<-chanAcceptAnswerArabicAugustBasic BrahmiCANCELCarianCh$traceback did not unwind completelytransform: short destination buffertransport endpoint is not connectedx509: decryption password incorrectx509: wrong Ed25519 public key size LastStreamID=%v ErrCode=%v Debug=%qMWPOhDPhHPxJQxCeruTiIVmAwwnQUgYgIFvmJjtfATMTSIHtI$unknown caller pcwait for GC cyclewine_get_version
API String ID: 0-593783710
Opcode ID: c8f61b90f68e36cc8c2d9b14ad82ac0cd085abfcab502b401276cea079f969e1
Instruction ID: e65b36b4053c73a53c96dadcf1b2e60e03b4e6029cc828c0e850b95196cef500
Opcode Fuzzy Hash: c8f61b90f68e36cc8c2d9b14ad82ac0cd085abfcab502b401276cea079f969e1
Instruction Fuzzy Hash: AED216746087918FE764DF29C08069FBBE1BF89304F55891EE8C887342DB78A945CB97

Function 0051AFF0 Relevance: 24.0, Strings: 14, Instructions: 6494
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}o, xrefs: 0051ED1C
}o, xrefs: 0051EED8
}o, xrefs: 0051F186
}o, xrefs: 0052030F
}o, xrefs: 00521D0B
}o, xrefs: 00520403
}o, xrefs: 0051F092
}o, xrefs: 00521496
}o, xrefs: 0051EFB3
}o, xrefs: 0051EDFC
}o, xrefs: 00520077
}o, xrefs: 00520234
}o, xrefs: 00520157
}o, xrefs: 005204F7

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: }o$}o$}o$}o$}o$}o$}o$}o$}o$}o$}o$}o$}o$}o
API String ID: 0-3741111851
Opcode ID: 556ba710a6909e95a6e84774cf5f05a04822c5ce88ab5a7839f5041473a735db
Instruction ID: 437a3e6303599c571024139b5b767194deca5311f49f9b41ce3973f9a6cb98dc
Opcode Fuzzy Hash: 556ba710a6909e95a6e84774cf5f05a04822c5ce88ab5a7839f5041473a735db
Instruction Fuzzy Hash: 35E3B071A0C7948FD378CF1DC98079AFBE2AFC8204F598A2EC58C97355DA7468158F86

Function 00508A50 Relevance: 23.8, Strings: 17, Instructions: 2545COMMON

Download Yara Rule

Strings

explicit tag has no childhttp2: Framer %p: read %vhttp2: invalid header: %vhttp2: unsupported schemeinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfaceinvalid object identifierinvalid proxy URL port %qinvalid username/passwordmissing st, xrefs: 0050B79C
struct contains unexported fieldssync: RUnlock of unlocked RWMutextls: Ed25519 verification failuretls: failed to write to key log: tls: invalid client finished hashtls: invalid server finished hashtls: unexpected ServerKeyExchangetoo many Answers to pack (>65, xrefs: 0050A0FD
unsupported: user canceledvalue method xadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit.WithDeadline(1907348632812595367431640625: extra text: ; SameSite=Lax, xrefs: 00509D3B
b, xrefs: 0050A4B6, 0050A583
zero length explicit tag was not an asn1.Flagbytes.Reader.UnreadByte: at beginning of slicecipher.NewCTR: IV length must equal block sizecipher.newCFB: IV length must equal block sizefirst path segment in URL cannot contain colonhttp2: Transport creating clien, xrefs: 00509540
sequence truncatedstreams pipe errorsystem page size (tracebackancestorstruncated sequenceunexpected messageuse of closed filevalue out of range (%d bytes omitted) already registered called using nil *, g->atomicstatus=, gp->atomicstatus=, physHugePageSize=14, xrefs: 00508B1B
%, xrefs: 0050B77C
explicitly tagged member didn't matchinternal error: unknown network type reflect.Value.Bytes of non-byte slicereflect.Value.Bytes of non-rune slicereflect: Bits of non-arithmetic Type RZmuFRC: allocation size out of rangeRZmuFRC: failed mSpanList.insertBack s, xrefs: 0050B773
unknown Go type: %vunknown certificateunknown cipher typeunknown status codeunknown wait reasonwinmm.dll not foundx509: unknown errorzero length segment markroot jobs done to unallocated span%%!%c(*big.Float=%s)37252902984619140625Arabic Standard TimeAzores S, xrefs: 0050B5E7
invalid booleaninvalid paddinginvalid pointerkey has expiredmalloc deadlockmissing addressmissing mcache?ms: gomaxprocs=network is downno medium foundno such processnon-minimal tagrecord overflowrecovery failedRZmuFRC error: RZmuFRC.gopanicRZmuFRC: frame scan , xrefs: 00509B2E, 00509B63
internal error: unknown string type %dmakechan: invalid channel element typemime: expected slash after first tokennet/http: invalid header field name %qRZmuFRC: blocked read on free polldescRZmuFRC: sudog with non-false isSelecttime: missing Location in call t, xrefs: 00509E0B
invalid padding bits in BIT STRINGmspan.ensureSwept: m is not lockedout of memory allocating allArenasreflect.FuncOf: too many argumentsreflect: Field index out of boundsreflect: Method index out of rangereflect: string index out of rangeRZmuFRC.SetFinalizer: , xrefs: 00508DFA, 0050ADB8
asn1: invalid UTF-8 stringbase 128 integer too largebidirule: failed Bidi Rulechacha20: counter overflowcorrupted semaphore ticketcryptobyte: internal errorduplicate pseudo-header %qentersyscall inconsistent failed to find ConnectEx: forEachP: P did not run fn, xrefs: 0050906B, 00509FBE
data truncatedfile too largefinalizer waitgcstoptheworldgetprotobynameinternal errorinvalid syntaxis a directorylevel 2 haltedlevel 3 haltedmemprofilerateneed more datanil elem type!no module datano such deviceprotocol errorRZmuFRC: base=RZmuFRC: full=s.allocC, xrefs: 005093A3, 0050B404
asn1avx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandatedeaddialermsetagfilefromftpsfuncgziphosthourhttpicmpidleigmpint8kindlinknoneopenpathpipepop3quitreadsbrksmtpsse2sse3tag:tcp4tcp6trueudp6uintunixvaryxn-- -%s ... H_T= H_a= H_g= MB, W_a= and h_a, xrefs: 0050A3D3
zero length BIT STRING) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCLIENT_TRAFFIC_SECRET_0CertGetCertificateChainDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeFreeEnvi, xrefs: 00508F09, 0050AF7E
tags don't match (%d vs %+v) %+v %s @%dtls: internal error: wrong nonce lengthtls: unsupported certificate curve (%s)transport endpoint is already connectedusername/password authentication failedx509: failed to parse URI constraint %qx509: invalid NameConstrai, xrefs: 0050996B

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: b$%$asn1: invalid UTF-8 stringbase 128 integer too largebidirule: failed Bidi Rulechacha20: counter overflowcorrupted semaphore ticketcryptobyte: internal errorduplicate pseudo-header %qentersyscall inconsistent failed to find ConnectEx: forEachP: P did not run fn$asn1avx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandatedeaddialermsetagfilefromftpsfuncgziphosthourhttpicmpidleigmpint8kindlinknoneopenpathpipepop3quitreadsbrksmtpsse2sse3tag:tcp4tcp6trueudp6uintunixvaryxn-- -%s ... H_T= H_a= H_g= MB, W_a= and h_a$data truncatedfile too largefinalizer waitgcstoptheworldgetprotobynameinternal errorinvalid syntaxis a directorylevel 2 haltedlevel 3 haltedmemprofilerateneed more datanil elem type!no module datano such deviceprotocol errorRZmuFRC: base=RZmuFRC: full=s.allocC$explicit tag has no childhttp2: Framer %p: read %vhttp2: invalid header: %vhttp2: unsupported schemeinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfaceinvalid object identifierinvalid proxy URL port %qinvalid username/passwordmissing st$explicitly tagged member didn't matchinternal error: unknown network type reflect.Value.Bytes of non-byte slicereflect.Value.Bytes of non-rune slicereflect: Bits of non-arithmetic Type RZmuFRC: allocation size out of rangeRZmuFRC: failed mSpanList.insertBack s$internal error: unknown string type %dmakechan: invalid channel element typemime: expected slash after first tokennet/http: invalid header field name %qRZmuFRC: blocked read on free polldescRZmuFRC: sudog with non-false isSelecttime: missing Location in call t$invalid booleaninvalid paddinginvalid pointerkey has expiredmalloc deadlockmissing addressmissing mcache?ms: gomaxprocs=network is downno medium foundno such processnon-minimal tagrecord overflowrecovery failedRZmuFRC error: RZmuFRC.gopanicRZmuFRC: frame scan $invalid padding bits in BIT STRINGmspan.ensureSwept: m is not lockedout of memory allocating allArenasreflect.FuncOf: too many argumentsreflect: Field index out of boundsreflect: Method index out of rangereflect: string index out of rangeRZmuFRC.SetFinalizer: $sequence truncatedstreams pipe errorsystem page size (tracebackancestorstruncated sequenceunexpected messageuse of closed filevalue out of range (%d bytes omitted) already registered called using nil *, g->atomicstatus=, gp->atomicstatus=, physHugePageSize=14$struct contains unexported fieldssync: RUnlock of unlocked RWMutextls: Ed25519 verification failuretls: failed to write to key log: tls: invalid client finished hashtls: invalid server finished hashtls: unexpected ServerKeyExchangetoo many Answers to pack (>65$tags don't match (%d vs %+v) %+v %s @%dtls: internal error: wrong nonce lengthtls: unsupported certificate curve (%s)transport endpoint is already connectedusername/password authentication failedx509: failed to parse URI constraint %qx509: invalid NameConstrai$unknown Go type: %vunknown certificateunknown cipher typeunknown status codeunknown wait reasonwinmm.dll not foundx509: unknown errorzero length segment markroot jobs done to unallocated span%%!%c(*big.Float=%s)37252902984619140625Arabic Standard TimeAzores S$unsupported: user canceledvalue method xadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit.WithDeadline(1907348632812595367431640625: extra text: ; SameSite=Lax$zero length BIT STRING) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCLIENT_TRAFFIC_SECRET_0CertGetCertificateChainDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeFreeEnvi$zero length explicit tag was not an asn1.Flagbytes.Reader.UnreadByte: at beginning of slicecipher.NewCTR: IV length must equal block sizecipher.newCFB: IV length must equal block sizefirst path segment in URL cannot contain colonhttp2: Transport creating clien
API String ID: 0-1252687447
Opcode ID: 1229c7f0c678ba9517dbd6387c466ec90a3ba8029ee1ec9576c9041e28ff1ba0
Instruction ID: 70239f4ee425d11304121d1bdd5c6600d1abab477dce177235b7ff8749cc3a7c
Opcode Fuzzy Hash: 1229c7f0c678ba9517dbd6387c466ec90a3ba8029ee1ec9576c9041e28ff1ba0
Instruction Fuzzy Hash: 1F43B3746093818FC764DF29C594AAEBBE1BFC8300F108D2EE9C987391D734A945CB96

Function 00522810 Relevance: 20.9, Strings: 14, Instructions: 3448
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}o, xrefs: 00522E40
}o, xrefs: 005240A7
}o, xrefs: 0052591A
}o, xrefs: 00522B05
}o, xrefs: 00523E0D
}o, xrefs: 00524301
}o, xrefs: 005250B1
}o, xrefs: 005232B7
}o, xrefs: 005241FC
}o, xrefs: 00523CC7
}o, xrefs: 00523F5D
}o, xrefs: 00522FA6
}o, xrefs: 00522CAE
}o, xrefs: 00523139

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: }o$}o$}o$}o$}o$}o$}o$}o$}o$}o$}o$}o$}o$}o
API String ID: 0-3741111851
Opcode ID: 2917c72b7ff7fd625baee6b3c17d65c7a8f46c0610392bbd7aaaa2833ca7d500
Instruction ID: 6c16c61b92cab77dc0acef310ab748a2faebe72a0e399fc05c399ce6f83c32da
Opcode Fuzzy Hash: 2917c72b7ff7fd625baee6b3c17d65c7a8f46c0610392bbd7aaaa2833ca7d500
Instruction Fuzzy Hash: 8F730671A093948FD378DF5DC89829EFBE2AFC8300F558A2ED59C93355DA706805CB86

Function 0046C2E0 Relevance: 17.5, Strings: 13, Instructions: 1234COMMON

Download Yara Rule

Strings

Z070, xrefs: 0046CCC2
-07:, xrefs: 0046C3FB
2006, xrefs: 0046C829
-07:00:00-infinity244140625: status=; Domain=Accuracy(AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticFindCloseForbiddenHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundPalmyreneParseUintSamaritanSee OtherSeptembe, xrefs: 0046C544
Z070, xrefs: 0046CC5C
-070, xrefs: 0046C354
2006, xrefs: 0046CF87
Mond, xrefs: 0046CA9A
-070, xrefs: 0046C3BA
Z07:00:00[%v = %d]analysisatomicor8bad indirbroadcastbus errorchan sendcomplex64connectexcopystackctxt != 0d.nx != 0empty urlfork/execfuncargs(image/gifimage/pnginterfaceinterruptipv6-icmplocalhostmSpanDeadmSpanFreemulticastnil erroromitemptypanicwaitpclmulqd, xrefs: 0046CE4C
!, xrefs: 0046C508
Janu, xrefs: 0046C967
Z07:, xrefs: 0046CD03

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: !$-070$-070$-07:$-07:00:00-infinity244140625: status=; Domain=Accuracy(AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticFindCloseForbiddenHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundPalmyreneParseUintSamaritanSee OtherSeptembe$2006$2006$Janu$Mond$Z070$Z070$Z07:$Z07:00:00[%v = %d]analysisatomicor8bad indirbroadcastbus errorchan sendcomplex64connectexcopystackctxt != 0d.nx != 0empty urlfork/execfuncargs(image/gifimage/pnginterfaceinterruptipv6-icmplocalhostmSpanDeadmSpanFreemulticastnil erroromitemptypanicwaitpclmulqd
API String ID: 0-4249815642
Opcode ID: d9b284bb614da5e85ddd23d64f902fce67a690f3313151c534d38e60aac9ee5c
Instruction ID: 596960284f4dfb292b5bb26e0e31de92650547399425fc153859a356571ca3c4
Opcode Fuzzy Hash: d9b284bb614da5e85ddd23d64f902fce67a690f3313151c534d38e60aac9ee5c
Instruction Fuzzy Hash: 2F920971E0D3294FC725AF5988D156EB6D16B84304F85443FE899CB343F7B8984A8BCA

Function 004CFAD0 Relevance: 17.1, Strings: 12, Instructions: 2104COMMON

Download Yara Rule

Strings

<nil, xrefs: 004D1791
@, xrefs: 004D1A56
(nil, xrefs: 004D0DFD
reflect.Value.Uintreflect: Zero(nil)RZmuFRC.semacreateRZmuFRC.semawakeupsegmentation faultsequence truncatedstreams pipe errorsystem page size (tracebackancestorstruncated sequenceunexpected messageuse of closed filevalue out of range (%d bytes omitted) alread, xrefs: 004CFD1B, 004CFD28, 004D198A, 004D1997
reflect.Value.IsNilreflect.Value.Slicerevoked certificatersa: internal errorRZmuFRC: g0 stack [RZmuFRC: insert t= RZmuFRC: pcdata is RZmuFRC: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open, xrefs: 004D0C05, 004D0C12
<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCLIENT_TRAFFIC_SECRET_0CertGetCertificateChainDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeFreeEnvironmentStringsWGetEnvironmentVariableWGetSystemTimeAsFileTimeGreenla, xrefs: 004D16E9
@, xrefs: 004D1A15
(nil, xrefs: 004D0B62
map[, xrefs: 004D05A5
reflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of RZmuFRC.newosprocRZmuFRC: a.base= RZmuFRC: b.base= RZmuFRC: nameOff RZmuFRC: next_gc=RZmuFRC: pointer RZmuFRC: textOff RZmuFRC: typeOff scanobject n == 0seeker can't seekselect (no cases)stack, xrefs: 004D18EC, 004D18F9
<nil, xrefs: 004D0CC6
(nil, xrefs: 004D03E4

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: (nil$(nil$(nil$<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCLIENT_TRAFFIC_SECRET_0CertGetCertificateChainDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeFreeEnvironmentStringsWGetEnvironmentVariableWGetSystemTimeAsFileTimeGreenla$<nil$<nil$@$@$map[$reflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of RZmuFRC.newosprocRZmuFRC: a.base= RZmuFRC: b.base= RZmuFRC: nameOff RZmuFRC: next_gc=RZmuFRC: pointer RZmuFRC: textOff RZmuFRC: typeOff scanobject n == 0seeker can't seekselect (no cases)stack$reflect.Value.IsNilreflect.Value.Slicerevoked certificatersa: internal errorRZmuFRC: g0 stack [RZmuFRC: insert t= RZmuFRC: pcdata is RZmuFRC: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open$reflect.Value.Uintreflect: Zero(nil)RZmuFRC.semacreateRZmuFRC.semawakeupsegmentation faultsequence truncatedstreams pipe errorsystem page size (tracebackancestorstruncated sequenceunexpected messageuse of closed filevalue out of range (%d bytes omitted) alread
API String ID: 0-2682825604
Opcode ID: 27d24d16cec4d791461b149349bb79d188fa9ac9bcf0d896e3680bfccc2f7428
Instruction ID: 41b70201b5058fd43240b1cf9b0fed6badb4b3c7609b4beb988ba5a5d687d80e
Opcode Fuzzy Hash: 27d24d16cec4d791461b149349bb79d188fa9ac9bcf0d896e3680bfccc2f7428
Instruction Fuzzy Hash: D123C2B4608746DFC324DF19D190A5AFBE1BB88704F64C92FE89987311E738A845CF96

