Edit tour

Windows Analysis Report
system21.exe

Overview

General Information

Sample name:	system21.exe
Analysis ID:	1676523
MD5:	5766ef20fda9263ed77e6c00bf6ca20c
SHA1:	2e227cce2852a8711b283b12b738c30eff4ed7a3
SHA256:	04bbe3af082420e9f5ca72e3020c09e1ef16084697905e7f5b6a937d579192b0
Tags:	exeuser-LuRisa798
Infos:

Detection

Score:	68
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Disables Windows system restore

Joe Sandbox ML detected suspicious sample

Modifies existing user documents (likely ransomware behavior)

Uses cmd line tools excessively to alter registry or file data

Writes a notice file (html or txt) to demand a ransom

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Modifies existing windows services

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Classification

Process Tree

System is w10x64

system21.exe (PID: 7144 cmdline: "C:\Users\user\Desktop\system21.exe" MD5: 5766EF20FDA9263ED77E6C00BF6CA20C)

conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2520 cmdline: cmd /C move C:\Users\user\Desktop\DUUDTUBZFW\DUUDTUBZFW.docx C:\Users\user\Desktop\DUUDTUBZFW\DUUDTUBZFW.docx.[X6D6Q4@proton.me].LockBit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 5624 cmdline: cmd /C move C:\Users\user\Desktop\DUUDTUBZFW\EOWRVPQCCS.xlsx C:\Users\user\Desktop\DUUDTUBZFW\EOWRVPQCCS.xlsx.[X6D6Q4@proton.me].LockBit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 6040 cmdline: cmd /C move C:\Users\user\Desktop\DUUDTUBZFW\ZGGKNSUKOP.pdf C:\Users\user\Desktop\DUUDTUBZFW\ZGGKNSUKOP.pdf.[X6D6Q4@proton.me].LockBit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 5660 cmdline: cmd /C move C:\Users\user\Desktop\DUUDTUBZFW.docx C:\Users\user\Desktop\DUUDTUBZFW.docx.[X6D6Q4@proton.me].LockBit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 6096 cmdline: cmd /C move C:\Users\user\Desktop\EIVQSAOTAQ.xlsx C:\Users\user\Desktop\EIVQSAOTAQ.xlsx.[X6D6Q4@proton.me].LockBit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 5328 cmdline: cmd /C move C:\Users\user\Desktop\EOWRVPQCCS\EIVQSAOTAQ.xlsx C:\Users\user\Desktop\EOWRVPQCCS\EIVQSAOTAQ.xlsx.[X6D6Q4@proton.me].LockBit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 5456 cmdline: cmd /C move C:\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx C:\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx.[X6D6Q4@proton.me].LockBit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 6072 cmdline: cmd /C move C:\Users\user\Desktop\EOWRVPQCCS\GIGIYTFFYT.pdf C:\Users\user\Desktop\EOWRVPQCCS\GIGIYTFFYT.pdf.[X6D6Q4@proton.me].LockBit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 1264 cmdline: cmd /C move C:\Users\user\Desktop\EOWRVPQCCS.docx C:\Users\user\Desktop\EOWRVPQCCS.docx.[X6D6Q4@proton.me].LockBit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 5492 cmdline: cmd /C move C:\Users\user\Desktop\EOWRVPQCCS.xlsx C:\Users\user\Desktop\EOWRVPQCCS.xlsx.[X6D6Q4@proton.me].LockBit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 572 cmdline: cmd /C move C:\Users\user\Desktop\Excel.lnk C:\Users\user\Desktop\Excel.lnk.[X6D6Q4@proton.me].LockBit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 4068 cmdline: cmd /C move C:\Users\user\Desktop\GIGIYTFFYT.pdf C:\Users\user\Desktop\GIGIYTFFYT.pdf.[X6D6Q4@proton.me].LockBit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7008 cmdline: cmd /C move C:\Users\user\Desktop\ZGGKNSUKOP.pdf C:\Users\user\Desktop\ZGGKNSUKOP.pdf.[X6D6Q4@proton.me].LockBit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 6156 cmdline: cmd /C move C:\Users\user\Desktop\desktop.ini C:\Users\user\Desktop\desktop.ini.[X6D6Q4@proton.me].LockBit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 1268 cmdline: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 3656 cmdline: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS /v Start /t REG_DWORD /d 4 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cleanup

Joe Sandbox Signatures

• AV Detection
• Cryptography
• Compliance
• Software Vulnerabilities
• Networking
• Spam, unwanted Advertisements and Ransom Demands
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: system21.exe

Virustotal: Detection: 6%

Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 87.3%

Source: system21.exe, 00000000.00000000.946798973.0000000000354000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_3b856a4a-9

Source: system21.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: system21.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\system21.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], ebx		0_2_001D9890
Source: C:\Users\user\Desktop\system21.exe	Code function: 4x nop then mov dword ptr [esp], edx		0_2_001F2F30

Source: system21.exe	String found in binary or memory: https://go.dev/issue/66821):
Source: system21.exe	String found in binary or memory: https://go.dev/pkg/crypto/rsa#hdr-Minimum_key_size)b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Windows\SysWOW64\cmd.exe	File moved: C:\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	File deleted: C:\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File moved: C:\Users\user\Desktop\EOWRVPQCCS.xlsx	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File moved: C:\Users\user\Desktop\DUUDTUBZFW\DUUDTUBZFW.docx	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	File deleted: C:\Users\user\Desktop\DUUDTUBZFW\DUUDTUBZFW.docx	Jump to behavior