Function 0043E770 Relevance: 16.7, Strings: 13, Instructions: 420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

bad symbol tablecastogscanstatuscontent-encodingcontent-languagecontent-locationcontext canceleddivision by zerogc: unswept spangcshrinkstackoffhost unreachableinteger overflowinvalid argumentinvalid encodinginvalid exchangeinvalid spdelta length too largemSpa, xrefs: 0043EB28, 0043ECFB
locals stack map entries for 227373675443232059478759765625Central European Standard TimeCentral Standard Time (Mexico)E. South America Standard TimeEastern Standard Time (Mexico)GODEBUG: unknown cpu feature "HEADERS frame with stream ID 0MapIter.Key called b, xrefs: 0043EC8C
RZmuFRC: debugCallV1 called by unknown caller RZmuFRC: failed to create new OS thread (have RZmuFRC: name offset base pointer out of rangeRZmuFRC: panic before malloc heap initializedRZmuFRC: text offset base pointer out of rangeRZmuFRC: type offset base poin, xrefs: 0043EDE6
+,-./023456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\, xrefs: 0043EBC5, 0043ED97
RZmuFRC: frame scan missed a gserver finishedstartm: m has pstopm holding punexpected typeunknown Go typeunknown networkunknown versionwrite error: %v already; errno= mheap.sweepgen= not in ranges: t.span.base()= untyped locals %s %s HTTP/1.1, not a functi, xrefs: 0043EB71, 0043ED3D
bad debugCallV1bad trailer keyclient finishedforce gc (idle)invalid booleaninvalid paddinginvalid pointerkey has expiredmalloc deadlockmissing addressmissing mcache?ms: gomaxprocs=network is downno medium foundno such processnon-minimal tagrecord overflowrecov, xrefs: 0043EE1A
., xrefs: 0043EDEF
(targetpc= ErrCode=%v a.npages= b.npages= gcwaiting= gp.status= heap_live= idleprocs= in status m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=%!(BADPREC), s.base()=, s.npages=, settings:.WithCa, xrefs: 0043EAE3, 0043ECB6
RZmuFRC: pcdata is RZmuFRC: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunknown Go type: %vunknown certificateunknown cipher typeunknown status codeunknown wait reasonwinmm.dll not, xrefs: 0043EA67, 0043EC3A
untyped args -thread limit.WithDeadline(1907348632812595367431640625: extra text: ; SameSite=Lax<not Stringer>Accept-CharsetCertCloseStoreComputerNameExContent-LengthCreateProcessWCryptGenRandomDkim-SignatureFindFirstFileWFormatMessageWGC assist waitGC worke, xrefs: 0043EB9B
missing stackmapno renegotiationno route to hostnon-Go functionnon-IPv4 addressnon-IPv6 addressobject is remotepacer: H_m_prev=proxy-connectionreflect mismatchremote I/O errorRZmuFRC: g: g=RZmuFRC: gp: gp=RZmuFRC: nelems=schedule: in cgotime: bad [0-9]*time, xrefs: 0043EBF9, 0043EDCB
args stack map entries for 18189894035458564758300781259094947017729282379150390625Aus Central W. Standard TimeCanada Central Standard TimeCen. Australia Standard TimeCentral Europe Standard TimeCertCreateCertificateContextEnglish name for time zone "FixedSta, xrefs: 0043EAB9
and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s %q%s*%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbu, xrefs: 0043EA90, 0043EC63

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: (targetpc= ErrCode=%v a.npages= b.npages= gcwaiting= gp.status= heap_live= idleprocs= in status m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=%!(BADPREC), s.base()=, s.npages=, settings:.WithCa$ and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s %q%s*%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbu$ args stack map entries for 18189894035458564758300781259094947017729282379150390625Aus Central W. Standard TimeCanada Central Standard TimeCen. Australia Standard TimeCentral Europe Standard TimeCertCreateCertificateContextEnglish name for time zone "FixedSta$ locals stack map entries for 227373675443232059478759765625Central European Standard TimeCentral Standard Time (Mexico)E. South America Standard TimeEastern Standard Time (Mexico)GODEBUG: unknown cpu feature "HEADERS frame with stream ID 0MapIter.Key called b$ untyped args -thread limit.WithDeadline(1907348632812595367431640625: extra text: ; SameSite=Lax<not Stringer>Accept-CharsetCertCloseStoreComputerNameExContent-LengthCreateProcessWCryptGenRandomDkim-SignatureFindFirstFileWFormatMessageWGC assist waitGC worke$+,-./023456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\$.$RZmuFRC: debugCallV1 called by unknown caller RZmuFRC: failed to create new OS thread (have RZmuFRC: name offset base pointer out of rangeRZmuFRC: panic before malloc heap initializedRZmuFRC: text offset base pointer out of rangeRZmuFRC: type offset base poin$RZmuFRC: frame scan missed a gserver finishedstartm: m has pstopm holding punexpected typeunknown Go typeunknown networkunknown versionwrite error: %v already; errno= mheap.sweepgen= not in ranges: t.span.base()= untyped locals %s %s HTTP/1.1, not a functi$RZmuFRC: pcdata is RZmuFRC: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunknown Go type: %vunknown certificateunknown cipher typeunknown status codeunknown wait reasonwinmm.dll not$bad debugCallV1bad trailer keyclient finishedforce gc (idle)invalid booleaninvalid paddinginvalid pointerkey has expiredmalloc deadlockmissing addressmissing mcache?ms: gomaxprocs=network is downno medium foundno such processnon-minimal tagrecord overflowrecov$bad symbol tablecastogscanstatuscontent-encodingcontent-languagecontent-locationcontext canceleddivision by zerogc: unswept spangcshrinkstackoffhost unreachableinteger overflowinvalid argumentinvalid encodinginvalid exchangeinvalid spdelta length too largemSpa$missing stackmapno renegotiationno route to hostnon-Go functionnon-IPv4 addressnon-IPv6 addressobject is remotepacer: H_m_prev=proxy-connectionreflect mismatchremote I/O errorRZmuFRC: g: g=RZmuFRC: gp: gp=RZmuFRC: nelems=schedule: in cgotime: bad [0-9]*time
API String ID: 0-577783027
Opcode ID: 8c70505b59bd13de4d72330ce2c1fcb28ae7954eaf38ed81b533aea493cd3555
Instruction ID: 58d02356bf96f8f0c832c5ed8437db1395df74c140e0a77013a1dad10cf59490
Opcode Fuzzy Hash: 8c70505b59bd13de4d72330ce2c1fcb28ae7954eaf38ed81b533aea493cd3555
Instruction Fuzzy Hash: E01214B4609745DFD344EF69D08161EBBE0BF88708F41992EE88887352D778E885DF86

Function 0041CBA0 Relevance: 14.1, Strings: 11, Instructions: 355COMMON

Download Yara Rule

Strings

greyobject: obj not pointer-alignedhpack: invalid Huffman-encoded datahttp: server closed idle connectionmheap.freeSpanLocked - invalid freemime: bogus characters after %%: %qmime: invalid RFC 2047 encoded-wordnetwork dropped connection on resetno such multica, xrefs: 0041D0C0
RZmuFRC:greyobject: checkmarks finds unexpected unmarked object obj=http2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)tls: handshake message of length %d bytes exceeds maximum of %d bytesToNearestEvenToNearestAwayToZeroAwayFromZeroToNegative, xrefs: 0041CF9F
#, xrefs: 0041D0C9
RZmuFRC: found obj at *(span has no free objectsstack trace unavailablestreamSafe was not resetstructure needs cleaningtext/html; charset=utf-8unexpected buffer len=%v bytes failed with errno= to unused region of span2910383045673370361328125AUS Central Stand, xrefs: 0041CFD8
found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>%!(BADWIDTH)) p->status=, consumed: , released: -byte limit100-continue15258789, xrefs: 0041CE97
basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandatedeaddialermsetagfilefromftpsfuncgziphosthourhttpicmpidleigmpint8kindlinknoneopenpathpipepop3quitreadsbrksmtpsse2sse3tag:tcp4tcp6trueudp6uintunixvaryxn-- -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h, xrefs: 0041CF06, 0041D047
RZmuFRC: marking free object RZmuFRC: p.gcMarkWorkerMode= RZmuFRC: split stack overflowRZmuFRC: stat underflow: val RZmuFRC: sudog with non-nil cRZmuFRC: unknown pc in defer semacquire not on the G stackstring concatenation too longsyntax error scanning boolea, xrefs: 0041CE6D
marking free objectmarkroot: bad indexmime: no media typemissing ']' in hostmspan.sweep: state=network unreachablenotesleep not on g0ntdll.dll not foundnwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no, xrefs: 0041CF69
+,-./023456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\, xrefs: 0041CEC1, 0041D002
checkmark found unmarked objectencoding/hex: invalid byte: %#Uentersyscallblock inconsistent fmt: unknown base; can't happenhttp2: connection error: %v: %vinserting span already in treapinternal error - misuse of itabinvalid network interface indexmalformed ti, xrefs: 0041D0AA
setCheckmarked and isCheckmarked disagreestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basetime: Reset called on uninitialized Timertls: failed to parse client certificate: tls: handshake has not yet been performedtls: internal , xrefs: 0041CF7F

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>%!(BADWIDTH)) p->status=, consumed: , released: -byte limit100-continue15258789$#$+,-./023456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\$RZmuFRC: found obj at *(span has no free objectsstack trace unavailablestreamSafe was not resetstructure needs cleaningtext/html; charset=utf-8unexpected buffer len=%v bytes failed with errno= to unused region of span2910383045673370361328125AUS Central Stand$RZmuFRC: marking free object RZmuFRC: p.gcMarkWorkerMode= RZmuFRC: split stack overflowRZmuFRC: stat underflow: val RZmuFRC: sudog with non-nil cRZmuFRC: unknown pc in defer semacquire not on the G stackstring concatenation too longsyntax error scanning boolea$RZmuFRC:greyobject: checkmarks finds unexpected unmarked object obj=http2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)tls: handshake message of length %d bytes exceeds maximum of %d bytesToNearestEvenToNearestAwayToZeroAwayFromZeroToNegative$basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandatedeaddialermsetagfilefromftpsfuncgziphosthourhttpicmpidleigmpint8kindlinknoneopenpathpipepop3quitreadsbrksmtpsse2sse3tag:tcp4tcp6trueudp6uintunixvaryxn-- -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h$checkmark found unmarked objectencoding/hex: invalid byte: %#Uentersyscallblock inconsistent fmt: unknown base; can't happenhttp2: connection error: %v: %vinserting span already in treapinternal error - misuse of itabinvalid network interface indexmalformed ti$greyobject: obj not pointer-alignedhpack: invalid Huffman-encoded datahttp: server closed idle connectionmheap.freeSpanLocked - invalid freemime: bogus characters after %%: %qmime: invalid RFC 2047 encoded-wordnetwork dropped connection on resetno such multica$marking free objectmarkroot: bad indexmime: no media typemissing ']' in hostmspan.sweep: state=network unreachablenotesleep not on g0ntdll.dll not foundnwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no$setCheckmarked and isCheckmarked disagreestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt basetime: Reset called on uninitialized Timertls: failed to parse client certificate: tls: handshake has not yet been performedtls: internal
API String ID: 0-3329556234
Opcode ID: 556f889252f2c73ee208651c83257eb4351add84c3a268b7f43f2e017595778c
Instruction ID: 9a53e548eb99b15547471e20228bd780b169234cbd0164f89d0174857a183603
Opcode Fuzzy Hash: 556f889252f2c73ee208651c83257eb4351add84c3a268b7f43f2e017595778c
Instruction Fuzzy Hash: 2CE192716493518FC340EF29D4C175EBBE1BF89708F45892EE88887382D778D985CB96

Function 0046F9C0 Relevance: 14.0, Strings: 9, Instructions: 2799COMMON

Download Yara Rule

Strings

monthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value addr= base code= ctxt: curg= etRx jobs= list= m->p= next= p->m= prev= span=(...), not , val 390625<-chanAcceptAnswerArabicAugustBasic BrahmiCANC, xrefs: 004709C5
: day out of rangeArab Standard TimeCaucasian_AlbanianCommandLineToArgvWCreateFileMappingWCuba Standard TimeExpectation FailedFLOW_CONTROL_ERRORFiji Standard TimeGetComputerNameExWGetExitCodeProcessGetFileAttributesWGetModuleFileNameWFYCQrUakUBwkJEwHkxHuFxJigo, xrefs: 00471653, 00471694
minuteobjectpopcntremovescvg: secondsecureselectserversocketsocks socks5statusstringstructsweep telnetuint16uint32uint64unused %v=%v, (conn) (scan (scan) MB in Value> dying= flags= len=%d locks= m->g0= nmsys= s=nil$pename$random, etRx=, size=, sys: 19531252, xrefs: 00470DF0
hourhttpicmpidleigmpint8kindlinknoneopenpathpipepop3quitreadsbrksmtpsse2sse3tag:tcp4tcp6trueudp6uintunixvaryxn-- -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s %q%s*%d%s=%s"'&+0330+0430+0530+0545+0630+08, xrefs: 00470D2A, 00470E8C
: day-of-year does not match monthOther_Default_Ignorable_Code_PointSetFileCompletionNotificationModesTLS 1.3, client CertificateVerify, xrefs: 00472387, 004723C8
out of range s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625:UseSTD3RulesAccept-RangesAuthorizationCLIENT_RANDOMCONNECT_ERRORCache-ControlCertOpenStoreContent-RangeFQDN too longFindFirstFile, xrefs: 0046FEB2
: day-of-year does not match dayCertAddCertificateContextToStoreCertVerifyCertificateChainPolicyMapIter.Value called before NextWSAGetOverlappedResult not found" not supported for cpu option "bufio: invalid use of UnreadBytebufio: invalid use of UnreadRunebufi, xrefs: 0047223D, 0047227E
: day-of-year out of rangeBougainville Standard TimeCentral Asia Standard TimeCertFreeCertificateContextE. Australia Standard TimeEkaterinburg Standard TimeGODEBUG: can not disable "GetFileInformationByHandleHTTP Version Not SupportedLine Islands Standard Time, xrefs: 00471483, 004714C4
: extra text: ; SameSite=Lax<not Stringer>Accept-CharsetCertCloseStoreComputerNameExContent-LengthCreateProcessWCryptGenRandomDkim-SignatureFindFirstFileWFormatMessageWGC assist waitGC worker initGetConsoleModeGetProcAddressGetUserNameExWINTERNAL_ERRORMAX_FRAM, xrefs: 00472595

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: out of range s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625:UseSTD3RulesAccept-RangesAuthorizationCLIENT_RANDOMCONNECT_ERRORCache-ControlCertOpenStoreContent-RangeFQDN too longFindFirstFile$: day out of rangeArab Standard TimeCaucasian_AlbanianCommandLineToArgvWCreateFileMappingWCuba Standard TimeExpectation FailedFLOW_CONTROL_ERRORFiji Standard TimeGetComputerNameExWGetExitCodeProcessGetFileAttributesWGetModuleFileNameWFYCQrUakUBwkJEwHkxHuFxJigo$: day-of-year does not match dayCertAddCertificateContextToStoreCertVerifyCertificateChainPolicyMapIter.Value called before NextWSAGetOverlappedResult not found" not supported for cpu option "bufio: invalid use of UnreadBytebufio: invalid use of UnreadRunebufi$: day-of-year does not match monthOther_Default_Ignorable_Code_PointSetFileCompletionNotificationModesTLS 1.3, client CertificateVerify$: day-of-year out of rangeBougainville Standard TimeCentral Asia Standard TimeCertFreeCertificateContextE. Australia Standard TimeEkaterinburg Standard TimeGODEBUG: can not disable "GetFileInformationByHandleHTTP Version Not SupportedLine Islands Standard Time$: extra text: ; SameSite=Lax<not Stringer>Accept-CharsetCertCloseStoreComputerNameExContent-LengthCreateProcessWCryptGenRandomDkim-SignatureFindFirstFileWFormatMessageWGC assist waitGC worker initGetConsoleModeGetProcAddressGetUserNameExWINTERNAL_ERRORMAX_FRAM$hourhttpicmpidleigmpint8kindlinknoneopenpathpipepop3quitreadsbrksmtpsse2sse3tag:tcp4tcp6trueudp6uintunixvaryxn-- -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s %q%s*%d%s=%s"'&+0330+0430+0530+0545+0630+08$minuteobjectpopcntremovescvg: secondsecureselectserversocketsocks socks5statusstringstructsweep telnetuint16uint32uint64unused %v=%v, (conn) (scan (scan) MB in Value> dying= flags= len=%d locks= m->g0= nmsys= s=nil$pename$random, etRx=, size=, sys: 19531252$monthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value addr= base code= ctxt: curg= etRx jobs= list= m->p= next= p->m= prev= span=(...), not , val 390625<-chanAcceptAnswerArabicAugustBasic BrahmiCANC
API String ID: 0-2320553888
Opcode ID: fcdfe61d75423b5b1c0969dbc528aa021e909c2ae1f1cfce03a0cb0a14e326b6
Instruction ID: 7b326777c7c6e0264b0f8bbedc77bf09a36c18819e4e1b18381d79717df7294e
Opcode Fuzzy Hash: fcdfe61d75423b5b1c0969dbc528aa021e909c2ae1f1cfce03a0cb0a14e326b6
Instruction Fuzzy Hash: 8C535774A09781CFC328CF19C5906AAF7E2BBC8310F54892EE99D97351DB74A845CF86

Function 0048CC30 Relevance: 13.4, Strings: 10, Instructions: 949COMMON

Download Yara Rule

Strings

dial, xrefs: 0048CCB4
dial, xrefs: 0048DB62
gram, xrefs: 0048D033
unix, xrefs: 0048CCE0
unixpacketunknown pcuser-agentws2_32.dll of size (targetpc= ErrCode=%v a.npages= b.npages= gcwaiting= gp.status= heap_live= idleprocs= in status m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=, xrefs: 0048CFFC, 0048DB77
mismatched local address typeno XENIX semaphores availablenotesleep - waitm out of syncnumerical result out of rangeoperation already in progresspadding contained in alphabetprotocol family not supportedreflect: Elem of invalid typereflect: Out of non-func typ, xrefs: 0048CDE4, 0048CE5C, 0048D808, 0048D880
unix, xrefs: 0048D02B
dial, xrefs: 0048CD7A
unix, xrefs: 0048CCF5
unix, xrefs: 0048CFC2

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: dial$dial$dial$gram$mismatched local address typeno XENIX semaphores availablenotesleep - waitm out of syncnumerical result out of rangeoperation already in progresspadding contained in alphabetprotocol family not supportedreflect: Elem of invalid typereflect: Out of non-func typ$unix$unix$unix$unix$unixpacketunknown pcuser-agentws2_32.dll of size (targetpc= ErrCode=%v a.npages= b.npages= gcwaiting= gp.status= heap_live= idleprocs= in status m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=
API String ID: 0-3522755340
Opcode ID: a8831129e7fbb3ea01b781ad3026d2bb840278fde6df4548c9e9bbb75c4195d7
Instruction ID: 93d91f60b3ac4dec2a54fe8cdfb7efa162455aaaff0d3ed6a4db117295c29ec5
Opcode Fuzzy Hash: a8831129e7fbb3ea01b781ad3026d2bb840278fde6df4548c9e9bbb75c4195d7
Instruction Fuzzy Hash: B3A2F674A09345CFC724EF15C490B6EBBE2BBC8304F548C2EE89987391D778A945CB96

Function 00541DD0 Relevance: 10.4, Strings: 7, Instructions: 1625COMMON

Download Yara Rule

Strings

x509: trailing data after X.509 certificate policiesTime.MarshalBinary: zone offset has fractional minutecompileCallback: argument size is larger than uintptrfunction symbol table not sorted by program counter: http2: Framer %p: failed to decode just-written f, xrefs: 005432A9
x509: trailing data after X.509 BasicConstraintsx509: trailing data after X.509 ExtendedKeyUsagex509: trailing data after X.509 authority key-id (Client.Timeout exceeded while awaiting headers)casgstatus: waiting for Gwaiting but is Grunnablechacha20poly1305: , xrefs: 00542778
x509: trailing data after X.509 KeyUsage34694469519536141888238489627838134765625MapIter.Next called on exhausted iteratorTime.UnmarshalBinary: unsupported versionasn1: internal error in parseTagAndLengthbinary: varint overflows a 64-bit integerbytes.Buffer.Wr, xrefs: 00542515
x509: trailing data after X.509 subject%s %q is not permitted by any constraint13877787807814456755295395851135253906256938893903907228377647697925567626953125Frame accessor called on non-owned FrameMapIter.Key called on exhausted iteratorNumericString contain, xrefs: 00543843, 005438AA
x509: trailing data after X.509 authority informationURI with IP (%q) cannot be matched against constraintsgoroutine running on other thread; stack unavailablebytes.Buffer: reader returned negative count from Readcryptobyte: Builder is exceeding its fixed-si, xrefs: 005436E4
x509: trailing data after X.509 CRL distribution pointSOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zonesbufio.Scanner: SplitFunc returns negative advance countcasfrom_Gscanstatus:top gp->status is not in scan statecipher.NewCBCDecrypter: IV length must eq, xrefs: 00542C54
x509: trailing data after X.509 key-id because it doesn't contain any IP SANs2006-01-02 15:04:05.999999999 -0700 MST277555756156289135105907917022705078125PowerRegisterSuspendResumeNotification, xrefs: 00542643

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: x509: trailing data after X.509 BasicConstraintsx509: trailing data after X.509 ExtendedKeyUsagex509: trailing data after X.509 authority key-id (Client.Timeout exceeded while awaiting headers)casgstatus: waiting for Gwaiting but is Grunnablechacha20poly1305: $x509: trailing data after X.509 CRL distribution pointSOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zonesbufio.Scanner: SplitFunc returns negative advance countcasfrom_Gscanstatus:top gp->status is not in scan statecipher.NewCBCDecrypter: IV length must eq$x509: trailing data after X.509 KeyUsage34694469519536141888238489627838134765625MapIter.Next called on exhausted iteratorTime.UnmarshalBinary: unsupported versionasn1: internal error in parseTagAndLengthbinary: varint overflows a 64-bit integerbytes.Buffer.Wr$x509: trailing data after X.509 authority informationURI with IP (%q) cannot be matched against constraintsgoroutine running on other thread; stack unavailablebytes.Buffer: reader returned negative count from Readcryptobyte: Builder is exceeding its fixed-si$x509: trailing data after X.509 certificate policiesTime.MarshalBinary: zone offset has fractional minutecompileCallback: argument size is larger than uintptrfunction symbol table not sorted by program counter: http2: Framer %p: failed to decode just-written f$x509: trailing data after X.509 key-id because it doesn't contain any IP SANs2006-01-02 15:04:05.999999999 -0700 MST277555756156289135105907917022705078125PowerRegisterSuspendResumeNotification$x509: trailing data after X.509 subject%s %q is not permitted by any constraint13877787807814456755295395851135253906256938893903907228377647697925567626953125Frame accessor called on non-owned FrameMapIter.Key called on exhausted iteratorNumericString contain
API String ID: 0-3081508657
Opcode ID: 7b289b516ab46e273a8200d60547a3a3c8d50f7082da98bba95417d07c6c9a42
Instruction ID: 7886de5cd7bd40fda7ab63459f8d822d32a6fe131b088a2af2230c1247910bb2
Opcode Fuzzy Hash: 7b289b516ab46e273a8200d60547a3a3c8d50f7082da98bba95417d07c6c9a42
Instruction Fuzzy Hash: 57031678609345CFD768DF15C094A9ABBE2FFC8304F54892EE88987361DB74A945CF82

Function 004198E0 Relevance: 10.2, Strings: 8, Instructions: 215COMMON

Download Yara Rule

Strings

t.key= %!Month(, idle: 2.5.4.102.5.4.112.5.4.1748828125AcceptExAcceptedArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCyrillicDNS nameDOWNGRD, xrefs: 00419B08
inserting span already in treapinternal error - misuse of itabinvalid network interface indexmalformed time zone informationnet/http: TLS handshake timeoutnon in-use span in unswept listpacer: sweep done at heap size reflect.MakeSlice: negative capreflect.Make, xrefs: 00419BBF
/, xrefs: 00419BB2
RZmuFRC: t.span= RZmuFRC: physPageSize=RZmuFRC: work.nwait = RZmuFRC:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too l, xrefs: 00419B53
t.span.base()= untyped locals %s %s HTTP/1.1, not a function.WithValue(type 0123456789ABCDEF0123456789abcdef2384185791015625: value of type :VerifyDNSLengthAddDllDirectory, xrefs: 00419B75
span and treap node base addresses do not matchtls: handshake did not verify certificate chaintls: incorrect renegotiation extension contentstls: internal error: pskBinders length mismatchtls: server selected TLS 1.3 in a renegotiationtls: server sent two Hell, xrefs: 00419BA9
treap insert finds a broken treapunsupported transfer encoding: %qwaiting for unsupported file type%s %q is excluded by constraint %q3552713678800500929355621337890625: day-of-year does not match monthOther_Default_Ignorable_Code_PointSetFileCompletionNotifica, xrefs: 00419AC7
RZmuFRC: insert t= RZmuFRC: pcdata is RZmuFRC: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunknown Go type: %vunknown certificateunknown cipher typeunknown status codeunknown wait , xrefs: 00419AE6

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: t.key= %!Month(, idle: 2.5.4.102.5.4.112.5.4.1748828125AcceptExAcceptedArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCyrillicDNS nameDOWNGRD$ t.span.base()= untyped locals %s %s HTTP/1.1, not a function.WithValue(type 0123456789ABCDEF0123456789abcdef2384185791015625: value of type :VerifyDNSLengthAddDllDirectory$/$RZmuFRC: t.span= RZmuFRC: physPageSize=RZmuFRC: work.nwait = RZmuFRC:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too l$RZmuFRC: insert t= RZmuFRC: pcdata is RZmuFRC: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunknown Go type: %vunknown certificateunknown cipher typeunknown status codeunknown wait $inserting span already in treapinternal error - misuse of itabinvalid network interface indexmalformed time zone informationnet/http: TLS handshake timeoutnon in-use span in unswept listpacer: sweep done at heap size reflect.MakeSlice: negative capreflect.Make$span and treap node base addresses do not matchtls: handshake did not verify certificate chaintls: incorrect renegotiation extension contentstls: internal error: pskBinders length mismatchtls: server selected TLS 1.3 in a renegotiationtls: server sent two Hell$treap insert finds a broken treapunsupported transfer encoding: %qwaiting for unsupported file type%s %q is excluded by constraint %q3552713678800500929355621337890625: day-of-year does not match monthOther_Default_Ignorable_Code_PointSetFileCompletionNotifica
API String ID: 0-2759059620
Opcode ID: 48533b613d6b2916151c23ad819ecaa4e5988a9343c10165cf5099428eb9c105
Instruction ID: 79f726f5e496393302af0cee1dfabffe4b61e183455224e72c6a452c4d0470e5
Opcode Fuzzy Hash: 48533b613d6b2916151c23ad819ecaa4e5988a9343c10165cf5099428eb9c105
Instruction Fuzzy Hash: 62913CB46083458FC308EF65D091A6AB7E1FF88304F15896EE88987312D778DD85DF9A

Function 004CF070 Relevance: 9.4, Strings: 7, Instructions: 662COMMON

Download Yara Rule

Strings

[]byte acceptactivechan<-closedcookiedomainefenceexec: expectgopherhangupheaderip+netkilledlistenminuteobjectpopcntremovescvg: secondsecureselectserversocketsocks socks5statusstringstructsweep telnetuint16uint32uint64unused %v=%v, (conn) (scan (scan) MB , xrefs: 004CF4AB
, xrefs: 004CF670
<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64, xrefs: 004CFA59
_B>f, xrefs: 004CF4F2
p, xrefs: 004CF186
@, xrefs: 004CF57F
@Ef, xrefs: 004CF0FC

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: $<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64$@$@Ef$[]byte acceptactivechan<-closedcookiedomainefenceexec: expectgopherhangupheaderip+netkilledlistenminuteobjectpopcntremovescvg: secondsecureselectserversocketsocks socks5statusstringstructsweep telnetuint16uint32uint64unused %v=%v, (conn) (scan (scan) MB $_B>f$p
API String ID: 0-4082715488
Opcode ID: 0cc87c6091b2f0f0133facd6889545c9218171225a82ae11bc870cae932fe56c
Instruction ID: ce3610a3068ec06a8699bfd7b8b002c99809e3d681505c17e6102e2f82b9b4ff
Opcode Fuzzy Hash: 0cc87c6091b2f0f0133facd6889545c9218171225a82ae11bc870cae932fe56c
Instruction Fuzzy Hash: DA42A0B8908301DBC794EF15D080B2ABBE2BB84304F15887FE4D597391E77D98499B8B

Function 00491DC0 Relevance: 8.1, Strings: 6, Instructions: 601COMMON

Download Yara Rule

Strings

., xrefs: 00492196
., xrefs: 00492156
<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64, xrefs: 00492560
?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\, xrefs: 004920E1
d, xrefs: 004924DF
., xrefs: 004921D3

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: .$.$.$<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64$?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\$d
API String ID: 0-1365527697
Opcode ID: 7ed783084107051a0e9cadb5a7c3c6e1d60ee0f52f0b0ffce383fae994ad5766
Instruction ID: 6964d885607e3aad49a77d3f0cd756c9a0d83b6b4a7f849f8ee306f34a2bb497
Opcode Fuzzy Hash: 7ed783084107051a0e9cadb5a7c3c6e1d60ee0f52f0b0ffce383fae994ad5766
Instruction Fuzzy Hash: 7332B2356483459FC714DF29C59066AFBE1BB85304F80493EE8998B383D778E90ECB96

Function 004FE9B0 Relevance: 7.7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

Strings

115792089210356248762697446949407573530086143415290314195533631308867097853951x509: signature check attempts limit reached while verifying certificate chaintls: client certificate private key of type %T does not implement crypto.SignerQueryPerformanceFrequency, xrefs: 004FEA14
5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2967fffffff00000001fffffffe8000000100000000ffffffff0000000180000000ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCD, xrefs: 004FEAB5
115792089210356248762697446949407573529996955224135760342422259061068512044369115792089210356248762697446949407573530086143415290314195533631308867097853951x509: signature check attempts limit reached while verifying certificate chaintls: client certificate pr, xrefs: 004FEA64
4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f55ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2967fffffff00000001fffffffe8000000100000000ffffffff0000000180000000ABCD, xrefs: 004FEB57
@, xrefs: 004FEBBF
P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB), xrefs: 004FE9E2

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: 115792089210356248762697446949407573529996955224135760342422259061068512044369115792089210356248762697446949407573530086143415290314195533631308867097853951x509: signature check attempts limit reached while verifying certificate chaintls: client certificate pr$115792089210356248762697446949407573530086143415290314195533631308867097853951x509: signature check attempts limit reached while verifying certificate chaintls: client certificate private key of type %T does not implement crypto.SignerQueryPerformanceFrequency$4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f55ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2967fffffff00000001fffffffe8000000100000000ffffffff0000000180000000ABCD$5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2967fffffff00000001fffffffe8000000100000000ffffffff0000000180000000ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCD$@$P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB)
API String ID: 0-3165735005
Opcode ID: 2b2ccbf7ff794b1a66573015b582bb716e5c2a68843e5e959cb81e0d48e10eae
Instruction ID: 1fed6ad120930d179be2cf830b20704cc6456922714a2b56651a329ac838e5ab
Opcode Fuzzy Hash: 2b2ccbf7ff794b1a66573015b582bb716e5c2a68843e5e959cb81e0d48e10eae
Instruction Fuzzy Hash: E5712D78208744CFC704EF26D58466B7BE1BB84706F01982EE98687361E7BCE909DF46

Function 004FB7F0 Relevance: 7.6, Strings: 6, Instructions: 129COMMON

Download Yara Rule

Strings

aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aefasn1: time did not serialize back to the original value and may be i, xrefs: 004FB946
3940200619639447921227904010014361380507973927046544666794829340424572177149687032904726608825893800186160697311231939402006196394479212279040100143613805079739270465446667946905279627659399113263569398956308152294913554433653942643c6858e06b70404e9cd9e3ecb6623, xrefs: 004FB854
b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aefasn1: time did not serialize back to the original value and may be invalid: given %q, but serialized as %qhttp2: Transport: cannot retry err [%v] after Request.Body, xrefs: 004FB8F5
P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Val, xrefs: 004FB822
`, xrefs: 004FB99D
3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5faa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656, xrefs: 004FB993

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: 3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5faa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656$3940200619639447921227904010014361380507973927046544666794829340424572177149687032904726608825893800186160697311231939402006196394479212279040100143613805079739270465446667946905279627659399113263569398956308152294913554433653942643c6858e06b70404e9cd9e3ecb6623$P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Val$`$aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aefasn1: time did not serialize back to the original value and may be i$b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aefasn1: time did not serialize back to the original value and may be invalid: given %q, but serialized as %qhttp2: Transport: cannot retry err [%v] after Request.Body
API String ID: 0-4286356955
Opcode ID: c55c66ff4f50c6359394b2b25f44a29d6faca70c3387d6981eaed5b99021c824
Instruction ID: ed4a34ae3db2ba15840705ba5778bf9f6a788ba45fa9bd220955f7117db3ee2b
Opcode Fuzzy Hash: c55c66ff4f50c6359394b2b25f44a29d6faca70c3387d6981eaed5b99021c824
Instruction Fuzzy Hash: 5D512A78608748CFC304EF25D485A6B7BE1FB89705F01882EE98587361E778E949DF86

Function 004C81E0 Relevance: 7.5, Strings: 5, Instructions: 1242COMMON

Download Yara Rule

Strings

reflect.Value.Complexreflect.Value.Pointerreleasep: invalid argRZmuFRC: confused by RZmuFRC: newstack at RZmuFRC: newstack sp=RZmuFRC: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: i, xrefs: 004C8C2D, 004C8C3A, 004C8CB1, 004C8CBE
reflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Slicerevoked certificatersa: internal errorRZmuFRC: g0 stack [RZmuFRC: insert t= RZmuFRC: pcdata is RZmuFRC: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is , xrefs: 004C88FB, 004C8908, 004C8965, 004C8972
reflect.Value.Uintreflect: Zero(nil)RZmuFRC.semacreateRZmuFRC.semawakeupsegmentation faultsequence truncatedstreams pipe errorsystem page size (tracebackancestorstruncated sequenceunexpected messageuse of closed filevalue out of range (%d bytes omitted) alread, xrefs: 004C866A, 004C8677, 004C8754, 004C8761
bad type in compare: block device requiredbufio: negative countcheckdead: runnable gcommand not supportedconcurrent map writesdecompression failuredefer on system stackexec: already startedfindrunnable: wrong phttp: Handler timeouthttp: nil Request.URLkey is n, xrefs: 004C95A9
reflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of RZmuFRC.newosprocRZmuFRC: a.base= RZmuFRC: b.base= RZmuFRC: nameOff RZmuFRC: next_gc=RZmuFRC: pointer RZmuFRC: textOff RZmuFRC: typeOff scanobject n == 0seeker can't seekselect (no cases)stack, xrefs: 004C83C8, 004C83D5, 004C846B, 004C8478