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\system21.exe	File dropped: C:\Users\user\Desktop\KLIZUSIQEN\Encrypt.html -> encrypted!!!</title><style>body {margin: 0;padding: 0;}header {background-color: #222;color: white;height: 100px;display: flex;align-items: center;padding: 0 20px;}h1 {margin: 0;font-size: 3rem;font-family: arial, sans-serif;text-shadow: 2px 2px #666;letter-spacing: 2px;}main {padding: 20px;background-color: #333;color: #ddd;font-size: 1.2rem;font-family: arial, sans-serif;line-height: 1.5;text-align: justify;text-shadow: 1px 1px #222;border: 2px solid #666;border-radius: 20px;box-shadow: 5px 5px #666;margin: 20px;}main p:first-of-type {margin-top: 0;}main p:last-of-type {margin-bottom: 0;}footer {background-color: #222;color: white;height: 50px;display: flex;align-items: center;padding: 0 20px;font-size: 1rem;font-family: arial, sans-serif;text-shadow: 1px 1px #666;	Jump to dropped file
Source: C:\Users\user\Desktop\system21.exe	File dropped: C:\Users\user\Desktop\TQDFJHPUIU\Encrypt.html -> encrypted!!!</title><style>body {margin: 0;padding: 0;}header {background-color: #222;color: white;height: 100px;display: flex;align-items: center;padding: 0 20px;}h1 {margin: 0;font-size: 3rem;font-family: arial, sans-serif;text-shadow: 2px 2px #666;letter-spacing: 2px;}main {padding: 20px;background-color: #333;color: #ddd;font-size: 1.2rem;font-family: arial, sans-serif;line-height: 1.5;text-align: justify;text-shadow: 1px 1px #222;border: 2px solid #666;border-radius: 20px;box-shadow: 5px 5px #666;margin: 20px;}main p:first-of-type {margin-top: 0;}main p:last-of-type {margin-bottom: 0;}footer {background-color: #222;color: white;height: 50px;display: flex;align-items: center;padding: 0 20px;font-size: 1rem;font-family: arial, sans-serif;text-shadow: 1px 1px #666;	Jump to dropped file
Source: C:\Users\user\Desktop\system21.exe	File dropped: C:\Users\user\Desktop\UNKRLCVOHV\Encrypt.html -> encrypted!!!</title><style>body {margin: 0;padding: 0;}header {background-color: #222;color: white;height: 100px;display: flex;align-items: center;padding: 0 20px;}h1 {margin: 0;font-size: 3rem;font-family: arial, sans-serif;text-shadow: 2px 2px #666;letter-spacing: 2px;}main {padding: 20px;background-color: #333;color: #ddd;font-size: 1.2rem;font-family: arial, sans-serif;line-height: 1.5;text-align: justify;text-shadow: 1px 1px #222;border: 2px solid #666;border-radius: 20px;box-shadow: 5px 5px #666;margin: 20px;}main p:first-of-type {margin-top: 0;}main p:last-of-type {margin-bottom: 0;}footer {background-color: #222;color: white;height: 50px;display: flex;align-items: center;padding: 0 20px;font-size: 1rem;font-family: arial, sans-serif;text-shadow: 1px 1px #666;	Jump to dropped file
Source: C:\Users\user\Desktop\system21.exe	File dropped: C:\Users\user\Desktop\EOWRVPQCCS\Encrypt.html -> encrypted!!!</title><style>body {margin: 0;padding: 0;}header {background-color: #222;color: white;height: 100px;display: flex;align-items: center;padding: 0 20px;}h1 {margin: 0;font-size: 3rem;font-family: arial, sans-serif;text-shadow: 2px 2px #666;letter-spacing: 2px;}main {padding: 20px;background-color: #333;color: #ddd;font-size: 1.2rem;font-family: arial, sans-serif;line-height: 1.5;text-align: justify;text-shadow: 1px 1px #222;border: 2px solid #666;border-radius: 20px;box-shadow: 5px 5px #666;margin: 20px;}main p:first-of-type {margin-top: 0;}main p:last-of-type {margin-bottom: 0;}footer {background-color: #222;color: white;height: 50px;display: flex;align-items: center;padding: 0 20px;font-size: 1rem;font-family: arial, sans-serif;text-shadow: 1px 1px #666;	Jump to dropped file
Source: C:\Users\user\Desktop\system21.exe	File dropped: C:\Users\user\Desktop\Encrypt.html -> encrypted!!!</title><style>body {margin: 0;padding: 0;}header {background-color: #222;color: white;height: 100px;display: flex;align-items: center;padding: 0 20px;}h1 {margin: 0;font-size: 3rem;font-family: arial, sans-serif;text-shadow: 2px 2px #666;letter-spacing: 2px;}main {padding: 20px;background-color: #333;color: #ddd;font-size: 1.2rem;font-family: arial, sans-serif;line-height: 1.5;text-align: justify;text-shadow: 1px 1px #222;border: 2px solid #666;border-radius: 20px;box-shadow: 5px 5px #666;margin: 20px;}main p:first-of-type {margin-top: 0;}main p:last-of-type {margin-bottom: 0;}footer {background-color: #222;color: white;height: 50px;display: flex;align-items: center;padding: 0 20px;font-size: 1rem;font-family: arial, sans-serif;text-shadow: 1px 1px #666;	Jump to dropped file
Source: C:\Users\user\Desktop\system21.exe	File dropped: C:\Users\user\Desktop\CZQKSDDMWR\Encrypt.html -> encrypted!!!</title><style>body {margin: 0;padding: 0;}header {background-color: #222;color: white;height: 100px;display: flex;align-items: center;padding: 0 20px;}h1 {margin: 0;font-size: 3rem;font-family: arial, sans-serif;text-shadow: 2px 2px #666;letter-spacing: 2px;}main {padding: 20px;background-color: #333;color: #ddd;font-size: 1.2rem;font-family: arial, sans-serif;line-height: 1.5;text-align: justify;text-shadow: 1px 1px #222;border: 2px solid #666;border-radius: 20px;box-shadow: 5px 5px #666;margin: 20px;}main p:first-of-type {margin-top: 0;}main p:last-of-type {margin-bottom: 0;}footer {background-color: #222;color: white;height: 50px;display: flex;align-items: center;padding: 0 20px;font-size: 1rem;font-family: arial, sans-serif;text-shadow: 1px 1px #666;	Jump to dropped file
Source: C:\Users\user\Desktop\system21.exe	File dropped: C:\Users\user\Desktop\DUUDTUBZFW\Encrypt.html -> encrypted!!!</title><style>body {margin: 0;padding: 0;}header {background-color: #222;color: white;height: 100px;display: flex;align-items: center;padding: 0 20px;}h1 {margin: 0;font-size: 3rem;font-family: arial, sans-serif;text-shadow: 2px 2px #666;letter-spacing: 2px;}main {padding: 20px;background-color: #333;color: #ddd;font-size: 1.2rem;font-family: arial, sans-serif;line-height: 1.5;text-align: justify;text-shadow: 1px 1px #222;border: 2px solid #666;border-radius: 20px;box-shadow: 5px 5px #666;margin: 20px;}main p:first-of-type {margin-top: 0;}main p:last-of-type {margin-bottom: 0;}footer {background-color: #222;color: white;height: 50px;display: flex;align-items: center;padding: 0 20px;font-size: 1rem;font-family: arial, sans-serif;text-shadow: 1px 1px #666;	Jump to dropped file

Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_00207790 NtCancelWaitCompletionPacket,SetWaitableTimer,NtAssociateWaitCompletionPacket,		0_2_00207790
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_00208FE0 DuplicateHandle,GetCurrentThreadId,CreateWaitableTimerExW,CreateWaitableTimerExW,NtCreateWaitCompletionPacket,VirtualQuery,		0_2_00208FE0

Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_001D9890	0_2_001D9890
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_001E68F0	0_2_001E68F0
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_00225900	0_2_00225900
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_001EB980	0_2_001EB980
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_001D3230	0_2_001D3230
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_0020CA10	0_2_0020CA10
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_001D52B0	0_2_001D52B0
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_001D6AC0	0_2_001D6AC0
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_001D72E0	0_2_001D72E0
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_001E3C60	0_2_001E3C60
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_002024F0	0_2_002024F0
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_001F7530	0_2_001F7530
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_00203D70	0_2_00203D70
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_00210DE0	0_2_00210DE0
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_001E1610	0_2_001E1610
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_001D7E30	0_2_001D7E30
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_001D6620	0_2_001D6620
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_001D9E90	0_2_001D9E90
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_001DF6A0	0_2_001DF6A0
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_001D86F0	0_2_001D86F0
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_0023EF30	0_2_0023EF30
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_001DF785	0_2_001DF785
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_001E47B0	0_2_001E47B0

Source: C:\Users\user\Desktop\system21.exe	Code function: String function: 0020DE40 appears 293 times
Source: C:\Users\user\Desktop\system21.exe	Code function: String function: 0023E6D0 appears 288 times

Source: system21.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\system21.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

Source: classification engine

Classification label: mal68.rans.evad.winEXE@34/50@0/0

Source: C:\Users\user\Desktop\system21.exe

File created: C:\Users\user\Desktop\Encrypt.html

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03

Source: system21.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\system21.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\system21.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: system21.exe