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: bad type in compare: block device requiredbufio: negative countcheckdead: runnable gcommand not supportedconcurrent map writesdecompression failuredefer on system stackexec: already startedfindrunnable: wrong phttp: Handler timeouthttp: nil Request.URLkey is n$reflect.Value.Complexreflect.Value.Pointerreleasep: invalid argRZmuFRC: confused by RZmuFRC: newstack at RZmuFRC: newstack sp=RZmuFRC: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: i$reflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Slicerevoked certificatersa: internal errorRZmuFRC: g0 stack [RZmuFRC: insert t= RZmuFRC: pcdata is RZmuFRC: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is $reflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of RZmuFRC.newosprocRZmuFRC: a.base= RZmuFRC: b.base= RZmuFRC: nameOff RZmuFRC: next_gc=RZmuFRC: pointer RZmuFRC: textOff RZmuFRC: typeOff scanobject n == 0seeker can't seekselect (no cases)stack$reflect.Value.Uintreflect: Zero(nil)RZmuFRC.semacreateRZmuFRC.semawakeupsegmentation faultsequence truncatedstreams pipe errorsystem page size (tracebackancestorstruncated sequenceunexpected messageuse of closed filevalue out of range (%d bytes omitted) alread
API String ID: 0-1368721512
Opcode ID: 794c39c2257e7c65e40d4b60b774bdb71543d7342c78991c2c9cbff2eb3f11e4
Instruction ID: d3a21e269187fff54f4c042bb32a5c3e78e40d98f4fdac79a3e9a19d348905f5
Opcode Fuzzy Hash: 794c39c2257e7c65e40d4b60b774bdb71543d7342c78991c2c9cbff2eb3f11e4
Instruction Fuzzy Hash: 04C21AB8A087429FC364DF14D580BAEBBE1BB89340F508C2EE4D997355EB389854DB47

Function 004CEAC0 Relevance: 6.6, Strings: 5, Instructions: 311COMMON

Download Yara Rule

Strings

GoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BLocationMahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYParseIntPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASaturdayTagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAAType, xrefs: 004CEE2A
StringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11[]byte acceptactivechan<-closedcookiedomainefenceexec: expectgopherhangupheaderip+netkilledlistenminuteobjectpopcntremovescvg: secondsecureselectserversocketsocks so, xrefs: 004CED07
ErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleep, xrefs: 004CEC19
FormatFridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPADDEDPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11[]byte acceptactivechan<-cl, xrefs: 004CEEEF
PL, xrefs: 004CEBEF, 004CECE6, 004CEDFA, 004CEEBF

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: ErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleep$FormatFridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPADDEDPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11[]byte acceptactivechan<-cl$GoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BLocationMahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYParseIntPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASaturdayTagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAAType$PL$StringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11[]byte acceptactivechan<-closedcookiedomainefenceexec: expectgopherhangupheaderip+netkilledlistenminuteobjectpopcntremovescvg: secondsecureselectserversocketsocks so
API String ID: 0-3112220672
Opcode ID: bc3d81f17e034352e38837b2c22cd893c6de02158b1d7c7c1641253288bd9686
Instruction ID: 25a58f4fb728225ecabeb4dbc34820bd49928b295b0cb59416cd6a3c4256664a
Opcode Fuzzy Hash: bc3d81f17e034352e38837b2c22cd893c6de02158b1d7c7c1641253288bd9686
Instruction Fuzzy Hash: ACE129B85083858FC368DF16D481BAABBE1BF89304F448C6EE99987351D7389948CF56

Function 004FBC90 Relevance: 6.4, Strings: 5, Instructions: 146COMMON

Download Yara Rule

Strings

26959946667150639794667015087019630673557916260026308143510066298881http2: Transport conn %p received error from processing frame %v: %vhttp2: Transport received unsolicited DATA frame; closing connectionhttp: message cannot contain multiple Content-Length hea, xrefs: 004FBCF4
2695994666715063979466701508701962594045780771442439172168272236806126959946667150639794667015087019630673557916260026308143510066298881http2: Transport conn %p received error from processing frame %v: %vhttp2: Transport received unsolicited DATA frame; closin, xrefs: 004FBD44
P-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite, xrefs: 004FBCC2
8, xrefs: 004FBE41
b4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34failed to allocate aligned heap memory; too many retrieshttp2: response header list larger t, xrefs: 004FBD95

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: 2695994666715063979466701508701962594045780771442439172168272236806126959946667150639794667015087019630673557916260026308143510066298881http2: Transport conn %p received error from processing frame %v: %vhttp2: Transport received unsolicited DATA frame; closin$26959946667150639794667015087019630673557916260026308143510066298881http2: Transport conn %p received error from processing frame %v: %vhttp2: Transport received unsolicited DATA frame; closing connectionhttp: message cannot contain multiple Content-Length hea$8$P-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite$b4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34failed to allocate aligned heap memory; too many retrieshttp2: response header list larger t
API String ID: 0-3257118710
Opcode ID: 0fc280cc420ed10decf594cc1bd6ee186bdc1af58c73023457984031ac63e999
Instruction ID: 07ddccd0f219e11db79b38ad98a27dc778540642da442aea7a074ea55e4dec81
Opcode Fuzzy Hash: 0fc280cc420ed10decf594cc1bd6ee186bdc1af58c73023457984031ac63e999
Instruction Fuzzy Hash: 73612074508305DFC304EF25D984A6ABBF1FB8A705F41882EE98587361DB78E909CF96

Function 0053B690 Relevance: 6.4, Strings: 5, Instructions: 109COMMON

Download Yara Rule

Strings

<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64, xrefs: 0053B7B6
S, xrefs: 0053B748
-, xrefs: 0053B786
(possibly because of %q while trying to verify candidate authority certificate %q)x509: issuer has name constraints but leaf contains unknown or unconstrained name: x509: signature algorithm specifies an %s public key, but have public key of type %Treflect.Va, xrefs: 0053B73F
x509: certificate signed by unknown authorityzero length explicit tag was not an asn1.Flagbytes.Reader.UnreadByte: at beginning of slicecipher.NewCTR: IV length must equal block sizecipher.newCFB: IV length must equal block sizefirst path segment in URL cannot, xrefs: 0053B77C, 0053B863

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: (possibly because of %q while trying to verify candidate authority certificate %q)x509: issuer has name constraints but leaf contains unknown or unconstrained name: x509: signature algorithm specifies an %s public key, but have public key of type %Treflect.Va$-$<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64$S$x509: certificate signed by unknown authorityzero length explicit tag was not an asn1.Flagbytes.Reader.UnreadByte: at beginning of slicecipher.NewCTR: IV length must equal block sizecipher.newCFB: IV length must equal block sizefirst path segment in URL cannot
API String ID: 0-673660172
Opcode ID: a13a3bf17c6fb36ef7bd381bfdee8f1b47bb80a18d231dc2386543a129ac5783
Instruction ID: 02819db941ae369f8678198872ccedb7077a9bb67307d9c6ff400717027c2103
Opcode Fuzzy Hash: a13a3bf17c6fb36ef7bd381bfdee8f1b47bb80a18d231dc2386543a129ac5783
Instruction Fuzzy Hash: 5D518FB46083418FD308DF15C190B5ABBF1BF89704F10896EE9998B351D77AE949CF92

Function 004118D0 Relevance: 5.6, Strings: 4, Instructions: 627COMMON

Download Yara Rule

Strings

heapBitsSetType: unexpected shifthttp2: invalid header field valuehttp2: invalid pseudo headers: %vhttp2: recursive push not allowedhttp: CloseIdleConnections calledhttp: invalid Read on closed Bodyindefinite length found (not DER)invalid username/password ver, xrefs: 004120C4
-, xrefs: 0041213A
RZmuFRC: invalid type RZmuFRC: netpoll failedRZmuFRC: physPageSize= RZmuFRC: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longspan has no free stacksstack growth after forksyntax error in patternsystem huge page size (text/cs, xrefs: 004120FA
heapBitsSetType: called with non-pointer typehttp: no Client.Transport or DefaultTransporthttp: putIdleConn: connection is in bad stateinvalid request :path %q from URL.Opaque = %qnet/http: internal error: connCount underflowparsing/packing of this section has, xrefs: 00412131

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: -$RZmuFRC: invalid type RZmuFRC: netpoll failedRZmuFRC: physPageSize= RZmuFRC: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longspan has no free stacksstack growth after forksyntax error in patternsystem huge page size (text/cs$heapBitsSetType: called with non-pointer typehttp: no Client.Transport or DefaultTransporthttp: putIdleConn: connection is in bad stateinvalid request :path %q from URL.Opaque = %qnet/http: internal error: connCount underflowparsing/packing of this section has$heapBitsSetType: unexpected shifthttp2: invalid header field valuehttp2: invalid pseudo headers: %vhttp2: recursive push not allowedhttp: CloseIdleConnections calledhttp: invalid Read on closed Bodyindefinite length found (not DER)invalid username/password ver
API String ID: 0-2579891262
Opcode ID: 27fc85ef0d0d04c1f4eab7a89e4561f2bb4d6b0ed5286dd236ee26a78de6dc6d
Instruction ID: 80fe5fdadd83bf018cb98be3785be842a952cc93ae19a9202b3121ce02ce27e3
Opcode Fuzzy Hash: 27fc85ef0d0d04c1f4eab7a89e4561f2bb4d6b0ed5286dd236ee26a78de6dc6d
Instruction Fuzzy Hash: 2F329E72A083558FD724CF69C48069AF7E2BFC9300F15892EE989D7351E774AC85CB86

Function 0053A7D0 Relevance: 5.5, Strings: 4, Instructions: 483COMMON

Download Yara Rule

Strings

x509: internal error: system verifier returned an empty chain0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZURI with empty host (%q) cannot be matched against constraintsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)http2: reques, xrefs: 0053AD86
,, xrefs: 0053A8BF
GF, xrefs: 0053A889
d, xrefs: 0053A9FA

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: ,$d$x509: internal error: system verifier returned an empty chain0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZURI with empty host (%q) cannot be matched against constraintsfound bad pointer in Go heap (incorrect use of unsafe or cgo?)http2: reques$GF
API String ID: 0-899853385
Opcode ID: 449f01cd607e373b108c92b0ba863b43bbedea69087b8820fe6061bdfaff7a04
Instruction ID: 5758e634d78a0b850233fbd840496d77e4b87daf4bdc5c72c03992b9dfebfa87
Opcode Fuzzy Hash: 449f01cd607e373b108c92b0ba863b43bbedea69087b8820fe6061bdfaff7a04
Instruction Fuzzy Hash: D52206B86093418FD728DF25C4957ABBBE1BB89304F508D2DE99987341E775A904CF83

Function 004EEF40 Relevance: 5.4, Strings: 4, Instructions: 419COMMON

Download Yara Rule

Strings

, xrefs: 004EF3C1
<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64, xrefs: 004EF48B
#%&'()*+,-./023456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\, xrefs: 004EF141, 004EF237, 004EF3D4
%%!%c(big.Int=%s)0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method ; SameSite=StrictCOMPRESSION_ERRORDnsRecordListFreeENHANCE_YOUR_CALMFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB S, xrefs: 004EF53A

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: $ #%&'()*+,-./023456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\$%%!%c(big.Int=%s)0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method ; SameSite=StrictCOMPRESSION_ERRORDnsRecordListFreeENHANCE_YOUR_CALMFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB S$<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64
API String ID: 0-2435441015
Opcode ID: d674cc00491ef089781352837a594551cbcf489be81b1d60d5c219ad69c7d1c4
Instruction ID: d2f78d0aca29b7dbf30b9bcbb4bd9b1d840235c045de19dab2f0792e059a9f68
Opcode Fuzzy Hash: d674cc00491ef089781352837a594551cbcf489be81b1d60d5c219ad69c7d1c4
Instruction Fuzzy Hash: A512E3746083819FD328DF26C080B6BBBE1BFC8305F50892EE8D987352D7799949DB56

Function 004FBA40 Relevance: 5.1, Strings: 4, Instructions: 129COMMON

Download Yara Rule

Strings

P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value ad, xrefs: 004FBA72
051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f0011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd166, xrefs: 004FBB45
68647976601306097149819007990813932172694353001433054093944634591855431833976560521225596406614545549772963113914808580371219879997166438125740282911150571516864797660130609714981900799081393217269435300143305409394463459185543183397655394245057746333217197532, xrefs: 004FBAA4
c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd667265672061646420484b43555c536f6674776172655c436c61737365735c6d732d73657474696e67735c5368656c6c5c4f70656e5c636f6d6d616e64202f660d0a, xrefs: 004FBB96

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: 051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f0011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd166$68647976601306097149819007990813932172694353001433054093944634591855431833976560521225596406614545549772963113914808580371219879997166438125740282911150571516864797660130609714981900799081393217269435300143305409394463459185543183397655394245057746333217197532$P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13tls: uint8usageutf-8valuewrite (MB) Value ad$c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd667265672061646420484b43555c536f6674776172655c436c61737365735c6d732d73657474696e67735c5368656c6c5c4f70656e5c636f6d6d616e64202f660d0a
API String ID: 0-968410267
Opcode ID: 481f8616670263b3c8a9172c73eccd1ccd02431839105d984920d19a421c888c
Instruction ID: 6be1cc16e1925a7fe58d9805a740332497f52e8e0e76505ebc35eb87e713038e
Opcode Fuzzy Hash: 481f8616670263b3c8a9172c73eccd1ccd02431839105d984920d19a421c888c
Instruction Fuzzy Hash: 2B511A78508744CFC304EF25D485A6B7BE1FB89705F41886EE88587362E778E909CF86

Function 004761E0 Relevance: 4.2, Strings: 3, Instructions: 403COMMON

Download Yara Rule

Strings

Time.UnmarshalBinary: unsupported versionasn1: internal error in parseTagAndLengthbinary: varint overflows a 64-bit integerbytes.Buffer.WriteTo: invalid Write countbytes.Reader.WriteTo: invalid Write countcan't call pointer on a non-pointer Valuecrypto/md5: in, xrefs: 00476711
Time.UnmarshalBinary: no dataUnavailable For Legal Reasonsaddspecial on invalid pointerbufio.Scanner: token too longcrypto/aes: invalid key size crypto/des: invalid key size crypto/rc4: invalid key size dup idle pconn %p in freelistexec: Wait was already calle, xrefs: 00476744
Time.UnmarshalBinary: invalid lengthUnable to determine system directoryaccessing a corrupted shared librarycompressed name in SRV resource datacrypto/cipher: input not full blockscrypto/rand: argument to Int is <= 0crypto/sha1: invalid hash state sizecrypto/s, xrefs: 004766DE

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: Time.UnmarshalBinary: invalid lengthUnable to determine system directoryaccessing a corrupted shared librarycompressed name in SRV resource datacrypto/cipher: input not full blockscrypto/rand: argument to Int is <= 0crypto/sha1: invalid hash state sizecrypto/s$Time.UnmarshalBinary: no dataUnavailable For Legal Reasonsaddspecial on invalid pointerbufio.Scanner: token too longcrypto/aes: invalid key size crypto/des: invalid key size crypto/rc4: invalid key size dup idle pconn %p in freelistexec: Wait was already calle$Time.UnmarshalBinary: unsupported versionasn1: internal error in parseTagAndLengthbinary: varint overflows a 64-bit integerbytes.Buffer.WriteTo: invalid Write countbytes.Reader.WriteTo: invalid Write countcan't call pointer on a non-pointer Valuecrypto/md5: in
API String ID: 0-1601252603
Opcode ID: a8bd5105786e8ffe5fcd370abdbc7c77082d1ed9c899dcf166bd4dbc8a19a6c3
Instruction ID: 1ca5c7e16b587242d9df6de07133f87a4e994c6f44bd8f8bbdedb2d79e3f26ab
Opcode Fuzzy Hash: a8bd5105786e8ffe5fcd370abdbc7c77082d1ed9c899dcf166bd4dbc8a19a6c3
Instruction Fuzzy Hash: 1CF13874A047048FD314DF69C8C066ABBE2BB84304F95C66EEC594F396E7B8D806CB85

Function 00506C20 Relevance: 3.9, Strings: 3, Instructions: 189COMMON

Download Yara Rule

Strings

integer too largeinvalid bit size invalid stream IDlocked m0 woke upmark - bad statusmarkBits overflowmissing extensionnil resource bodyno data availablenotetsleepg on g0permission deniedreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of RZmuF, xrefs: 00506D91
empty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflatehttp2client=0if-none-matchimage/svg+xmlinvalid base kernel32.dll, xrefs: 00506E4B
integer not minimally-encodedinternal error: took too muchinvalid header field value %qinvalid length of trace eventio: read/write on closed pipemachine is not on the networkmime: invalid media parametermismatched local address typeno XENIX semaphores availabl, xrefs: 00506E1E

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: empty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflatehttp2client=0if-none-matchimage/svg+xmlinvalid base kernel32.dll$integer not minimally-encodedinternal error: took too muchinvalid header field value %qinvalid length of trace eventio: read/write on closed pipemachine is not on the networkmime: invalid media parametermismatched local address typeno XENIX semaphores availabl$integer too largeinvalid bit size invalid stream IDlocked m0 woke upmark - bad statusmarkBits overflowmissing extensionnil resource bodyno data availablenotetsleepg on g0permission deniedreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of RZmuF
API String ID: 0-1330801798
Opcode ID: 72f0d2958830d925855a5a34688591eda569c5571b09a279a7b1471d4182ea1b
Instruction ID: 3441bbd8b1ec4ebdc16177e37f49afe7b2724dc1f5ab682cb66ff59d0f3be027
Opcode Fuzzy Hash: 72f0d2958830d925855a5a34688591eda569c5571b09a279a7b1471d4182ea1b
Instruction Fuzzy Hash: F961C1316097198FD754CF29C89026EBBE2BBC8314F488A2DE4D8872D1E7349949DB86

Function 0049CE50 Relevance: 3.9, Strings: 3, Instructions: 160COMMON

Download Yara Rule

Strings

:, xrefs: 0049CFF6
%&'()*+,-./023456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\, xrefs: 0049CED8
<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64, xrefs: 0049D0D5

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: %&'()*+,-./023456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\$:$<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64
API String ID: 0-1596463289
Opcode ID: 6d10f6ea627129058eeac1d0abeea9a25e351aac37872face18f0f9178f2f0c4
Instruction ID: ee19f27113d43b6ede9c330b820e711ec86c0ae600126d0ca4fe9496b957a41f
Opcode Fuzzy Hash: 6d10f6ea627129058eeac1d0abeea9a25e351aac37872face18f0f9178f2f0c4
Instruction Fuzzy Hash: B7818AB4A08341DFD744DF29C184A1ABBE1BB88744F50892EF8D987361E778E944CF96

Function 004485E0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

,-./023456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\, xrefs: 004486F9
stack: frame={sp:thread exhaustiontransfer-encodingtruncated headersunknown caller pcwait for GC cyclewine_get_version, xrefs: 0044867B
, fp:-0930.html.jpeg.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloat, xrefs: 004486A5

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: , fp:-0930.html.jpeg.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloat$,-./023456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\$stack: frame={sp:thread exhaustiontransfer-encodingtruncated headersunknown caller pcwait for GC cyclewine_get_version
API String ID: 0-154883690
Opcode ID: 49d8a0e6bb3290853e6e3329340a5fc9a38684db6d8059e415fbd74712e24bd5
Instruction ID: f9e35bf2200ffa939ae0521e1254c90db3dd50979595eda861af3b37a1b086e6
Opcode Fuzzy Hash: 49d8a0e6bb3290853e6e3329340a5fc9a38684db6d8059e415fbd74712e24bd5
Instruction Fuzzy Hash: CA412BB4609300CFD344EF59C58071EB7E1BF88708F51882EE89897342EB7899499F9B

Function 004B55B0 Relevance: 3.7, Strings: 2, Instructions: 1183COMMON

Download Yara Rule

Strings

reflect.Value.IsNilreflect.Value.Slicerevoked certificatersa: internal errorRZmuFRC: g0 stack [RZmuFRC: insert t= RZmuFRC: pcdata is RZmuFRC: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open, xrefs: 004B58D2, 004B58DF, 004B593A, 004B5947, 004B5A56, 004B5A63, 004B5BD7, 004B5BE4, 004B60EC, 004B60F9, 004B6489, 004B6496, 004B650F, 004B651C
reflect.Value.UnsafeAddrresource length too longrunqsteal: runq overflowRZmuFRC: VirtualFree of RZmuFRC: found obj at *(span has no free objectsstack trace unavailablestreamSafe was not resetstructure needs cleaningtext/html; charset=utf-8unexpected buffer le, xrefs: 004B6779, 004B6786, 004B67B9, 004B67C6

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: reflect.Value.IsNilreflect.Value.Slicerevoked certificatersa: internal errorRZmuFRC: g0 stack [RZmuFRC: insert t= RZmuFRC: pcdata is RZmuFRC: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open$reflect.Value.UnsafeAddrresource length too longrunqsteal: runq overflowRZmuFRC: VirtualFree of RZmuFRC: found obj at *(span has no free objectsstack trace unavailablestreamSafe was not resetstructure needs cleaningtext/html; charset=utf-8unexpected buffer le
API String ID: 0-1526274817
Opcode ID: e89ed81b64a28257dacbdeeee08b3d3d708ba894c5d92306cbd14e21c91819f3
Instruction ID: e763566e7edbf6239e6388ed4ffe0f28805f2ea5a79df311875476518ea64639
Opcode Fuzzy Hash: e89ed81b64a28257dacbdeeee08b3d3d708ba894c5d92306cbd14e21c91819f3
Instruction Fuzzy Hash: 00C2F2745087418FD324EF29C1806AFFBE1BF89704F54892EE98987351EB38A845DB66

Function 00504860 Relevance: 3.0, Strings: 2, Instructions: 550COMMON

Download Yara Rule

Strings

crypto/sha512: invalid hash state sizeencoding alphabet is not 64-bytes longfailed to parse Location header %q: %vgcBgMarkWorker: blackening not enabledindex out of range [%x] with length %yinsufficient data for base length typeinternal error: unknown string t, xrefs: 00504EDE
crypto/sha512: invalid hash state identifierencoding alphabet contains newline charactergcmarknewobject called while doing checkmarkhttp2: could not negotiate protocol mutuallyhttp2: invalid Connection request header: %qhttp: Request.ContentLength=%d with nil , xrefs: 00504F44, 00504F7D

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: crypto/sha512: invalid hash state identifierencoding alphabet contains newline charactergcmarknewobject called while doing checkmarkhttp2: could not negotiate protocol mutuallyhttp2: invalid Connection request header: %qhttp: Request.ContentLength=%d with nil $crypto/sha512: invalid hash state sizeencoding alphabet is not 64-bytes longfailed to parse Location header %q: %vgcBgMarkWorker: blackening not enabledindex out of range [%x] with length %yinsufficient data for base length typeinternal error: unknown string t
API String ID: 0-1979386919
Opcode ID: 855132c6b470177419df87c5ec28210816949d279781508330c4aabe17fecdb0
Instruction ID: 7dc16033cce604b59469c0611c812a9d788df429c03047487fb807c4c3dcad67
Opcode Fuzzy Hash: 855132c6b470177419df87c5ec28210816949d279781508330c4aabe17fecdb0
Instruction Fuzzy Hash: FB32B571C083694BD300DF5A888401DFFE2AFC9309F5A8A6EECD81B356D674A905DFA5

Function 0043BDE0 Relevance: 2.9, Strings: 2, Instructions: 388COMMON

Download Yara Rule

Strings

]|g, xrefs: 0043C3AE
]|g, xrefs: 0043C2DE

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: ]|g$]|g
API String ID: 0-2482271845
Opcode ID: 9878a381aa2d8ae3a9fbcc8da96b326407ee7eb7a638400111cf4922a6f4f596
Instruction ID: 52ac5faa3a13c78d503094c05e70b214988b5a566df2f88d58d606b799fda509
Opcode Fuzzy Hash: 9878a381aa2d8ae3a9fbcc8da96b326407ee7eb7a638400111cf4922a6f4f596
Instruction Fuzzy Hash: 77E1E1316083558BC714DF59C8C026EF7E2FBC8300F54992FE98597395DB78A949CB8A

Function 00456F10 Relevance: 2.9, Strings: 2, Instructions: 382COMMON

Download Yara Rule

Strings

SwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererr, xrefs: 0045740B, 00457415
reflectlite.Value.Typeremote address changedRZmuFRC.main not on m0RZmuFRC: t.span= RZmuFRC: physPageSize=RZmuFRC: work.nwait = RZmuFRC:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power , xrefs: 004573A5, 004573B2

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: SwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32float64gctracehttp://invalidlookup max-agenil keypanic: refererr$reflectlite.Value.Typeremote address changedRZmuFRC.main not on m0RZmuFRC: t.span= RZmuFRC: physPageSize=RZmuFRC: work.nwait = RZmuFRC:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power
API String ID: 0-3253843607
Opcode ID: 61e96565787ea3806bd3bab04df71cc7703fd2bd1bf7529c756b5c5acaa4c84e
Instruction ID: 862ce43918fade49c4f5cf53a13f688771dd5a49053e422b336cf9b54754f385
Opcode Fuzzy Hash: 61e96565787ea3806bd3bab04df71cc7703fd2bd1bf7529c756b5c5acaa4c84e
Instruction Fuzzy Hash: 3E021874609301CFC708DF15E59096ABBF2BB89705F55886EF88A87362D778E809CF46

Function 00528B10 Relevance: 2.9, Strings: 2, Instructions: 381COMMON

Download Yara Rule

Strings

crypto/rsa: unsupported hash functioncrypto: Size of unknown hash functionexplicitly tagged member didn't matchinternal error: unknown network type reflect.Value.Bytes of non-byte slicereflect.Value.Bytes of non-rune slicereflect: Bits of non-arithmetic Type R, xrefs: 0052902A
crypto/rsa: input must be hashed messagedeferproc: d.panic != nil after newdeferevictOldest(%v) on table with %v entrieshttp2: Transport encoding header %q = %qhttp2: invalid pseudo header in trailershttp2: timeout awaiting response headersoversized record rec, xrefs: 00528FAD

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: crypto/rsa: input must be hashed messagedeferproc: d.panic != nil after newdeferevictOldest(%v) on table with %v entrieshttp2: Transport encoding header %q = %qhttp2: invalid pseudo header in trailershttp2: timeout awaiting response headersoversized record rec$crypto/rsa: unsupported hash functioncrypto: Size of unknown hash functionexplicitly tagged member didn't matchinternal error: unknown network type reflect.Value.Bytes of non-byte slicereflect.Value.Bytes of non-rune slicereflect: Bits of non-arithmetic Type R
API String ID: 0-2229242947
Opcode ID: db135b5a260bed76054f58b16f7cb88c946d46cece11fa473934dcf0ac03171f
Instruction ID: 5c5bb98ee35e339e157ef0b5eb89b2a3757cb7ae8ff3cc15f420aa1e973c61f2
Opcode Fuzzy Hash: db135b5a260bed76054f58b16f7cb88c946d46cece11fa473934dcf0ac03171f
Instruction Fuzzy Hash: 0DF18F74A083558FC318DF69D49462EFBE2BFC9304F14892EE98987391DB75E845CB82

Function 0047E9B0 Relevance: 2.9, Strings: 2, Instructions: 374COMMON

Download Yara Rule

Strings

FindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetStdHandleGetTempPathWI'm a teapotJoin_ControlLoadLibraryWMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWRevertTo, xrefs: 0047ED4C, 0047EDF4
ReaddirRefererSharadaShavianSiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32f, xrefs: 0047EE4A, 0047EEE2

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: FindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetStdHandleGetTempPathWI'm a teapotJoin_ControlLoadLibraryWMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWRevertTo$ReaddirRefererSharadaShavianSiddhamSinhalaSogdianSoyomboSubjectSwapperTagalogTibetanTirhutaTrailerTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVTypeTXTTypeWKSUpgradeUsage:WSARecvWSASendvmwaretypes value=abortedcharsetchunkedconnectconsolederivedexpiresfloat32f
API String ID: 0-3568322593
Opcode ID: 7e04a4002cd053efe7fb9cf057ef30c3b7c3f7004c2b355656d9c459b738a419
Instruction ID: ab2c082330a9a0786f7d5f1e065bd1e05512aa8d0b6c30909e501fbc93c32ee9
Opcode Fuzzy Hash: 7e04a4002cd053efe7fb9cf057ef30c3b7c3f7004c2b355656d9c459b738a419
Instruction Fuzzy Hash: 920207786087458FC318CF1AC590A5AFBE2BF8C704F548A6EE88987361D775E845CF86

Function 004E53C0 Relevance: 2.8, Strings: 2, Instructions: 339COMMON

Download Yara Rule

Strings

cipher: NewGCM requires 128-bit block ciphercrypto/sha256: invalid hash state identifiercrypto/sha512: invalid hash state identifierencoding alphabet contains newline charactergcmarknewobject called while doing checkmarkhttp2: could not negotiate protocol mutu, xrefs: 004E5814
cipher: incorrect tag size given to GCMcrypto/rsa: invalid options for Decrypthttp: putIdleConn: keep alives disabledinvalid indexed representation index %dmismatched count during itab table copymspan.sweep: bad span state after sweepout of memory allocating h, xrefs: 004E53FB

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: cipher: NewGCM requires 128-bit block ciphercrypto/sha256: invalid hash state identifiercrypto/sha512: invalid hash state identifierencoding alphabet contains newline charactergcmarknewobject called while doing checkmarkhttp2: could not negotiate protocol mutu$cipher: incorrect tag size given to GCMcrypto/rsa: invalid options for Decrypthttp: putIdleConn: keep alives disabledinvalid indexed representation index %dmismatched count during itab table copymspan.sweep: bad span state after sweepout of memory allocating h
API String ID: 0-3542284906
Opcode ID: e1c5c0d3709d558b632179bd2b035b863d4f5419c79668d42b12eed2d9dcb9bf
Instruction ID: ff79477e90a8ea8187a330ab5ef504963fd9b4eefafe35872472515c2baab42e
Opcode Fuzzy Hash: e1c5c0d3709d558b632179bd2b035b863d4f5419c79668d42b12eed2d9dcb9bf
Instruction Fuzzy Hash: C0E17A759087548FD324DF1AC48461AFBE1BFC8304F858A6EE9A847352D7B8E845CF86

Function 0052F2D0 Relevance: 2.8, Strings: 2, Instructions: 335COMMON

Download Yara Rule

Strings

@, xrefs: 0052F582
@, xrefs: 0052F58A

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 05d65fdaaf16d3a0ebe6a5710e3257c5b3ef85f5dc9e5480c73c55db785d44d3
Instruction ID: e0b7b42285077ca54950a682fafe4efa7453db3a14a840e56f7c9b644ce0b959
Opcode Fuzzy Hash: 05d65fdaaf16d3a0ebe6a5710e3257c5b3ef85f5dc9e5480c73c55db785d44d3
Instruction Fuzzy Hash: 55C1F2366083664FC301DE69A48011EFBE2BFC5304F45497EE9959B2C3C674E90ACBE6

Function 005285E0 Relevance: 2.8, Strings: 2, Instructions: 328COMMON

Download Yara Rule

Strings

crypto/rsa: unsupported hash functioncrypto: Size of unknown hash functionexplicitly tagged member didn't matchinternal error: unknown network type reflect.Value.Bytes of non-byte slicereflect.Value.Bytes of non-rune slicereflect: Bits of non-arithmetic Type R, xrefs: 00528A89
crypto/rsa: input must be hashed messagedeferproc: d.panic != nil after newdeferevictOldest(%v) on table with %v entrieshttp2: Transport encoding header %q = %qhttp2: invalid pseudo header in trailershttp2: timeout awaiting response headersoversized record rec, xrefs: 00528A13

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: crypto/rsa: input must be hashed messagedeferproc: d.panic != nil after newdeferevictOldest(%v) on table with %v entrieshttp2: Transport encoding header %q = %qhttp2: invalid pseudo header in trailershttp2: timeout awaiting response headersoversized record rec$crypto/rsa: unsupported hash functioncrypto: Size of unknown hash functionexplicitly tagged member didn't matchinternal error: unknown network type reflect.Value.Bytes of non-byte slicereflect.Value.Bytes of non-rune slicereflect: Bits of non-arithmetic Type R
API String ID: 0-2229242947
Opcode ID: adfc327032eec77287b0686fc2387a25063dd71415459cd379e0a0d6bd63613b
Instruction ID: 3d09eb856a882f76f6b33bab6de48186f5112876b59875e65277eb5c0b2abf51
Opcode Fuzzy Hash: adfc327032eec77287b0686fc2387a25063dd71415459cd379e0a0d6bd63613b
Instruction Fuzzy Hash: F7E148746093458FC718DF69D09072EBBE2BFC9304F54892EE99987392DB75A844CF82

Function 005306E0 Relevance: 2.8, Strings: 2, Instructions: 310COMMON

Download Yara Rule

Strings

, xrefs: 00530A48
, xrefs: 00530A05

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 9d653919a1e5ea2dc71a47716b054005d36fe4fb457cf9af95d40c8c9b10a6be
Instruction ID: 946e09ff8c6d6cbe92e55fae93cd3bebe343762bfd9851ed10d43d03d0a298e8
Opcode Fuzzy Hash: 9d653919a1e5ea2dc71a47716b054005d36fe4fb457cf9af95d40c8c9b10a6be
Instruction Fuzzy Hash: 30D1F77424D38A9FC305DF59C494A1EFBE0BB89304F80996EE98447393D774E80ACB96

Function 00410D00 Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

bulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0cannot represent time as GeneralizedTimechacha20poly1305: invalid buffer overlapcrypto/cipher: message too large for GCMcrypto/cipher: output smaller than inputcrypto/rsa: input mu, xrefs: 004110B8
(, xrefs: 004110C1

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: ($bulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0cannot represent time as GeneralizedTimechacha20poly1305: invalid buffer overlapcrypto/cipher: message too large for GCMcrypto/cipher: output smaller than inputcrypto/rsa: input mu
API String ID: 0-293591660
Opcode ID: 06561ba570ba251f876db49f99b8ab1db223d0c1dbfa80a2416278dfac95fd74
Instruction ID: 8efc194d0f0e8ef478128d79daf0d7dd2f1eb3bb32a2dfa59608f17499c78ebb
Opcode Fuzzy Hash: 06561ba570ba251f876db49f99b8ab1db223d0c1dbfa80a2416278dfac95fd74
Instruction Fuzzy Hash: BFC16B75A09341CFC714DF19C180A6ABBE1BFC9300F55896EE98987361D7B8EC85CB4A

Function 0052CC10 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

0, xrefs: 0052CD58
0, xrefs: 0052CD50

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: 0$0
API String ID: 0-203156872
Opcode ID: 711971fe220f92475d241621135ca942f9860838efa00e29fbd4b140e33645c6
Instruction ID: 3e833716f659ccdf1b091d8ab73a79fb296cd4c5ff2951a845a6ec5fda33246d
Opcode Fuzzy Hash: 711971fe220f92475d241621135ca942f9860838efa00e29fbd4b140e33645c6
Instruction Fuzzy Hash: 1861C172A083598FE304DF19C48452DBFE2BFC8340F468A7DE89997382D674E905DB85

Function 00499BE0 Relevance: 2.6, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64, xrefs: 00499DFC
#%&'()*+,-./023456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\, xrefs: 00499D33, 00499D8D, 00499DCC