Virustotal: Detection: 6%

Source: system21.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: system21.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: system21.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: system21.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: system21.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: system21.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: system21.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: system21.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: system21.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: system21.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: system21.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: system21.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: system21.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: system21.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: system21.exe	String found in binary or memory: misrounded allocation in sysAllocruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: system21.exe	String found in binary or memory: misrounded allocation in sysAllocruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: system21.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: system21.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: system21.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: system21.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: system21.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: system21.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: system21.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: system21.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: system21.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: system21.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: system21.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: system21.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: system21.exe	String found in binary or memory: example.com/m/load.EncryptWithRSA
Source: system21.exe	String found in binary or memory: example.com/m/load.EncryptWithRSATwo
Source: system21.exe	String found in binary or memory: example.com/m/load.Clearlog
Source: system21.exe	String found in binary or memory: example.com/m/load.disableSystemRestore
Source: system21.exe	String found in binary or memory: example.com/m/load.deleteRestorePoints
Source: system21.exe	String found in binary or memory: example.com/m/load.RandomString
Source: system21.exe	String found in binary or memory: example.com/m/load.CreateHTMLFile
Source: system21.exe	String found in binary or memory: example.com/m/load.GetDriveLetters
Source: system21.exe	String found in binary or memory: example.com/m/load.Encrypt
Source: system21.exe	String found in binary or memory: example.com/m/load.Encrypt.deferwrap1
Source: system21.exe	String found in binary or memory: example.com/m/load.CheckFileExtension
Source: system21.exe	String found in binary or memory: example.com/m/load.TraverseFolder
Source: system21.exe	String found in binary or memory: example.com/m/load.TraverseFolder.func1
Source: system21.exe	String found in binary or memory: example.com/m/load.IfDir
Source: system21.exe	String found in binary or memory: example.com/m/load.EncryptStart
Source: system21.exe	String found in binary or memory: example.com/m/load.EncryptStart.func1
Source: system21.exe	String found in binary or memory: example.com/m/load.GenerateHTML
Source: system21.exe	String found in binary or memory: 1io/ioutil.initsort.Sortsort.reverse.Lesssort.StringSlice.Lensort.StringSlice.Lesssort.StringSlice.Swapsort.insertionSortsort.siftDownsort.heapSortsort.pdqsortsort.partitionsort.partitionEqualsort.partialInsertionSortsort.breakPatternssort.nextPowerOfTwosort.(xorshift).Nextsort.choosePivotsort.medianAdjacentsort.mediansort.order2sort.reverseRangesort.(StringSlice).Lensort.(StringSlice).Lesssort.(StringSlice).Swapsort.reverse.Lensort.(reverse).Lensort.(reverse).Lesssort.reverse.Swapsort.(reverse).Swapexample.com/m/load.EncryptWithRSAexample.com/m/load.EncryptWithRSATwoexample.com/m/load.Clearlogexample.com/m/load.disableSystemRestoreexample.com/m/load.deleteRestorePointsexample.com/m/load.RandomStringencoding/hex.EncodeToStringencoding/hex.EncodedLenencoding/hex.Encodeexample.com/m/load.CreateHTMLFileio/ioutil.WriteFileexample.com/m/load.GetDriveLetterssort.Reverseexample.com/m/load.Encryptexample.com/m/load.Encrypt.deferwrap1example.com/m/load.CheckFileExtensionexample.com/m/load.TraverseFolderexample.com/m/load.TraverseFolder.func1example.com/m/load.IfDirexample.com/m/load.EncryptStartexample.com/m/load.EncryptStart.func1main.mainsyscall.(LazyDLL).NewProcflag.Stringflag.Parseexample.com/m/load.GenerateHTMLh5
Source: system21.exe	String found in binary or memory: C:/Program Files (x86)/Go/src/net/addrselect.go
Source: system21.exe	String found in binary or memory: C:/Users/Administrator/Desktop/enc/load/encryByrsa.go
Source: system21.exe	String found in binary or memory: C:/Users/Administrator/Desktop/enc/load/ends.go
Source: system21.exe	String found in binary or memory: C:/Users/Administrator/Desktop/enc/load/runs.go

Source: unknown	Process created: C:\Users\user\Desktop\system21.exe "C:\Users\user\Desktop\system21.exe"
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\DUUDTUBZFW\DUUDTUBZFW.docx C:\Users\user\Desktop\DUUDTUBZFW\DUUDTUBZFW.docx.[X6D6Q4@proton.me].LockBit
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\DUUDTUBZFW\EOWRVPQCCS.xlsx C:\Users\user\Desktop\DUUDTUBZFW\EOWRVPQCCS.xlsx.[X6D6Q4@proton.me].LockBit
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\DUUDTUBZFW\ZGGKNSUKOP.pdf C:\Users\user\Desktop\DUUDTUBZFW\ZGGKNSUKOP.pdf.[X6D6Q4@proton.me].LockBit
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\DUUDTUBZFW.docx C:\Users\user\Desktop\DUUDTUBZFW.docx.[X6D6Q4@proton.me].LockBit
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\EIVQSAOTAQ.xlsx C:\Users\user\Desktop\EIVQSAOTAQ.xlsx.[X6D6Q4@proton.me].LockBit
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\EOWRVPQCCS\EIVQSAOTAQ.xlsx C:\Users\user\Desktop\EOWRVPQCCS\EIVQSAOTAQ.xlsx.[X6D6Q4@proton.me].LockBit
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx C:\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx.[X6D6Q4@proton.me].LockBit
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\EOWRVPQCCS\GIGIYTFFYT.pdf C:\Users\user\Desktop\EOWRVPQCCS\GIGIYTFFYT.pdf.[X6D6Q4@proton.me].LockBit
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\EOWRVPQCCS.docx C:\Users\user\Desktop\EOWRVPQCCS.docx.[X6D6Q4@proton.me].LockBit
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\EOWRVPQCCS.xlsx C:\Users\user\Desktop\EOWRVPQCCS.xlsx.[X6D6Q4@proton.me].LockBit
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\Excel.lnk C:\Users\user\Desktop\Excel.lnk.[X6D6Q4@proton.me].LockBit
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\GIGIYTFFYT.pdf C:\Users\user\Desktop\GIGIYTFFYT.pdf.[X6D6Q4@proton.me].LockBit
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\ZGGKNSUKOP.pdf C:\Users\user\Desktop\ZGGKNSUKOP.pdf.[X6D6Q4@proton.me].LockBit
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\desktop.ini C:\Users\user\Desktop\desktop.ini.[X6D6Q4@proton.me].LockBit
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS /v Start /t REG_DWORD /d 4 /f
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\DUUDTUBZFW\DUUDTUBZFW.docx C:\Users\user\Desktop\DUUDTUBZFW\DUUDTUBZFW.docx.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\DUUDTUBZFW\EOWRVPQCCS.xlsx C:\Users\user\Desktop\DUUDTUBZFW\EOWRVPQCCS.xlsx.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\DUUDTUBZFW\ZGGKNSUKOP.pdf C:\Users\user\Desktop\DUUDTUBZFW\ZGGKNSUKOP.pdf.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\DUUDTUBZFW.docx C:\Users\user\Desktop\DUUDTUBZFW.docx.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\EIVQSAOTAQ.xlsx C:\Users\user\Desktop\EIVQSAOTAQ.xlsx.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\EOWRVPQCCS\EIVQSAOTAQ.xlsx C:\Users\user\Desktop\EOWRVPQCCS\EIVQSAOTAQ.xlsx.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx C:\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\EOWRVPQCCS\GIGIYTFFYT.pdf C:\Users\user\Desktop\EOWRVPQCCS\GIGIYTFFYT.pdf.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\EOWRVPQCCS.docx C:\Users\user\Desktop\EOWRVPQCCS.docx.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\EOWRVPQCCS.xlsx C:\Users\user\Desktop\EOWRVPQCCS.xlsx.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\Excel.lnk C:\Users\user\Desktop\Excel.lnk.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\GIGIYTFFYT.pdf C:\Users\user\Desktop\GIGIYTFFYT.pdf.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\ZGGKNSUKOP.pdf C:\Users\user\Desktop\ZGGKNSUKOP.pdf.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\desktop.ini C:\Users\user\Desktop\desktop.ini.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS /v Start /t REG_DWORD /d 4 /f	Jump to behavior