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: #%&'()*+,-./023456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\$<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64
API String ID: 0-1970213411
Opcode ID: 0c07588b0b0c8d9be364b4bf0b5f2a0bfd6a158fc1496f6f452f220e2a956e4b
Instruction ID: e52c3948e375cfa74c9dc5db76aac54edb3e0b3629e57d3e389f13629851eac5
Opcode Fuzzy Hash: 0c07588b0b0c8d9be364b4bf0b5f2a0bfd6a158fc1496f6f452f220e2a956e4b
Instruction Fuzzy Hash: 0E618EB4608301DFD748DF19C180A1ABBF1BF88744F10992EE89987362D379E985CF96

Function 00492F50 Relevance: 2.6, Strings: 2, Instructions: 114COMMON

Download Yara Rule

Strings

<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64, xrefs: 00492F95, 0049300C
/023456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\, xrefs: 00493026, 004930E6

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: /023456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\$<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64
API String ID: 0-3424948765
Opcode ID: 3a130cc9d249515e2d315399815d4f3c0384817280a5459bb9ca08394821d9da
Instruction ID: b4c7da5c398119e50110313bb5e2efe88914f60a893ea692d8e522586d233568
Opcode Fuzzy Hash: 3a130cc9d249515e2d315399815d4f3c0384817280a5459bb9ca08394821d9da
Instruction Fuzzy Hash: 895166B8909341AFC744DF29C180A1AFBF1BB88754F508D2EF89887351E779E9448B86

Function 0049A260 Relevance: 2.6, Strings: 2, Instructions: 61COMMON

Download Yara Rule

Strings

<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64, xrefs: 0049A34D
on pc= sp: sp=$pid%x><) = ) m=+Inf+inf, n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.xml0x%x10803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDATADashDateEESTEtagFromGOGCGoneHEADHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTSASTStat, xrefs: 0049A31D

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: on pc= sp: sp=$pid%x><) = ) m=+Inf+inf, n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.xml0x%x10803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDATADashDateEESTEtagFromGOGCGoneHEADHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTSASTStat$<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64
API String ID: 0-1719578814
Opcode ID: 5a8ade2ed636ebfe9e9b7cf1a69402c9841b172c94c8e1c0c46cf299fe4b48bb
Instruction ID: 10f6f6c62d2e582b26cbbca8c6b97ca4cd7bde2fed729de827524e790df4a927
Opcode Fuzzy Hash: 5a8ade2ed636ebfe9e9b7cf1a69402c9841b172c94c8e1c0c46cf299fe4b48bb
Instruction Fuzzy Hash: E0319DB4908305CFD718DF15C180A1AFBE1BB88344F54892EE89987352D379E989CF97

Function 00493E60 Relevance: 2.6, Strings: 2, Instructions: 53COMMON

Download Yara Rule

Strings

%&'()*+,-./023456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\, xrefs: 00493EAE
<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64, xrefs: 00493F0B

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: %&'()*+,-./023456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ["\$<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64
API String ID: 0-552111962
Opcode ID: 13b5913de4a26c04478991f66715cfae5759be8dfa8de315a4f88e86e8c84cd2
Instruction ID: d841fd44cc1238054febafe4b31a2ef5773089d79f245dde333c2988488dfbbe
Opcode Fuzzy Hash: 13b5913de4a26c04478991f66715cfae5759be8dfa8de315a4f88e86e8c84cd2
Instruction Fuzzy Hash: 8321A4B4908341DFDB08DF26C484A1BFBE1BB88304F44896EE89987351D739DA85CF5A

Function 0049A0D0 Relevance: 2.5, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64, xrefs: 0049A156
address cgocheckcs default:durationeax ebp ebx ecx edi edx eflags eip esi esp exporterfinishedfs go1.13.8gs hijackedhttp/1.1if-matchif-rangeinfinityinvalid locationloopbackno anodeno-cacheno_proxyopen -> raw-, xrefs: 0049A113

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64$address cgocheckcs default:durationeax ebp ebx ecx edi edx eflags eip esi esp exporterfinishedfs go1.13.8gs hijackedhttp/1.1if-matchif-rangeinfinityinvalid locationloopbackno anodeno-cacheno_proxyopen -> raw-
API String ID: 0-67748943
Opcode ID: 8f2effff72fb5ed4a35be4465b123e5011b08a85a6dd71fed5303317556725ac
Instruction ID: 679c431203307e03a511acc58fcf8857ebbd871c83da576d915123a1df28641e
Opcode Fuzzy Hash: 8f2effff72fb5ed4a35be4465b123e5011b08a85a6dd71fed5303317556725ac
Instruction Fuzzy Hash: 451115B4908300DFC704DF15C58171ABBE0BB88704F54982EE89987361E739EA59CF87

Function 0047FA30 Relevance: 2.5, Strings: 2, Instructions: 35COMMON

Download Yara Rule

Strings

<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64, xrefs: 0047FA9C
exit status gcpacertracegetaddrinfowhost is downhttp2debug=1http2debug=2illegal seekinvalid baseinvalid portinvalid slotiphlpapi.dllkernel32.dllmadvdontneedmax-forwardsnetapi32.dllno such hostnot pollableout of rangepointtopointproxyconnectreflect.Copyreleasep, xrefs: 0047FA69

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64$exit status gcpacertracegetaddrinfowhost is downhttp2debug=1http2debug=2illegal seekinvalid baseinvalid portinvalid slotiphlpapi.dllkernel32.dllmadvdontneedmax-forwardsnetapi32.dllno such hostnot pollableout of rangepointtopointproxyconnectreflect.Copyreleasep
API String ID: 0-2686383435
Opcode ID: da3ebc453e069ad3a8c6457bccb7a97c2cfd866ed7fc14b80f1ab0eae1b035f6
Instruction ID: f3c09ff6feec27039c2b4c6b3d0e9e9477ff01aad88d885b1ace8f956b843e72
Opcode Fuzzy Hash: da3ebc453e069ad3a8c6457bccb7a97c2cfd866ed7fc14b80f1ab0eae1b035f6
Instruction Fuzzy Hash: FA0108B59083018BC304EF19C18065ABBE0BB88704F44896EE88D97351E739DA48CB5B

Function 004AC930 Relevance: 2.0, Strings: 1, Instructions: 714COMMON

Download Yara Rule

Strings

0123456789ABCDEF0123456789abcdef2384185791015625: value of type :VerifyDNSLengthAddDllDirectory, xrefs: 004ACBC7

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: 0123456789ABCDEF0123456789abcdef2384185791015625: value of type :VerifyDNSLengthAddDllDirectory
API String ID: 0-1680996434
Opcode ID: e00b850f48bcd3a3322dccc2034504ff87079ffaf0f0a8e592843d371f17bb29
Instruction ID: 6ae421632c9172eabd413fcf1ccb1c9530b90c34e6fe372233a2e2611306e124
Opcode Fuzzy Hash: e00b850f48bcd3a3322dccc2034504ff87079ffaf0f0a8e592843d371f17bb29
Instruction Fuzzy Hash: 2452AC7290C7558FC329CF19C48065EFBE2BBD8340F558A2EE89987351DB74E909CB86

Function 004BAA30 Relevance: 1.9, Strings: 1, Instructions: 621COMMON

Download Yara Rule

Strings

@Ef, xrefs: 004BAB38, 004BAB7E, 004BB02D, 004BB1BB, 004BB1CC

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: @Ef
API String ID: 0-2785291263
Opcode ID: 70c69a8ae27f11b7b6e4e8220da7a25e988d6bc38ec3c44ede478b5eb347ea76
Instruction ID: 12405c037a5f851320455fb478c6a8a1ef45666b7fbe76483e0e42a049c71c6e
Opcode Fuzzy Hash: 70c69a8ae27f11b7b6e4e8220da7a25e988d6bc38ec3c44ede478b5eb347ea76
Instruction Fuzzy Hash: 764256749083908BC714DF29C0802AFBBE1BF89344F55899EF8D887352D778D845DBA6

Function 004BB610 Relevance: 1.8, Strings: 1, Instructions: 545COMMON

Download Yara Rule

Strings

@Ef, xrefs: 004BB7EC, 004BB98B, 004BBA1D, 004BBB0F, 004BBC13

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: @Ef
API String ID: 0-2785291263
Opcode ID: 7abc2f74c27f5f060929c332b7f501203fbba6ff29562da006b3ce0b92539835
Instruction ID: db8837f49e837ec54b531192dfcecbc0a386a11ea2786d30b97616cb3803c016
Opcode Fuzzy Hash: 7abc2f74c27f5f060929c332b7f501203fbba6ff29562da006b3ce0b92539835
Instruction Fuzzy Hash: 3E42D1B4508345CFC724DF25C480AAABBF1FF89304F54892EE98987351E778A949CF96

Function 004A47A0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

ParseFloatPhoenicianProcessingRST_STREAMSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSet-CookieUser-AgentWSACleanupWSASocketWWSAStartupatomicand8casgstatuscomplex128connectiondnsapi.dllexitThreadexp mastergetsockoptgoroutine http_proxyimage/jpegimage/webp, xrefs: 004A4D23, 004A4DA8

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: ParseFloatPhoenicianProcessingRST_STREAMSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSet-CookieUser-AgentWSACleanupWSASocketWWSAStartupatomicand8casgstatuscomplex128connectiondnsapi.dllexitThreadexp mastergetsockoptgoroutine http_proxyimage/jpegimage/webp
API String ID: 0-3480181070
Opcode ID: 33bcde2639c69fef6023ef1282087b8bd24b784998c89b7123667b3acdf15e6c
Instruction ID: 6bb56e9455c04bbe835196173c9ab4bfef678f83d139c83aa3b9c6772f695d70
Opcode Fuzzy Hash: 33bcde2639c69fef6023ef1282087b8bd24b784998c89b7123667b3acdf15e6c
Instruction Fuzzy Hash: DB128036A087148FD328CF69C88055EF7E2BBC8750F158A2DE9A587350EBB1EC45CB85

Function 004F6970 Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

invalid number base %dkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledprotocol not availableprotocol not supportedreflect.Value.MapI, xrefs: 004F705E

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: invalid number base %dkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledprotocol not availableprotocol not supportedreflect.Value.MapI
API String ID: 0-2610757077
Opcode ID: b8a30ebce1b1b210832eb1edc83ada19f1912cd403e40c7709b2fc72fb7733fc
Instruction ID: db11a54df5bb173ed54724bf58cb471e75ef9640525dd634bdf4313fd3541705
Opcode Fuzzy Hash: b8a30ebce1b1b210832eb1edc83ada19f1912cd403e40c7709b2fc72fb7733fc
Instruction Fuzzy Hash: 7512077460C3888FD324CF29D08076BBBE1BBC9700F51892EEAD983352D77998459B5B

Function 00478390 Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

LocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13, xrefs: 004783C1, 00478894

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: LocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64mkdirmonthntohspanicparsepop3srangesleepslicesockssse41sse42ssse3text/tls13
API String ID: 0-473674791
Opcode ID: 91899b2e948e6f7025e9c7a845a539e7969a27cd238e163646807f35622a0249
Instruction ID: 2a6cf4a571b5f771e9a50f16cbc0de09f53c38e859ffb50d963e34fde0513fd4
Opcode Fuzzy Hash: 91899b2e948e6f7025e9c7a845a539e7969a27cd238e163646807f35622a0249
Instruction Fuzzy Hash: 3EE1A174608305CFC308EF19D49066ABBE2FB99305F55892EF89987351EB78E845CF86

Function 004CE0E0 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64, xrefs: 004CE4CB

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64
API String ID: 0-2434630079
Opcode ID: ebf3d015df1e265ce0aa105a51c924f56d50d29d5d641311c705b24997d0353c
Instruction ID: e30d1fa2c4e9a89a0b0d80270cd66c2a72e2f9e21cfcd99a4d54d0d0680ba6a0
Opcode Fuzzy Hash: ebf3d015df1e265ce0aa105a51c924f56d50d29d5d641311c705b24997d0353c
Instruction Fuzzy Hash: 78D1E1B8608741DFC354DF1AC180A2AFBE1BF89704F64C92EE89987311D739E955CB86

Function 0041C800 Relevance: 1.5, Strings: 1, Instructions: 227COMMON

Download Yara Rule

Strings

scanobject n == 0seeker can't seekselect (no cases)stack: frame={sp:thread exhaustiontransfer-encodingtruncated headersunknown caller pcwait for GC cyclewine_get_version, xrefs: 0041CAED

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: scanobject n == 0seeker can't seekselect (no cases)stack: frame={sp:thread exhaustiontransfer-encodingtruncated headersunknown caller pcwait for GC cyclewine_get_version
API String ID: 0-3210843353
Opcode ID: dae67dc0bc577d55697b09f8eb15b39953bc8a044c86f4ac87d93a1b25a5e35c
Instruction ID: e69100153cae50a308f375a16f39f1919e20730f2ffb1d9470e446ece02a0c89
Opcode Fuzzy Hash: dae67dc0bc577d55697b09f8eb15b39953bc8a044c86f4ac87d93a1b25a5e35c
Instruction Fuzzy Hash: AE9127B4A483488FC314DF15C9C066AF7E2BF88714F15892EE99987351D778E981CB8A

Function 005316B0 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

@, xrefs: 0053195E

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9258c3591d6df9857b12dc00e9460924f048afd2c1fc354595a7796ae8873323
Instruction ID: abc884bde2285c7b8f1bac5578780ff4104e678e7865d1735d1cfcbd7624a9a1
Opcode Fuzzy Hash: 9258c3591d6df9857b12dc00e9460924f048afd2c1fc354595a7796ae8873323
Instruction Fuzzy Hash: 9C816F3520D3818BD355CA7984C064FBFE2AFEA204F948A6DE9C45B387C574D909C7A7

Function 004FD2F0 Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

, xrefs: 004FD320

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2288e64ae7de331fbef40101d1f4f61948f108b6e17f0e588cd381811b41ff24
Instruction ID: 0281433afede75ab4a7ec8d9dff8573e4a147c8c805f2362766326ed94721534
Opcode Fuzzy Hash: 2288e64ae7de331fbef40101d1f4f61948f108b6e17f0e588cd381811b41ff24
Instruction Fuzzy Hash: A061E375A1030E4BD318AEADC8C4228F392FB45314F48463EDB118B383DA78A99997D6

Function 0052E390 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

`, xrefs: 0052E3BA

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 798003aed22db3e3ac9074229bd70e9b8992f0cf569001c90be2d2d41f5db7b0
Instruction ID: 2a7a6ce24d6aaea68b14d60726bf1f1e27be5f8e732499b65aea9c748173353a
Opcode Fuzzy Hash: 798003aed22db3e3ac9074229bd70e9b8992f0cf569001c90be2d2d41f5db7b0
Instruction Fuzzy Hash: 2A9104B42093459FC304DF59D480A0FFBE1BF99304F90896EE9884B392D775E909CBA6

Function 0052EF40 Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

@, xrefs: 0052F162

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: e4e4fa6a5648d86e151b15efe6dee170a1a5d9a7241f319f59a68a52c9621fba
Instruction ID: 0a31fc3ff7c638717b0264ae91188b9cd5108cc7dce84af63b653095eead10b5
Opcode Fuzzy Hash: e4e4fa6a5648d86e151b15efe6dee170a1a5d9a7241f319f59a68a52c9621fba
Instruction Fuzzy Hash: 0961AE3560D3818BD344DB2984C015FBFD2AFEA204F948A6DF9C95B382C674D809CB97

Function 00534D70 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

\, xrefs: 00534D9A

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: a34cf37d2a1d76cc27c2da8e2c65bf1f7bb5415d397f451f2ac96dce48d4b145
Instruction ID: 4a737ef4bbd195dab266ecfa15ae8ebec7028d376da82e7f33d2a5d6dd368d20
Opcode Fuzzy Hash: a34cf37d2a1d76cc27c2da8e2c65bf1f7bb5415d397f451f2ac96dce48d4b145
Instruction Fuzzy Hash: 1F71F2B42093858FC304DF19C480A0FFBE1BB89304F94896EE9885B392D775E949CB97

Function 004E1C40 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64, xrefs: 004E1CAB

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64
API String ID: 0-2434630079
Opcode ID: 607a24b83c35f66ea602dcce5ed7901cf239e8d3451c62f462d4b70e557ee08e
Instruction ID: 76b20ccf6c72a95317770c5d6c2b39ca6d061d0d21c3746c54f51054e2538b27
Opcode Fuzzy Hash: 607a24b83c35f66ea602dcce5ed7901cf239e8d3451c62f462d4b70e557ee08e
Instruction Fuzzy Hash: 1D0184B49483468FD304FF25C58161AF7E1BB88304F548A6DD89987312E778A945CB8A

Function 004A1A80 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64, xrefs: 004A1AB5

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64
API String ID: 0-2434630079
Opcode ID: f9b7b15c4a48b339026c4c9a8cb02ccc194d17775e9a315b611c63320c23ba1a
Instruction ID: a46100cb64f51c10bcc2840023bdacd72ea1f6e166e8e94d381bd0ee5d0ab690
Opcode Fuzzy Hash: f9b7b15c4a48b339026c4c9a8cb02ccc194d17775e9a315b611c63320c23ba1a
Instruction Fuzzy Hash: 6F014C74609701CFCB14DF55C080A2BB7E1BBA5304F15886EE48A4B366D738D845DB9A

Function 004EEE00 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64, xrefs: 004EEE22

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64
API String ID: 0-2434630079
Opcode ID: 8eeec41dc74764646c21d4541ae5f80d8c41953f43de7a4bfcab00e2e8220b9c
Instruction ID: f7d314555582dddb9ba72ca23983f2b23e291d643069bc712a230c32f218c9d5
Opcode Fuzzy Hash: 8eeec41dc74764646c21d4541ae5f80d8c41953f43de7a4bfcab00e2e8220b9c
Instruction Fuzzy Hash: 6111B3746083418FD304DF1AC190A2AFBE1BB88304F14885EE89D87352D739E945DF9B

Function 00492C50 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64, xrefs: 00492C6D

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64
API String ID: 0-2434630079
Opcode ID: c11354a0905a8139ade486eda16e9df2aecbdc5b72e0a6b32ee992fe54b4ff05
Instruction ID: 283f84beb91888deaa8899aa3d26bfdbc4794a36746a407f99d9fbc478d8114d
Opcode Fuzzy Hash: c11354a0905a8139ade486eda16e9df2aecbdc5b72e0a6b32ee992fe54b4ff05
Instruction Fuzzy Hash: 3BF0F4B49087019FCB04EF29C18161FBBE0BB88748F94486EE88D83751E739E945CB5B

Function 0049E780 Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

<nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64, xrefs: 0049E7A8

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID: <nil>AdlamAprilBamumBatakBuhidDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsageP-224P-256P-384P-521RangeRealmRunicSTermTakriTamilTypeAqemuvboxallowarraybad nchdirclosefalsefaultfloatfnamegcinghellohttpsimap2imap3imapsint16int32int64
API String ID: 0-2434630079
Opcode ID: 26ad8eab674201064a2c0806fca208780c9d54ebb6eff0fceb1a5f5212b3d36d
Instruction ID: de43162d72c805fc229588726c7492bc569e50c666389f48c4fe6c76ee84dbd9
Opcode Fuzzy Hash: 26ad8eab674201064a2c0806fca208780c9d54ebb6eff0fceb1a5f5212b3d36d
Instruction Fuzzy Hash: 55E0E579604600EFDB14CF16C480B6ABBE1BB88700F54C8AEE85E8B761D739E841DF16

Function 004A9AD0 Relevance: .9, Instructions: 911COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485f7230276863448fc505a844099d2ebd68e7ebeec42b4da1d200184ce7025c
Instruction ID: ec72a1a13ff9a9d7a14dbda2d53c17b98e840d3d788d7b1054dad5fd4898157b
Opcode Fuzzy Hash: 485f7230276863448fc505a844099d2ebd68e7ebeec42b4da1d200184ce7025c
Instruction Fuzzy Hash: 8D8259366083958FD324CF59C48079EF7E2BFC9300F59892ED9999B346D770A849CB86

Function 004FF760 Relevance: .8, Instructions: 775COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc591bdd2c78706ec2fbb24ab06f3d0c447c66ef011f053593c6949095c64b0
Instruction ID: 770ce8ecb3321734e650b6b9662c0bac205db38b17b87014e148e3aa59d03005
Opcode Fuzzy Hash: bdc591bdd2c78706ec2fbb24ab06f3d0c447c66ef011f053593c6949095c64b0
Instruction Fuzzy Hash: 1A72A6746087858FD378CF1DC981B8AF7E2BFC8200F548A2D969DC7366EA706815CB56

Function 004A8550 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93bce96d9256bf751173e4a9476bafb60fe843da7c55c8e92b6fdeff6e388e9
Instruction ID: fefde0e38e2f41750d46f73dece0f651c92158d29ba4402c0e6e943d257bf222
Opcode Fuzzy Hash: c93bce96d9256bf751173e4a9476bafb60fe843da7c55c8e92b6fdeff6e388e9
Instruction Fuzzy Hash: B842A2366093198FC315DE99C8C054EF7E2FBC9340F58893DE9944B386EBB5A849CB85

Function 004DCEB0 Relevance: .7, Instructions: 722COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c0da4a1356a3ec0d052dd59c5a2c10252b07159848a6ca072b074228024b3e
Instruction ID: c7888487f411fe346feb11dd9f245f495e4fc570bf9840ac9be25faf0f8efef1
Opcode Fuzzy Hash: 54c0da4a1356a3ec0d052dd59c5a2c10252b07159848a6ca072b074228024b3e
Instruction Fuzzy Hash: 5052AD71A4C3518FD321DF24C4A075EBBE2ABC9704F58891FE49887392D738D946CB8A

Function 004EDC30 Relevance: .7, Instructions: 666COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95184dd472b56bde749236508013ccb6bbd47980fb4904606485a20355bd4a9
Instruction ID: 800075c55a2ed1766d47ccb4d41f86f0eae735392607cd8c1db34e45aa5bba55
Opcode Fuzzy Hash: a95184dd472b56bde749236508013ccb6bbd47980fb4904606485a20355bd4a9
Instruction Fuzzy Hash: 4C72BC74A083858FD324DF16C080B9BFBE1BF89304F14892EE9D987352D775A949CB96

Function 00535A00 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ea42c436bffa7806b0cdde79ec3accb4d599dfef942cc265f5dce5e621c651
Instruction ID: 1a753610477f0e2efc3ab1a7c70234a6da35d1794769938bcc8c77fccf0269f3
Opcode Fuzzy Hash: f2ea42c436bffa7806b0cdde79ec3accb4d599dfef942cc265f5dce5e621c651
Instruction Fuzzy Hash: E032723714D70D4F8329EEE8D8C55C6B3D2EB84224F1A863D8A5687B41FEF8B50A95C4

Function 004A8FF0 Relevance: .6, Instructions: 636COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62e348de59cbb09a86f21abb4d35fe07528e8d2142fdf5190e3d57f75859831
Instruction ID: 71cbe75783031d88c2d1f534b15a46f35a135dddd7fe788a24c3ac95156e57f3
Opcode Fuzzy Hash: e62e348de59cbb09a86f21abb4d35fe07528e8d2142fdf5190e3d57f75859831
Instruction Fuzzy Hash: FA42AD36A083558FD324DF69C48075EF7E2BBC9300F54892ED99897352EB74AC49CB86

Function 004589B0 Relevance: .6, Instructions: 621COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd8c727db97c61511af5f38065ea987ecddbadbc5469abc396aedff93d2bba7
Instruction ID: eaeb68dd37e478e99a62e43fd86653221db1a74d3f441970f220cd1f223b44b3
Opcode Fuzzy Hash: 3bd8c727db97c61511af5f38065ea987ecddbadbc5469abc396aedff93d2bba7
Instruction Fuzzy Hash: 9142577490C3909BC714DF29C08062FBBE1AB89305F59896EFCD897352DB38D849DB96

Function 00412520 Relevance: .6, Instructions: 603COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf7b11c207dc360d4ed77470aa3b64d6096ccc488f0c4a60331668e6d1001ce
Instruction ID: 4b4ad1cf89dce031e69473b7b501c6ad6d671febe5de510f387ee7bf7093c012
Opcode Fuzzy Hash: bdf7b11c207dc360d4ed77470aa3b64d6096ccc488f0c4a60331668e6d1001ce
Instruction Fuzzy Hash: 1A12D2327087558BC314DE69C9C016AF3E2BBC9300F154A2ED595D7381EBB4ED5A8B8A

Function 0053B880 Relevance: .6, Instructions: 564COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a7f8160c7bfbf0573b45ac7ad4006b3c95bc783bda430c6a1e81130283daea
Instruction ID: 5ade0a6dc49dd6bb4fb7403ade4ca2baf83fb880d776af43231a481c230e7981
Opcode Fuzzy Hash: 09a7f8160c7bfbf0573b45ac7ad4006b3c95bc783bda430c6a1e81130283daea
Instruction Fuzzy Hash: 7D224A7164D7668FE712CE08C85035EFBE1BB88B44F85492DE5848B396D7B9C8468BC2

Function 004A7C50 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e267829888f5a32104b464d946176148e7d9d4faa89130ab6f1e1b7068633a59
Instruction ID: e3b7bb46c0a236393501474f4a29398a76be893d7452d519b941128416a3ce5b
Opcode Fuzzy Hash: e267829888f5a32104b464d946176148e7d9d4faa89130ab6f1e1b7068633a59
Instruction Fuzzy Hash: 30028E327087148FD315CE99C8C065EF7E2BBC8300F098A3DE99587355EAB5AC49CB86

Function 0052B420 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 630a1e6651963de7e423d5a82e849d05e43493a8509868d364208466d24b654d
Instruction ID: 84cff029a94850f46f1fb56ff13452703ca6043c0eb1d2f3c6f6833b4cf73618
Opcode Fuzzy Hash: 630a1e6651963de7e423d5a82e849d05e43493a8509868d364208466d24b654d
Instruction Fuzzy Hash: CB22F175A083418FD728DF29D490B6EFBE1BFC8304F14892DE99987392D774A845CB82

Function 004AEDE0 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dafe3a87e879ca62396d8c38bdeeb1a143ce186110902b145acb2680cdc1bcb9
Instruction ID: ee43b24b4e83fdf92ce8abb89319878172828fa59a3b191cb4a813c4f77ac78e
Opcode Fuzzy Hash: dafe3a87e879ca62396d8c38bdeeb1a143ce186110902b145acb2680cdc1bcb9
Instruction Fuzzy Hash: 4602DD7564C3558FD715CE5EC84032FBAE1ABA6304F44447EE5948B3C2DBBEC84A8B86

Function 00505890 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2159b33d91237a771cf8a9bd1b193c71366a833704691c797a5806a6c596baf2
Instruction ID: e2b6a45257bef379caa17f408c29c738ef7990b3ce2d0ea751a466600b266a4c
Opcode Fuzzy Hash: 2159b33d91237a771cf8a9bd1b193c71366a833704691c797a5806a6c596baf2
Instruction Fuzzy Hash: 45E13E3174D3998FD306DAAD4C8050FBFD19BD5200F94897DE9849B383DAA4E81AC7DA

Function 004E7370 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd35e81701a1ef64c669a8e7023eb3fcb601adc62596f75b52e7715ea5494f39
Instruction ID: c357b9dd94480f96395ff98b0ea459f3c293cd61b2acbf55cba2df8a0a128d92
Opcode Fuzzy Hash: dd35e81701a1ef64c669a8e7023eb3fcb601adc62596f75b52e7715ea5494f39
Instruction Fuzzy Hash: 75E1AA31A083A54BD310DF6E888002EFBE2BFC5311F59866EE5949B343D638E946DBD5

Function 004E78B0 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c77049f12dc5c2624acf15aae423b43b1146a26f811132e3f2b4df696db2a18a
Instruction ID: 5e2f417d79bc5a36f0daf32a4fd275cf3ecfaab799607dbfc6f702aaeb597aae
Opcode Fuzzy Hash: c77049f12dc5c2624acf15aae423b43b1146a26f811132e3f2b4df696db2a18a
Instruction Fuzzy Hash: D8E1AB31A083B54BD311DF2D888002AFBE2BFC5311F49866EE9949B347D634E946DBD5

Function 004A3E70 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e4bb1e7fef5fddb746ece2dd26a7d90d9e0239d28cf8d1db41be64c91bae30
Instruction ID: 72f01adb424859f0bd7d05527618e35ee8e6adb61e601277dbcfbe3f67e429d0
Opcode Fuzzy Hash: 59e4bb1e7fef5fddb746ece2dd26a7d90d9e0239d28cf8d1db41be64c91bae30
Instruction Fuzzy Hash: C1E17932A183148FC318CF59C48065EF7E2BBC9740F158A2EF89997340E7B5AD49CB86

Function 004EA270 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b230be4def13dc58de43e017ba069697a5a24bef48c92384dc33af1d5128ea
Instruction ID: 17302c07077bc77840e28110de08eed0faf6af1889ac7b6031322323d19e002a
Opcode Fuzzy Hash: 93b230be4def13dc58de43e017ba069697a5a24bef48c92384dc33af1d5128ea
Instruction Fuzzy Hash: 6FF12474A083858FC714CF26C48065AFBE2BBC8705F54892EE8C98B341D779E956CB87

Function 004FF250 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a9d9112e0182d51bb456f6c6219ac1c01f531e0e828b21d481ba194f7f34ed
Instruction ID: cb0c0dfd4fd3b377fe9de62c9c8023dbf131848559345d0fef684e3638df06f8
Opcode Fuzzy Hash: 68a9d9112e0182d51bb456f6c6219ac1c01f531e0e828b21d481ba194f7f34ed
Instruction Fuzzy Hash: 0CE1C172A007088BC714DF5DE88425DF7D2BF88320F698B7EDA1587382D779A919CB85

Function 00488AF0 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73b47f7aca4a8deea1ffe6d47f8c03dc418087fa9eaf746c9e2894c2a7677eb
Instruction ID: 045e933a4a81c6ec549ec00a59ee404a76d11e4ab51d83697f793bc8c8cb8503
Opcode Fuzzy Hash: f73b47f7aca4a8deea1ffe6d47f8c03dc418087fa9eaf746c9e2894c2a7677eb
Instruction Fuzzy Hash: 18F18BB8A093459F8304EF19C18082EFBF1BBC9704F518A1EFAC997351D735E9429B96

Function 00489BA0 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407226ed6b263c994b8b55705aba4690f99c6cc3e096251e5e2f8f50f1a3e9a9
Instruction ID: 0f20c4ee5ecf4735b35e2762e04a8113ea5916bb5c22cca925c1eb44da5727c3
Opcode Fuzzy Hash: 407226ed6b263c994b8b55705aba4690f99c6cc3e096251e5e2f8f50f1a3e9a9
Instruction Fuzzy Hash: 3AE1BB746097458F8308EF19C08092EBBF1BB89704F588A2EF9CA97351D736AD46DB46

Function 00514620 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff726d6906138fc91a1ff2f89a8121154fce50bb847fcf079248b709bccd484d
Instruction ID: 553566f17896b7685671159a7529c1df34af972d2aaf82afb93644884ed02b58
Opcode Fuzzy Hash: ff726d6906138fc91a1ff2f89a8121154fce50bb847fcf079248b709bccd484d
Instruction Fuzzy Hash: 06C17F72A087048BD308CF4DD89070AF7E2FFC8304F598A2DE9A957356D675AD16CB86

Function 005029A0 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31d4d0ba38dcf84602b0552edf826712085c680d3695712d29277e456a321a0
Instruction ID: a04cdfdd09329419882323f7e79453053db8499d78d90d9800073690eec12452
Opcode Fuzzy Hash: a31d4d0ba38dcf84602b0552edf826712085c680d3695712d29277e456a321a0
Instruction Fuzzy Hash: 1AB137766083558BC325DF25C48469EFBE2FFD8304F108D2EE89987382DB74A945CB86

Function 0052D5C0 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10cb3ee7ea5e442e673b00bc79e9ebd460ea57406f60cfcde8c6428103305036
Instruction ID: 3e5b1a1a16b970485f3fc590377b09f047d60055bf10346cca3c3afad53e3264
Opcode Fuzzy Hash: 10cb3ee7ea5e442e673b00bc79e9ebd460ea57406f60cfcde8c6428103305036
Instruction Fuzzy Hash: 95A19D35A083658FD704DF29C4C015EBBE1BF89304F54896DE9998B382D734E949CBE6

Function 004E7DF0 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d9888bb0b6d7c79c5c346cd2f1e294f2314e78f1f1156a80ae1d6522a5f5c0
Instruction ID: afbbe5b4b65dac76a6196710bce21dfa155d545b92b70e554ae0389512bbdb20
Opcode Fuzzy Hash: 20d9888bb0b6d7c79c5c346cd2f1e294f2314e78f1f1156a80ae1d6522a5f5c0
Instruction Fuzzy Hash: 1E9158316083A54BC710DF2EC88013AF7E2BFC8311F598A6EED9557246D738AD0A9BD5

Function 0052D280 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca18609efcf77ad9349129d1df8eb68fa97ef4a6a85e8270c5cdd394b8a03f32
Instruction ID: 9751522c55ab6441416750d783b401d9cd50f739743918bfcf3d7bc8f3a581ea
Opcode Fuzzy Hash: ca18609efcf77ad9349129d1df8eb68fa97ef4a6a85e8270c5cdd394b8a03f32
Instruction Fuzzy Hash: 77A1BE346083658FD704DF28D4C051EBBE2BFCA304F50896DE9998B382D774E949CBA2

Function 0052C260 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926dcec0356d0fbe38aa6ce121ca4b698ddc1e62184065843ea7273dffebbbc0
Instruction ID: d58e85920bbc67fc28e21c91c85e6478ca15b0e3b2f094797d2687543fca1d3c
Opcode Fuzzy Hash: 926dcec0356d0fbe38aa6ce121ca4b698ddc1e62184065843ea7273dffebbbc0
Instruction Fuzzy Hash: BC714B346083658FC708EF29C49442EBFE2AFC9305F448A6DE8995B387D674E905CBD6

Function 0040C310 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51654261dc5dc6ff0aa91bf5e414de1ee56ddf87b135242fb66e28b2bac9e6c8
Instruction ID: a6e3b78c7d7c8b2e9ef899d888ba169c024011c3acf69c48f14de0f080d8ce23
Opcode Fuzzy Hash: 51654261dc5dc6ff0aa91bf5e414de1ee56ddf87b135242fb66e28b2bac9e6c8
Instruction Fuzzy Hash: AD717A79604358CFC714EF24C88066AB7A0BB48704F4546BADC48AB383E778ED56DBD5

Function 004E6AE0 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46cf86384ce45b79c2ba56a051a2e18c34b4d60f6e778ada284fd4740e7bba8
Instruction ID: 3bbe0cd49ae15c6659ec2d73c5da4bb052c4b01add916d7b666ec1f0c17ad23c
Opcode Fuzzy Hash: f46cf86384ce45b79c2ba56a051a2e18c34b4d60f6e778ada284fd4740e7bba8
Instruction Fuzzy Hash: 95612A316093A59FC305CF59848050FFBE1AFD8344F498A2EE8899B392D7B5D906CB82