Source: C:\Users\user\Desktop\system21.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Section loaded: umpdc.dll	Jump to behavior

Source: C:\Users\user\Desktop\system21.exe

File written: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: system21.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: system21.exe

Static file information: File size 3198464 > 1048576

Source: system21.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x182800
Source: system21.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x156000

Source: system21.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: system21.exe

Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_001F3B66 pushfd ; ret		0_2_001F3B67
Source: C:\Users\user\Desktop\system21.exe	Code function: 0_2_001EE766 pushfd ; ret		0_2_001EE767

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Users\user\Desktop\system21.exe	Process created: reg.exe
Source: C:\Users\user\Desktop\system21.exe	Process created: reg.exe
Source: C:\Users\user\Desktop\system21.exe	Process created: reg.exe	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: reg.exe	Jump to behavior

Source: C:\Windows\SysWOW64\reg.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS

Jump to behavior

Source: C:\Users\user\Desktop\system21.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: system21.exe, 00000000.00000002.976092988.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8

Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\DUUDTUBZFW\DUUDTUBZFW.docx C:\Users\user\Desktop\DUUDTUBZFW\DUUDTUBZFW.docx.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\DUUDTUBZFW\EOWRVPQCCS.xlsx C:\Users\user\Desktop\DUUDTUBZFW\EOWRVPQCCS.xlsx.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\DUUDTUBZFW\ZGGKNSUKOP.pdf C:\Users\user\Desktop\DUUDTUBZFW\ZGGKNSUKOP.pdf.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\DUUDTUBZFW.docx C:\Users\user\Desktop\DUUDTUBZFW.docx.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\EIVQSAOTAQ.xlsx C:\Users\user\Desktop\EIVQSAOTAQ.xlsx.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\EOWRVPQCCS\EIVQSAOTAQ.xlsx C:\Users\user\Desktop\EOWRVPQCCS\EIVQSAOTAQ.xlsx.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx C:\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\EOWRVPQCCS\GIGIYTFFYT.pdf C:\Users\user\Desktop\EOWRVPQCCS\GIGIYTFFYT.pdf.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\EOWRVPQCCS.docx C:\Users\user\Desktop\EOWRVPQCCS.docx.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\EOWRVPQCCS.xlsx C:\Users\user\Desktop\EOWRVPQCCS.xlsx.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\Excel.lnk C:\Users\user\Desktop\Excel.lnk.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\GIGIYTFFYT.pdf C:\Users\user\Desktop\GIGIYTFFYT.pdf.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\ZGGKNSUKOP.pdf C:\Users\user\Desktop\ZGGKNSUKOP.pdf.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C move C:\Users\user\Desktop\desktop.ini C:\Users\user\Desktop\desktop.ini.[X6D6Q4@proton.me].LockBit	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS /v Start /t REG_DWORD /d 4 /f	Jump to behavior

Source: C:\Users\user\Desktop\system21.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Queries volume information: C:\Users\user\Desktop\CZQKSDDMWR VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW\DUUDTUBZFW.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW\ZGGKNSUKOP.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS\EIVQSAOTAQ.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS\GIGIYTFFYT.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Queries volume information: C:\Users\user\Desktop\Excel.lnk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Queries volume information: C:\Users\user\Desktop\GIGIYTFFYT.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Queries volume information: C:\Users\user\Desktop\KLIZUSIQEN VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Queries volume information: C:\Users\user\Desktop\TQDFJHPUIU VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\system21.exe	Queries volume information: C:\Users\user\Desktop\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables Windows system restore

Source: C:\Windows\SysWOW64\reg.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore DisableSR

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	2 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Modify Registry	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	1 Inhibit System Recovery
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
system21.exe	7%	Virustotal	Browse
system21.exe	8%	ReversingLabs
SAMPLE	100%	Joe Sandbox ML

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1676523
Start date and time:	2025-04-28 19:21:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	system21.exe
Detection:	MAL
Classification:	mal68.rans.evad.winEXE@34/50@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target system21.exe, PID 7144 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Joe Sandbox View / Context

Created / dropped Files

C:\Users\user\Desktop\CZQKSDDMWR\Encrypt.html

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	HTML document, ASCII text, with very long lines (363)
Category:	dropped
Size (bytes):	2378
Entropy (8bit):	5.419937586745534
Encrypted:	false
SSDEEP:	48:B4axAaT4YkaT42VBopBTAavuBgoIE8eMK+5KIwCekY:wdmL8PfEZl
MD5:	3A86858B55DE8531B150A5B40450C2BA
SHA1:	B393C048DB07ED262C344E392090E90881C95D42
SHA-256:	0313C4626AF1206977A266A5B2C67E3EE6EAA3FFAD2E18144A50173EB21DEE01
SHA-512:	CC9E11F5659E0D08504BE4CEF31C8EA6EEDC6E4F3F9EFB9F70A897F23508951F184E9C25E4CDC470EABC74222EC0F6BDE3E463E48C162EEB786D6BF97723B2DA
Malicious:	true
Preview:	<!DOCTYPE html>..<html>..<head>...<meta charset="UTF-8">...<title>You are encrypted!!!</title>...<style>....body {.....margin: 0;.....padding: 0;....}......header {.....background-color: #222;.....color: white;.....height: 100px;.....display: flex;.....align-items: center;.....padding: 0 20px;....}......h1 {.....margin: 0;.....font-size: 3rem;.....font-family: Arial, sans-serif;.....text-shadow: 2px 2px #666;.....letter-spacing: 2px;....}......main {.....padding: 20px;.....background-color: #333;.....color: #ddd;.....font-size: 1.2rem;.....font-family: Arial, sans-serif;.....line-height: 1.5;.....text-align: justify;.....text-shadow: 1px 1px #222;.....border: 2px solid #666;.....border-radius: 20px;.....box-shadow: 5px 5px #666;.....margin: 20px;....}......main p:first-of-type {.....margin-top: 0;....}......main p:last-of-type {.....margin-bottom: 0;....}......footer {.....background-color: #222;.....color: white;.....height: 50px;.....display: flex;.....align-items: center;.....paddin

C:\Users\user\Desktop\DUUDTUBZFW.docx

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.8606606117989
Encrypted:	false
SSDEEP:	24:ifkrYRRUPDH9gZqVe/L114DeLyiBtLPi5QjL0wkLQLrKR4A00mgIEg/6n4aSXjxm:Qkvf8pTb79jwwkLQ/KAun4aSzxm
MD5:	87DE2AB890FF9E13C21C0C462658BC58
SHA1:	5E64CACA2581FAE51753593E52382617BAF4D020
SHA-256:	392A5A5BC05685A067FC39E23FF0020F7A9C717AF8B2DBC4D07D699D1BC5DC9A
SHA-512:	A28E59FBEC3AFD346A1B23FED46E2B0CA64E60D58217B1A09DBC2B22F1969E48A19B55C719935A29A625647D5E73CF8E779FED98ADE22DCE709225B1A1EBCCAA
Malicious:	false
Preview:	E7.....$....S.TT.=.$..b..8.2.u....6..`..;....bN.)9...x.v....l...[7..U.`.Z.w.......g&5a...m.."...e..t.A...AB...=..l....b...q........uG./x\....zl.3N.....H..o.\|..#..p-..:..Qfo!...EX.a.E$7.s>hB/..&..."......+.c8.....8&Zo.^o&!..]...-..`.......pz;.Jd.27.%.....w...7.....\|.....E7.7$>..Ge....b....}.....yk.(.t.f..^....:.E.F3JITk.%...P..e..[.mc}.O.......?.'...Z.m.tI.s.......\|....y.Y..W...d.f..!...'..S..(.n..w..... />....._..y-.KI...Q..OF\|b..R.x.]....U......KB.$'k....../.v.+.Y.....@1.\.E...5..b....k.......q%]..7[......m.l)x00.......~..{.F.....A...... _.a.j..Du......hn..<2..J....\..L.[......R. .k..Cw.....i.,_"a.y.......M2...V}...D.&....8..=.....i3.)......`.^?o..d..a;zN!..,i..z...:<Nx.$...}o.a.Gg..OZb...W.{......+J..P........@v.(.T..R....$.i6....'.1....(.0.^..x.>.M.e.%}..!.C.C......W..r.j.G..sC%...r..f1@. ...0.d&v.....'."*..y\.....I..}.?3..FB.L...$..e...".......O.. .j+....#{eQ,.&...X..o.....O.E......1[.V..@.....8....\|....k.....f..\|.Tc..u

C:\Users\user\Desktop\DUUDTUBZFW.docx.[X6D6Q4@proton.me].LockBit (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.8606606117989
Encrypted:	false
SSDEEP:	24:ifkrYRRUPDH9gZqVe/L114DeLyiBtLPi5QjL0wkLQLrKR4A00mgIEg/6n4aSXjxm:Qkvf8pTb79jwwkLQ/KAun4aSzxm
MD5:	87DE2AB890FF9E13C21C0C462658BC58
SHA1:	5E64CACA2581FAE51753593E52382617BAF4D020
SHA-256:	392A5A5BC05685A067FC39E23FF0020F7A9C717AF8B2DBC4D07D699D1BC5DC9A
SHA-512:	A28E59FBEC3AFD346A1B23FED46E2B0CA64E60D58217B1A09DBC2B22F1969E48A19B55C719935A29A625647D5E73CF8E779FED98ADE22DCE709225B1A1EBCCAA
Malicious:	false
Preview:	E7.....$....S.TT.=.$..b..8.2.u....6..`..;....bN.)9...x.v....l...[7..U.`.Z.w.......g&5a...m.."...e..t.A...AB...=..l....b...q........uG./x\....zl.3N.....H..o.\|..#..p-..:..Qfo!...EX.a.E$7.s>hB/..&..."......+.c8.....8&Zo.^o&!..]...-..`.......pz;.Jd.27.%.....w...7.....\|.....E7.7$>..Ge....b....}.....yk.(.t.f..^....:.E.F3JITk.%...P..e..[.mc}.O.......?.'...Z.m.tI.s.......\|....y.Y..W...d.f..!...'..S..(.n..w..... />....._..y-.KI...Q..OF\|b..R.x.]....U......KB.$'k....../.v.+.Y.....@1.\.E...5..b....k.......q%]..7[......m.l)x00.......~..{.F.....A...... _.a.j..Du......hn..<2..J....\..L.[......R. .k..Cw.....i.,_"a.y.......M2...V}...D.&....8..=.....i3.)......`.^?o..d..a;zN!..,i..z...:<Nx.$...}o.a.Gg..OZb...W.{......+J..P........@v.(.T..R....$.i6....'.1....(.0.^..x.>.M.e.%}..!.C.C......W..r.j.G..sC%...r..f1@. ...0.d&v.....'."*..y\.....I..}.?3..FB.L...$..e...".......O.. .j+....#{eQ,.&...X..o.....O.E......1[.V..@.....8....\|....k.....f..\|.Tc..u

C:\Users\user\Desktop\DUUDTUBZFW\DUUDTUBZFW.docx

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.856054182347621
Encrypted:	false
SSDEEP:	24:ifkrYRRUPDH9gZqVe/L114DeLyiBtLPi5QjL0wkLQLrKR4A00mgIEg/6n4aSX+Z+:Qkvf8pTb79jwwkLQ/KAun4aSOZMBzn
MD5:	65EAE4517F4EBAE64C774C67C6A15F99
SHA1:	CB4F5C0E77C96525B29EA346C62072D525A9C711
SHA-256:	2348AF9D3073747D6AA701A4EBCEAE2B89467860E2232ABE810801335849689C
SHA-512:	2D871BDCF9EC3EA0FC9C2E79159D93F52357C6A36D4D262D68755356CCB8930BC2A10D5BB24DDCB80CB05FE595C648814FB64C45C2FEB9CE57D39C4131C6FB62
Malicious:	true
Preview:	E7.....$....S.TT.=.$..b..8.2.u....6..`..;....bN.)9...x.v....l...[7..U.`.Z.w.......g&5a...m.."...e..t.A...AB...=..l....b...q........uG./x\....zl.3N.....H..o.\|..#..p-..:..Qfo!...EX.a.E$7.s>hB/..&..."......+.c8.....8&Zo.^o&!..]...-..`.......pz;.Jd.27.%.....w...7.....\|.....E7.7$>..Ge....b....}.....yk.(.t.f..^....:.E.F3JITk.%...P..e..[.mc}.O.......?.'...Z.m.tI.s.......\|....y.Y..W...d.f..!...'..S..(.n..w..... />....._..y-.KI...Q..OF\|b..R.x.]....U......KB.$'k....../.v.+.Y.....@1.\.E...5..b....k.......q%]..7[......m.l)x00.......~..{.F.....A...... _.a.j..Du......hn..<2..J....\..L.[......R. .k..Cw.....i.,_"a.y.......M2...V}...D.&....8..=.....i3.)......`.^?o..d..a;zN!..,i..z...:<Nx.$...}o.a.Gg..OZb...W.{......+J..P........@v.(.T..R....$.i6....'.1....(.0.^..x.>.M.e.%}..!.C.C......W..r.j.G..sC%...r..f1@. ...0.d&v.....'."*..y\.....I..}.?3..FB.L...$..e...".......O.. .j+....#{eQ,.&...X..o.....O.E......1[.V..@.....8....\|....k.....f..\|.Tc..u

C:\Users\user\Desktop\DUUDTUBZFW\DUUDTUBZFW.docx.[X6D6Q4@proton.me].LockBit (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.856054182347621
Encrypted:	false
SSDEEP:	24:ifkrYRRUPDH9gZqVe/L114DeLyiBtLPi5QjL0wkLQLrKR4A00mgIEg/6n4aSX+Z+:Qkvf8pTb79jwwkLQ/KAun4aSOZMBzn
MD5:	65EAE4517F4EBAE64C774C67C6A15F99
SHA1:	CB4F5C0E77C96525B29EA346C62072D525A9C711
SHA-256:	2348AF9D3073747D6AA701A4EBCEAE2B89467860E2232ABE810801335849689C
SHA-512:	2D871BDCF9EC3EA0FC9C2E79159D93F52357C6A36D4D262D68755356CCB8930BC2A10D5BB24DDCB80CB05FE595C648814FB64C45C2FEB9CE57D39C4131C6FB62
Malicious:	false
Preview:	E7.....$....S.TT.=.$..b..8.2.u....6..`..;....bN.)9...x.v....l...[7..U.`.Z.w.......g&5a...m.."...e..t.A...AB...=..l....b...q........uG./x\....zl.3N.....H..o.\|..#..p-..:..Qfo!...EX.a.E$7.s>hB/..&..."......+.c8.....8&Zo.^o&!..]...-..`.......pz;.Jd.27.%.....w...7.....\|.....E7.7$>..Ge....b....}.....yk.(.t.f..^....:.E.F3JITk.%...P..e..[.mc}.O.......?.'...Z.m.tI.s.......\|....y.Y..W...d.f..!...'..S..(.n..w..... />....._..y-.KI...Q..OF\|b..R.x.]....U......KB.$'k....../.v.+.Y.....@1.\.E...5..b....k.......q%]..7[......m.l)x00.......~..{.F.....A...... _.a.j..Du......hn..<2..J....\..L.[......R. .k..Cw.....i.,_"a.y.......M2...V}...D.&....8..=.....i3.)......`.^?o..d..a;zN!..,i..z...:<Nx.$...}o.a.Gg..OZb...W.{......+J..P........@v.(.T..R....$.i6....'.1....(.0.^..x.>.M.e.%}..!.C.C......W..r.j.G..sC%...r..f1@. ...0.d&v.....'."*..y\.....I..}.?3..FB.L...$..e...".......O.. .j+....#{eQ,.&...X..o.....O.E......1[.V..@.....8....\|....k.....f..\|.Tc..u