Function 004ED350 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030e459320a537ac57a9081485a5a66dd631bebb4d2a57c19bceceb585b6b8f7
Instruction ID: f7fbeaa549e54d86b6901b52b99c1d2d5a4b222da8a52fba5ade4308d01f5bb4
Opcode Fuzzy Hash: 030e459320a537ac57a9081485a5a66dd631bebb4d2a57c19bceceb585b6b8f7
Instruction Fuzzy Hash: 46519D36A083559BC304DF2AC48016EF7E2BBC8308F55893EE89997345E775ED458B8A

Function 004741F0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a911f894fc6eaea8f1ef3551fe21cb9e4bc008f86c07e1e98fe2a61a9c87abff
Instruction ID: f97a587a5b8ac46bc2f913d9afaeec5f2d9eebebb9e9474cf0bc717c35c54de7
Opcode Fuzzy Hash: a911f894fc6eaea8f1ef3551fe21cb9e4bc008f86c07e1e98fe2a61a9c87abff
Instruction Fuzzy Hash: C651D6367087154BD304DE5CC8C016EB3D2ABC8640F988A6DFE998B385E774DD02DB86

Function 004FE7B0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95fc7bc9b169e8905231b1bf0195d9ceb31cbdd53cfef19440b7e1b7118f7991
Instruction ID: 79142d7237538654c09be6c53d718473b4ca5da9130003dcda2824ef5743135a
Opcode Fuzzy Hash: 95fc7bc9b169e8905231b1bf0195d9ceb31cbdd53cfef19440b7e1b7118f7991
Instruction Fuzzy Hash: AC51EC7510D3849BD755CF29C4C054ABBA2AFE5208F68CA9CE4881B34BC275E907CBA6

Function 004E1A40 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 580ecec941d1438ef30d88149c0d8323a1b24c614ce3a160d6631e1206a7ee57
Instruction ID: 3281222fb23e47895b99cee0bb9686b0fe161232302eb98889d0a2bb8e62cb3f
Opcode Fuzzy Hash: 580ecec941d1438ef30d88149c0d8323a1b24c614ce3a160d6631e1206a7ee57
Instruction Fuzzy Hash: E2510DB4549386CFC348DF16C19043ABBE1BF44702F5489AEE8864B762D738ED81DB56

Function 00406E00 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f73657872b59ad6c79013c552055531da4adbc654e3b8480197dce938b70f5
Instruction ID: c73e9709ebeedbffcc29ab2d8daa556e46b2fe7b26efec79eda147ce8fe02921
Opcode Fuzzy Hash: 68f73657872b59ad6c79013c552055531da4adbc654e3b8480197dce938b70f5
Instruction Fuzzy Hash: 5851F6717582028BC70CCF38CA96526BB96FBC9200F51E47FE806CF6E6E534D6169B81

Function 004503D0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3623f67c8d0851e58ae574047faf2f94c103907ae4f7d8ec9f469ad32e700065
Instruction ID: 907e2cd928dbc74f2b7a9be43ac69f569374d1415e4be7cff39a19eed995d1c6
Opcode Fuzzy Hash: 3623f67c8d0851e58ae574047faf2f94c103907ae4f7d8ec9f469ad32e700065
Instruction Fuzzy Hash: C451C224C0CF4B65E6334B7DC4025267B207EB3240B01E76FFDC6B55B2EB666944BA22

Function 004E6960 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f5fa44a45e5a08d4ff1cff26a63134833174591bce24c34dc1a69127de816b
Instruction ID: 92a6abce830f7f7ffc5f154f154be424b022a49c5d98e1fe3119bddb87009991
Opcode Fuzzy Hash: d4f5fa44a45e5a08d4ff1cff26a63134833174591bce24c34dc1a69127de816b
Instruction Fuzzy Hash: 9C413E706093818FD709CF29849011EBFE2AFD9244F48C96DE8899B387D674D949CBA6

Function 0052C8C0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ac24b53755511dee8a35562ba0da22b73cffe48be94e53c5d3f05c4d2ccef4d
Instruction ID: 55fd2a8b519ec7ceadf4b5603bdd75b4db0f1fa1fe6b0df302cc20683c738a19
Opcode Fuzzy Hash: 6ac24b53755511dee8a35562ba0da22b73cffe48be94e53c5d3f05c4d2ccef4d
Instruction Fuzzy Hash: 123173337187190B935CECF998D622BB2C397C4200F4A863DDF56C7386EDB8981992C9

Function 004E62A0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0e5356793624fc88878293195ff110ba72858cd46c95a6cbdad89e6e0a9701
Instruction ID: 2122ff2de021c5e0de21eabb2001ca8358e35759ea3e3e5ff51cde10ae6e3d57
Opcode Fuzzy Hash: 9a0e5356793624fc88878293195ff110ba72858cd46c95a6cbdad89e6e0a9701
Instruction Fuzzy Hash: 26413A716083558FD700CF1AC0C051AFBE1FB88344F568A6EE9AA97312D774E946CF96

Function 0052CA00 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26383347d5f67ea6735e83020012a4670bc2db2ee9d4cea9ea2d334d8347fdda
Instruction ID: 7b825cc4528bd8ed962fe94c14d195e3239473b4bb35e762536a4a75a7036d6e
Opcode Fuzzy Hash: 26383347d5f67ea6735e83020012a4670bc2db2ee9d4cea9ea2d334d8347fdda
Instruction Fuzzy Hash: 5A3161327147190BA35CECF98C9622BB2C397C4200F49C63DDB56C7786E9B8981A92C5

Function 0052C4C0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de7ca2f7f1dca3065157669585ae32140b549024721c1bf7be36c565c7bb9c1
Instruction ID: b3ea390118c598ef3cce5be20e3a137b8f9ba41b1d64447d3bd3abcbc9b44bb5
Opcode Fuzzy Hash: 9de7ca2f7f1dca3065157669585ae32140b549024721c1bf7be36c565c7bb9c1
Instruction Fuzzy Hash: 0231E776A207548FC344DF58ECE111AB792F78C310F4A492CE6518B355FA34AB22DB94

Function 004FC700 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fda1c8d1eb915cc72dcdeeb5e725cec69ea180a6d6025af10ce4f9c8c38e8de
Instruction ID: 1f28e1c22f60d6f01fadcd989489fc1818217cc52611ab9ec892069456a130e6
Opcode Fuzzy Hash: 0fda1c8d1eb915cc72dcdeeb5e725cec69ea180a6d6025af10ce4f9c8c38e8de
Instruction Fuzzy Hash: DF21D131B0420A87C70CEA29885603E77D3ABC8304F048D3EE94BD3285DA78E8178A85

Function 00513E40 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c388c97625eaa3d0cf08761397b7e60e55ef30291583b0c38ff766440c918593
Instruction ID: 34928b5c597459331108ed7751344c47254130c127d7befcdbdd8f8bf3ccec25
Opcode Fuzzy Hash: c388c97625eaa3d0cf08761397b7e60e55ef30291583b0c38ff766440c918593
Instruction Fuzzy Hash: 8F21EA756447088F8708EFA6C481546B7E2BFCC208B65C2BC89184F30AFB76E9139A90

Function 00427800 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a430003ad0aa5b55ae480b0d484cb4dc1f4aac0c3a375a3f045c0bbfaecea739
Instruction ID: 7377ce603eda2d8abca3a2448319355ca394ef852ca3d0142c5ca5e84c056070
Opcode Fuzzy Hash: a430003ad0aa5b55ae480b0d484cb4dc1f4aac0c3a375a3f045c0bbfaecea739
Instruction Fuzzy Hash: 30116A757083158FD718EF21E09576BB7E1BB84344F80892EE8A687381E7399909CA56

Function 0043B070 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01899fc2e52a8a58710d28c0b5edbcb8814637ca68c11e4ecb26dc60f470bafb
Instruction ID: 27cfd29d884bb5d4ceeaf6ea592731502c8bc5d86a4b0372aa3f9ad317094d7c
Opcode Fuzzy Hash: 01899fc2e52a8a58710d28c0b5edbcb8814637ca68c11e4ecb26dc60f470bafb
Instruction Fuzzy Hash: A4F03A75A05644DFC305EF25D5817A9BBF1FF48708F80885EDC99433A2DB39A849CB22

Function 00451620 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d5c330cf624cd5bd411d0e3e10f985c523d7e0044af9a55021d24e0c4da4cc
Instruction ID: 39816acd5d3db450ac957862eba157dfd925d4a39f995c558836aaa3aca43307
Opcode Fuzzy Hash: 12d5c330cf624cd5bd411d0e3e10f985c523d7e0044af9a55021d24e0c4da4cc
Instruction Fuzzy Hash: 07D0ECB04083059FC310EF0CC88524ABBE0FB88630F808B5DA8B9432D0D33495088B93

Function 00450350 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71cbff6a63cd06314b29beecd0ea09756fc988f0f193cc55a5ac5a9ac22e30c9
Instruction ID: 611eba699e51f7d4a3e0fa7ad89b2e442e38fafe14dc2fcd2163f09cf077171b
Opcode Fuzzy Hash: 71cbff6a63cd06314b29beecd0ea09756fc988f0f193cc55a5ac5a9ac22e30c9
Instruction Fuzzy Hash: A8C012A4908BD09AF71187109208355BFC47741316F60C08FEC4801112C2FA85CCD706

Function 004512E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 004512EC
WriteFile.KERNEL32 ref: 00451320

Strings

RZmuFRC: signal received on thread not created by Go., xrefs: 004512F7

Memory Dump Source

Source File: 00000000.00000002.2903715035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903699543.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903853565.00000000005FB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904002546.0000000000819000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904023421.000000000081F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904051365.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904069474.000000000084E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.000000000084F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000865000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904088531.0000000000868000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904157011.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_p.jbxd

Similarity

API ID: FileHandleWrite
String ID: RZmuFRC: signal received on thread not created by Go.
API String ID: 3320372497-1813181609
Opcode ID: 5e252d2c0df5b1b11e023753846a3c4b3eaeef063c38a7c19dd2ec452a0ceddc
Instruction ID: 5f4a3e5b8e2ec80b7c233b2cd6260e454c0fdb1d32dfa7476873078fe23aae81
Opcode Fuzzy Hash: 5e252d2c0df5b1b11e023753846a3c4b3eaeef063c38a7c19dd2ec452a0ceddc
Instruction Fuzzy Hash: 91E052B4808B058BC340EF19D85524ABBE5FB89311F91CA5DE89847364E77499488BC7

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	rNuevaorden_pdf.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	I334hDwRjj.exe	Get hash	malicious	Blank Grabber, Njrat	Browse	ip-api.com/json/?fields=225545
	startup_str_466.bat	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	7dtpow.ps1	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	x.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	ip-api.com/json/?fields=225545
	test.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	ip-api.com/json/
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	ip-api.com/line/?fields=hosting
	1.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=hosting,query

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	rNuevaorden_pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	I334hDwRjj.exe	Get hash	malicious	Blank Grabber, Njrat	Browse	208.95.112.1
	startup_str_466.bat	Get hash	malicious	XWorm	Browse	208.95.112.1
	7dtpow.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	x.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	208.95.112.1
	test.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	208.95.112.1
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	208.95.112.1
	1.exe	Get hash	malicious	Unknown	Browse	208.95.112.1

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKATTV-ASBG	009274965.lnk	Get hash	malicious	DarkVision Rat	Browse	87.121.86.214
	LPO-0048532025.lnk	Get hash	malicious	DarkVision Rat	Browse	87.121.86.214
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	87.120.187.226
	Pago.xls	Get hash	malicious	AveMaria, UACMe	Browse	87.121.86.205
	yIla7SeJ6r.doc	Get hash	malicious	XenoRAT	Browse	87.121.86.205
	Outstanding_Payment.vbs	Get hash	malicious	Unknown	Browse	87.121.86.205
	Comprobante de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	87.121.86.105
	RHxJqGoGFB.exe	Get hash	malicious	Sality	Browse	94.156.127.59
	yVVZdG2NJX.exe	Get hash	malicious	GuLoader	Browse	87.121.86.8
	https://www.google.co.kr/url?url=https://hrtyuytitwagtxswxzqxpcm&jtdm=hjstxxb&qhwocq=elw&vrszx=mrursi&rtz=qksmlok&sdyxm=kxlpun&hnkj=iujyvng&vochgqf=ylsd&pkhfd=vyifcj&nymdhak=ffn&ylzv=xpddvxaj&zoadnebgoj=rccejsmuqd&q=amp/hmf1bnz.s%C2%ADlf%C2%ADpg%C2%ADq%C2%ADq%C2%ADwzu%C2%ADx%C2%ADppns%C2%ADc%C2%ADs%C2%AD.com%E2%80%8B/n7brnx1iy&lbgq=ihcrvpx&isffrcc=xjcvvbbd&hokv=buitobfj&nfzezydbgm=lhtjhglyxx&pjwu=tdsgcse&cesnzrb=ekoykarj&ifpv=yabmwecd&acyeqkflup=bacwibnnwl&dovx=vqvcdxk&rwbvdtj=khlezois&efgx=ktfpexjt&iqggbgjmwh=cvqmvfdelx&gqsh=ghsdgye&hipceti=hpqeesqk&hkvbucxuvo=drwoirzwsq&dril=qbpemxo&xziwtam=tdvywqlj&nndiwyldry=kjqbehmdbj&kqef=faiqetj&peigggc=vbyfdxky&fstmbbtmkx=rjxugltfmc&rpws=borxqez&rijvxqj=ntedqhtd&wohxxxgtmq=jpiozpkrbp&cxah=gcmtksp&tzidqah=syxnwioo&szzishkfke=xmnmodwwoc&xmif=xdxtrqz&ajzcojq=fmtqkshw&gkmh=vmwdknp&xvlhpuf=zkhqqziq&rvfh=igbqint&gdnzlky=hyzlhjke&dqkq=ophpttl&yoamsuz=cuykisoc&frzr=lajcnwi&chdmjpw=hymhkhbw&wnxy=zwkomqb&duxkrfq=asjrwcgu&fzya=hrpcnke&hxrusxm=foudbois&yqgm=uhfvxoo&uynyplq=iryzkatx&qfzs=stmleud&vkbxzkf=hxgbjzit&dnro=vjxntck&kfrldgj=vpyfihbn&nsko=sdzidzb&unudtuz=mnvrwokv&lisf=zxdfari&tdyzrah=otrtzuun&rfza=trokalr&vkfduyc=wpwvnxpe&jjsq=pgkbofh&uatnbjp=gtwiypfq&zilu=kagobvs&jqfufkw=bckrzetp&tjng=jgmmmod&fvdtpsk=vlyzfjep&mgoi=fklhysh&llyljdv=jxpogtdn&gcjv=vjlzkuf&erlhvti=peuprtov&kbxk=jviffkg&lklbxhl=uhzpnzfw&upaw=gfmiehp&ismxijp=hmwbsmgj&zdkc=kodikna&njllvzf=oodglyrw&urdk=cktezyn&vmqhwgh=kqcbhffu&riqy=tlnbqzr&nmlgrkn=inyeynzg&vebu=pwpghzr&ckpmyoc=tmeufjen&otic=svrqsdo&tbwzub	Get hash	malicious	Unknown	Browse	87.121.86.72
TUT-ASUS	rNuevaorden_pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	I334hDwRjj.exe	Get hash	malicious	Blank Grabber, Njrat	Browse	208.95.112.1
	startup_str_466.bat	Get hash	malicious	XWorm	Browse	208.95.112.1
	7dtpow.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	x.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	208.95.112.1
	test.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	208.95.112.1
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	208.95.112.1
	1.exe	Get hash	malicious	Unknown	Browse	208.95.112.1

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.24020990774791
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	p.exe
File size:	4'521'472 bytes
MD5:	194e3ca62e9ba481112e59310a00b54b
SHA1:	b847e924e9e0ead4777ee503348e802dd542dccb
SHA256:	03423f8fdb61fd95846125db52094515cb5eb4553be9c14f04e5e25ca9a12ec2
SHA512:	d68c9fd37a994d47a4f9022066309349c01fde945884baf1833d8a0d3d13ebc028374775bb899a0c94bca95b0a19d30872e41e07f5634417abba02333bed9b1f
SSDEEP:	49152:QJh8otvwQas/apa4PwcK9Dkh+oxXRgy51k8oDRr+aRl0WwHSFiWtMEquAb7/i:Wh8oGBs/apn6oxBB51kbrMmO/i
TLSH:	40265C50FA9B80F9DA07157044A7923FB731A60D9336CFCBCB406E97E817AD15A33269
File Content Preview:	MZ......................@...............................................!..L.SZnQsPJiijmWJrHHafgIMqfaQHdkqepFCRDMTgbV...$.......PE..L.........D...................................A...@...........................F............................................

Entrypoint:	0x451290
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	1cd364a9e949d5ecebd6c614e64bc545

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x469000	0x330	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x419020	0x84	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1f93f7	0x1f9400	bfdf9d60cb5fa6d53a433fb97059b900	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1fb000	0x21d859	0x21da00	1f7f42082e1fd82100253408c8b38e2c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x419000	0x4f778	0x38600	5e1482ec199d21f3af0a53ea723bd6d9	False	0.5089557926829268	data	6.101087761596061	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x469000	0x330	0x400	038a701fe4f6ed08cc5954b6ec6358f2	False	0.4287109375	data	4.084212401407136	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.symtab	0x46a000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report p.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: p.exePID: 7632, Parent PID: 2580

Windows Analysis Report
p.exe

Function 004512A0 Relevance: 1.5, APIs: 1, Instructions: 19
networkCOMMON

Function 0048A850 Relevance: 57.1, Strings: 45, Instructions: 870
COMMON

Function 0051AFF0 Relevance: 24.0, Strings: 14, Instructions: 6494
COMMON

Function 00522810 Relevance: 20.9, Strings: 14, Instructions: 3448
COMMON

Function 0043E770 Relevance: 16.7, Strings: 13, Instructions: 420
COMMON