C:\Users\user\Desktop\DUUDTUBZFW\EOWRVPQCCS.xlsx

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.8758399512778805
Encrypted:	false
SSDEEP:	24:oOReMDo6xFVZapocyUCz4noPz9AbTSqJXVFIOZ2kAV3VJFjVdVLzAGpG7Z:oFMDxxzZyAzIoubTSqhPAVdpj4aG7Z
MD5:	3D908E60C1874F536CAD3120F0FAD7AE
SHA1:	C57A45F14762B727B65F9D82441EBE8F1BD360B5
SHA-256:	D4BF281C049713489CDAFE979FDC55AD5E46B832C9FA8AD951A2B0480257CDDD
SHA-512:	85E1E426427F1AFD55835B351D4B7D726463C0388D90CD4E0E760AB09339ACD4287020E48A8F080F22BDFE2704CEE7CE890A3005FAF671A239D4F1982E7D0C8F
Malicious:	false
Preview:	D-.....=....N.WP.9.0..v..:.,.j.... .....8....eU.41...d.}(....p...B4..[.y.F.a..d....m65....w..'...v..`.^...]X...<..k.....}...h.......eU.5vE....{n.)P.....N..`.f..2..a#..2.Bbg+...AY.o.W:(.t/bD!..)...*........4.o>.....:7Cl.@l/&..P...)..f......wk}7.N{.3..;.....p...?......h.......R-.$!"..@c....t....d......l.!.v.e..K.....,.T.U,GDVa.1...M..>r..H.tul.\........./...D.`.e@.x.......a....h.M..Z...m.~.+...>..R..5.q..}......,81.....P..\|2.\W...R..SVqr..P.z.C...Z......EU.-;{......$.o.5.W.....X&.U.Y...-..p....h.......h<C..-[.....d.t!h$4.."..2.k..y.K.....Y......,\.`.oo.Fb......tx..%0..H.....F..K.^......K. .g..Lk.....k.<Y!n.~.......J?...Ow...T.)....<..#.....~.........u.\'u...z..l#aR".. l..}...30B..9...~o.s.Fa..E@}...B.z..e... S..H........Cg.).G..D....5.q.....8.8....$.5.S..`.".C.j.9i.."._.R......B..f.o.L..}Q=...b..f3G.$...).`5l......3:..bI.....G..p.+,..WP.]...;..r...>.......@..&.w3....$n~E%.(...M..`.....U.Y......?A.I..@.....#.........h.....b..q.[p....u

C:\Users\user\Desktop\DUUDTUBZFW\EOWRVPQCCS.xlsx.[X6D6Q4@proton.me].LockBit (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.8758399512778805
Encrypted:	false
SSDEEP:	24:oOReMDo6xFVZapocyUCz4noPz9AbTSqJXVFIOZ2kAV3VJFjVdVLzAGpG7Z:oFMDxxzZyAzIoubTSqhPAVdpj4aG7Z
MD5:	3D908E60C1874F536CAD3120F0FAD7AE
SHA1:	C57A45F14762B727B65F9D82441EBE8F1BD360B5
SHA-256:	D4BF281C049713489CDAFE979FDC55AD5E46B832C9FA8AD951A2B0480257CDDD
SHA-512:	85E1E426427F1AFD55835B351D4B7D726463C0388D90CD4E0E760AB09339ACD4287020E48A8F080F22BDFE2704CEE7CE890A3005FAF671A239D4F1982E7D0C8F
Malicious:	false
Preview:	D-.....=....N.WP.9.0..v..:.,.j.... .....8....eU.41...d.}(....p...B4..[.y.F.a..d....m65....w..'...v..`.^...]X...<..k.....}...h.......eU.5vE....{n.)P.....N..`.f..2..a#..2.Bbg+...AY.o.W:(.t/bD!..)...*........4.o>.....:7Cl.@l/&..P...)..f......wk}7.N{.3..;.....p...?......h.......R-.$!"..@c....t....d......l.!.v.e..K.....,.T.U,GDVa.1...M..>r..H.tul.\........./...D.`.e@.x.......a....h.M..Z...m.~.+...>..R..5.q..}......,81.....P..\|2.\W...R..SVqr..P.z.C...Z......EU.-;{......$.o.5.W.....X&.U.Y...-..p....h.......h<C..-[.....d.t!h$4.."..2.k..y.K.....Y......,\.`.oo.Fb......tx..%0..H.....F..K.^......K. .g..Lk.....k.<Y!n.~.......J?...Ow...T.)....<..#.....~.........u.\'u...z..l#aR".. l..}...30B..9...~o.s.Fa..E@}...B.z..e... S..H........Cg.).G..D....5.q.....8.8....$.5.S..`.".C.j.9i.."._.R......B..f.o.L..}Q=...b..f3G.$...).`5l......3:..bI.....G..p.+,..WP.]...;..r...>.......@..&.w3....$n~E%.(...M..`.....U.Y......?A.I..@.....#.........h.....b..q.[p....u

C:\Users\user\Desktop\DUUDTUBZFW\Encrypt.html

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	HTML document, ASCII text, with very long lines (363)
Category:	dropped
Size (bytes):	2378
Entropy (8bit):	5.419937586745534
Encrypted:	false
SSDEEP:	48:B4axAaT4YkaT42VBopBTAavuBgoIE8eMK+5KIwCekY:wdmL8PfEZl
MD5:	3A86858B55DE8531B150A5B40450C2BA
SHA1:	B393C048DB07ED262C344E392090E90881C95D42
SHA-256:	0313C4626AF1206977A266A5B2C67E3EE6EAA3FFAD2E18144A50173EB21DEE01
SHA-512:	CC9E11F5659E0D08504BE4CEF31C8EA6EEDC6E4F3F9EFB9F70A897F23508951F184E9C25E4CDC470EABC74222EC0F6BDE3E463E48C162EEB786D6BF97723B2DA
Malicious:	true
Preview:	<!DOCTYPE html>..<html>..<head>...<meta charset="UTF-8">...<title>You are encrypted!!!</title>...<style>....body {.....margin: 0;.....padding: 0;....}......header {.....background-color: #222;.....color: white;.....height: 100px;.....display: flex;.....align-items: center;.....padding: 0 20px;....}......h1 {.....margin: 0;.....font-size: 3rem;.....font-family: Arial, sans-serif;.....text-shadow: 2px 2px #666;.....letter-spacing: 2px;....}......main {.....padding: 20px;.....background-color: #333;.....color: #ddd;.....font-size: 1.2rem;.....font-family: Arial, sans-serif;.....line-height: 1.5;.....text-align: justify;.....text-shadow: 1px 1px #222;.....border: 2px solid #666;.....border-radius: 20px;.....box-shadow: 5px 5px #666;.....margin: 20px;....}......main p:first-of-type {.....margin-top: 0;....}......main p:last-of-type {.....margin-bottom: 0;....}......footer {.....background-color: #222;.....color: white;.....height: 50px;.....display: flex;.....align-items: center;.....paddin

C:\Users\user\Desktop\DUUDTUBZFW\ZGGKNSUKOP.pdf

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.860134719007296
Encrypted:	false
SSDEEP:	24:fXdsQy1Huv5vwJ24ubWVoagk6SiDdkukz1DAl/WIwniuJz8eyTJZ:fCQy1OBwJBu2oBpDdkZzUWFnTJzWZ
MD5:	A009E1F8C2521F8B821CD705126A7D7B
SHA1:	A304C2BEF40AC7B9DD829F2350E891B452E3ACC1
SHA-256:	7BCC1EAFC3C2C7580D35055F33B3E2A482FB2FBA474214ABBDAE6F5755738540
SHA-512:	460F4998E18474B0A12BC854A7DF1B6ADFAFC937F827072BAE0F6F802E67764AEF11E739CFCBF85FC37C5C8FA6C564942D91E8743B71C953E55FE591D027CA75
Malicious:	false
Preview:	[%....5....G..RY.-.6..v..&./.a....(..`..$....yS.!;...a.b+....b...C(..G.`.D.~..}....b1<h...p.. ...l..v.Q...DO...5..e.....r...k.......iR.'vD....{y. M.....D..j.a.. ..\|4..&..N~m4...ME.m.L"'.}&oP:..&...:.......%.{=.....6(Xn.Nm02..R...!..}......er~,.Cd.:#.,.....~...'......u.....B6.:35..K{....a....v.....nn.?.v.u..Y.....R.A@ZHm.?...T..=n..G.a.h.\.......3.3...G.m.x@.........p....a.R..M...t.g.,...9..J....h..k.....<!<.....T..k=.PN...N..NGfa..A.x.U....X......EC.&!w......9.d. .Z.....F.K.H...'..~..x.......h,T.."K.....~.q"f+=..%..#.~..z.P.....[......,D.`.sz.Rb......dk.. .xC....V..].J......I...).j..Wn.....t.-A3o.c.......N?...[f...N.-....>..".....~!.6......p.U#c...`..b<mS&..=r..y...%-Fv.+...ki.m.Xm..ISu...B.l..l...7U..K........Vm.>.]..Z....#.h#....9.;....1.'.R..y.'.W.n.e..>.\.T......O..l.o.B..jK<...m..d.G.6...;.o(a.....%.<,..bQ.....Q..i."..]U.U...9..x...<.......R..5.h9....&wdR+.1...W..f......N.Q......?Q.O..G.....&....z..........`..}.^h...

C:\Users\user\Desktop\DUUDTUBZFW\ZGGKNSUKOP.pdf.[X6D6Q4@proton.me].LockBit (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.860134719007296
Encrypted:	false
SSDEEP:	24:fXdsQy1Huv5vwJ24ubWVoagk6SiDdkukz1DAl/WIwniuJz8eyTJZ:fCQy1OBwJBu2oBpDdkZzUWFnTJzWZ
MD5:	A009E1F8C2521F8B821CD705126A7D7B
SHA1:	A304C2BEF40AC7B9DD829F2350E891B452E3ACC1
SHA-256:	7BCC1EAFC3C2C7580D35055F33B3E2A482FB2FBA474214ABBDAE6F5755738540
SHA-512:	460F4998E18474B0A12BC854A7DF1B6ADFAFC937F827072BAE0F6F802E67764AEF11E739CFCBF85FC37C5C8FA6C564942D91E8743B71C953E55FE591D027CA75
Malicious:	false
Preview:	[%....5....G..RY.-.6..v..&./.a....(..`..$....yS.!;...a.b+....b...C(..G.`.D.~..}....b1<h...p.. ...l..v.Q...DO...5..e.....r...k.......iR.'vD....{y. M.....D..j.a.. ..\|4..&..N~m4...ME.m.L"'.}&oP:..&...:.......%.{=.....6(Xn.Nm02..R...!..}......er~,.Cd.:#.,.....~...'......u.....B6.:35..K{....a....v.....nn.?.v.u..Y.....R.A@ZHm.?...T..=n..G.a.h.\.......3.3...G.m.x@.........p....a.R..M...t.g.,...9..J....h..k.....<!<.....T..k=.PN...N..NGfa..A.x.U....X......EC.&!w......9.d. .Z.....F.K.H...'..~..x.......h,T.."K.....~.q"f+=..%..#.~..z.P.....[......,D.`.sz.Rb......dk.. .xC....V..].J......I...).j..Wn.....t.-A3o.c.......N?...[f...N.-....>..".....~!.6......p.U#c...`..b<mS&..=r..y...%-Fv.+...ki.m.Xm..ISu...B.l..l...7U..K........Vm.>.]..Z....#.h#....9.;....1.'.R..y.'.W.n.e..>.\.T......O..l.o.B..jK<...m..d.G.6...;.o(a.....%.<,..bQ.....Q..i."..]U.U...9..x...<.......R..5.h9....&wdR+.1...W..f......N.Q......?Q.O..G.....&....z..........`..}.^h...

C:\Users\user\Desktop\EIVQSAOTAQ.xlsx

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.85123873261989
Encrypted:	false
SSDEEP:	24:418JhT2CRcet4w+pCVb3GGw+XE41Dc1icWaCJ0lA:418JhTpRFt4Urw+XJDaUaC0q
MD5:	4CF29BBF12A1CD2C430E7ABFF259E404
SHA1:	FDFF2B9ABF4B7B0FFBE1F2A9CE8EB2E25E4FA41D
SHA-256:	16A7ECAE35FEF845F0956AB16438CEDDF2A8BD1498634F450451E36C1B026A64
SHA-512:	CAF1DD473661DDDC2A8B545A7116519983EBB47405F5E98D6C8FF8A5CF1CF271279FFA971BD3278D526EA14F381DC05C340C110DA8A21A91C830D6B9D9C2DD89
Malicious:	false
Preview:	D+.........C.MF.5.!..c..!.>.{....!..w../.....D./0...c.z6....b...]...V.d.Z.}.......u=3....l..>...p..e._....GB...,..v.....}...h.......bV.9rL....ar.&B......O..o.v.....i2..:.Psf=...RQ.w.N$0.}(pQ"..-...1.......&.q8....."7Pg.Uq#$..G... ..d......dxh>.Qz.-".5.....v...<.....l.......G4.3:9..Ow....t....}.....`f.$.w.p..\....-.R.Z?D]C`.5...E...h..G.ojm._......1.1...A.t.nD.{.......e....g.K..D...w.v.:...'..H..1.i..k......9&%.....I..i?.M]...N..RFnp..A.`.U...Y......HP.53t......:.}./.K....._".@.S...&.....p.......x2^..+^.....\|.g5s47..?..:.o..n.B......O......^.c.ek.^q......kc..(?.jT....\..[.S......S./.p..Fv.....c.'K#\|.i.......N1...Qs...I.%....&..1.....`4. ......a.Oq...y..k'oK0..,e..~...-$]`."...{h.z.Mp..EUw...P.v..f...;M..F........Cp.9.\..M....#.x1....=.$....9.?.]..n..A.x.0g..'.I.T......@..l.h.L..yI>...p..i _.&...1.v&`.....$.)5..wR.....A..{. &.._J.N.....`...#.......P..4.t....#jlH#.!...C..u.....K.]...... G.P..S.....!.........t.....v..g.Zo....}

C:\Users\user\Desktop\EIVQSAOTAQ.xlsx.[X6D6Q4@proton.me].LockBit (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.85123873261989
Encrypted:	false
SSDEEP:	24:418JhT2CRcet4w+pCVb3GGw+XE41Dc1icWaCJ0lA:418JhTpRFt4Urw+XJDaUaC0q
MD5:	4CF29BBF12A1CD2C430E7ABFF259E404
SHA1:	FDFF2B9ABF4B7B0FFBE1F2A9CE8EB2E25E4FA41D
SHA-256:	16A7ECAE35FEF845F0956AB16438CEDDF2A8BD1498634F450451E36C1B026A64
SHA-512:	CAF1DD473661DDDC2A8B545A7116519983EBB47405F5E98D6C8FF8A5CF1CF271279FFA971BD3278D526EA14F381DC05C340C110DA8A21A91C830D6B9D9C2DD89
Malicious:	false
Preview:	D+.........C.MF.5.!..c..!.>.{....!..w../.....D./0...c.z6....b...]...V.d.Z.}.......u=3....l..>...p..e._....GB...,..v.....}...h.......bV.9rL....ar.&B......O..o.v.....i2..:.Psf=...RQ.w.N$0.}(pQ"..-...1.......&.q8....."7Pg.Uq#$..G... ..d......dxh>.Qz.-".5.....v...<.....l.......G4.3:9..Ow....t....}.....`f.$.w.p..\....-.R.Z?D]C`.5...E...h..G.ojm._......1.1...A.t.nD.{.......e....g.K..D...w.v.:...'..H..1.i..k......9&%.....I..i?.M]...N..RFnp..A.`.U...Y......HP.53t......:.}./.K....._".@.S...&.....p.......x2^..+^.....\|.g5s47..?..:.o..n.B......O......^.c.ek.^q......kc..(?.jT....\..[.S......S./.p..Fv.....c.'K#\|.i.......N1...Qs...I.%....&..1.....`4. ......a.Oq...y..k'oK0..,e..~...-$]`."...{h.z.Mp..EUw...P.v..f...;M..F........Cp.9.\..M....#.x1....=.$....9.?.]..n..A.x.0g..'.I.T......@..l.h.L..yI>...p..i _.&...1.v&`.....$.)5..wR.....A..{. &.._J.N.....`...#.......P..4.t....#jlH#.!...C..u.....K.]...... G.P..S.....!.........t.....v..g.Zo....}

C:\Users\user\Desktop\EOWRVPQCCS.docx

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.869197595376719
Encrypted:	false
SSDEEP:	24:oOReMDo6xFVZapocyUCz4noPz9AbTSqJXVFIOZ2kAV3VJFjVFuHtA5VWo5FgLJRP:oFMDxxzZyAzIoubTSqhPAVdpkHkUQmFp
MD5:	4AD5AA7AC79233D12E84D0306664D35A
SHA1:	A47B8243FF96ACFE37D3C47D5994678676F0D8F8
SHA-256:	E9DDD39D5B399DCBB08F915D01205E23E3DD56F7016524CA3F0E57FF014EA253
SHA-512:	DB80372667EC4C1F494A7AD36BB3237411623C072A83310B4761BF330C65224456B7F19D33B0EF0423B62E0E69032C5F0F4C8098F4134FB4982EF622D475616E
Malicious:	false
Preview:	D-.....=....N.WP.9.0..v..:.,.j.... .....8....eU.41...d.}(....p...B4..[.y.F.a..d....m65....w..'...v..`.^...]X...<..k.....}...h.......eU.5vE....{n.)P.....N..`.f..2..a#..2.Bbg+...AY.o.W:(.t/bD!..)...*........4.o>.....:7Cl.@l/&..P...)..f......wk}7.N{.3..;.....p...?......h.......R-.$!"..@c....t....d......l.!.v.e..K.....,.T.U,GDVa.1...M..>r..H.tul.\........./...D.`.e@.x.......a....h.M..Z...m.~.+...>..R..5.q..}......,81.....P..\|2.\W...R..SVqr..P.z.C...Z......EU.-;{......$.o.5.W.....X&.U.Y...-..p....h.......h<C..-[.....d.t!h$4.."..2.k..y.K.....Y......,\.`.oo.Fb......tx..%0..H.....F..K.^......K. .g..Lk.....k.<Y!n.~.......J?...Ow...T.)....<..#.....~.........u.\'u...z..l#aR".. l..}...30B..9...~o.s.Fa..E@}...B.z..e... S..H........Cg.).G..D....5.q.....8.8....$.5.S..`.".C.j.9i.."._.R......B..f.o.L..}Q=...b..f3G.$...).`5l......3:..bI.....G..p.+,..WP.]...;..r...>.......@..&.w3....$n~E%.(...M..`.....U.Y......?A.I..@.....#.........h.....b..q.[p....u

C:\Users\user\Desktop\EOWRVPQCCS.docx.[X6D6Q4@proton.me].LockBit (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.869197595376719
Encrypted:	false
SSDEEP:	24:oOReMDo6xFVZapocyUCz4noPz9AbTSqJXVFIOZ2kAV3VJFjVFuHtA5VWo5FgLJRP:oFMDxxzZyAzIoubTSqhPAVdpkHkUQmFp
MD5:	4AD5AA7AC79233D12E84D0306664D35A
SHA1:	A47B8243FF96ACFE37D3C47D5994678676F0D8F8
SHA-256:	E9DDD39D5B399DCBB08F915D01205E23E3DD56F7016524CA3F0E57FF014EA253
SHA-512:	DB80372667EC4C1F494A7AD36BB3237411623C072A83310B4761BF330C65224456B7F19D33B0EF0423B62E0E69032C5F0F4C8098F4134FB4982EF622D475616E
Malicious:	false
Preview:	D-.....=....N.WP.9.0..v..:.,.j.... .....8....eU.41...d.}(....p...B4..[.y.F.a..d....m65....w..'...v..`.^...]X...<..k.....}...h.......eU.5vE....{n.)P.....N..`.f..2..a#..2.Bbg+...AY.o.W:(.t/bD!..)...*........4.o>.....:7Cl.@l/&..P...)..f......wk}7.N{.3..;.....p...?......h.......R-.$!"..@c....t....d......l.!.v.e..K.....,.T.U,GDVa.1...M..>r..H.tul.\........./...D.`.e@.x.......a....h.M..Z...m.~.+...>..R..5.q..}......,81.....P..\|2.\W...R..SVqr..P.z.C...Z......EU.-;{......$.o.5.W.....X&.U.Y...-..p....h.......h<C..-[.....d.t!h$4.."..2.k..y.K.....Y......,\.`.oo.Fb......tx..%0..H.....F..K.^......K. .g..Lk.....k.<Y!n.~.......J?...Ow...T.)....<..#.....~.........u.\'u...z..l#aR".. l..}...30B..9...~o.s.Fa..E@}...B.z..e... S..H........Cg.).G..D....5.q.....8.8....$.5.S..`.".C.j.9i.."._.R......B..f.o.L..}Q=...b..f3G.$...).`5l......3:..bI.....G..p.+,..WP.]...;..r...>.......@..&.w3....$n~E%.(...M..`.....U.Y......?A.I..@.....#.........h.....b..q.[p....u

C:\Users\user\Desktop\EOWRVPQCCS.xlsx

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.8680709212472415
Encrypted:	false
SSDEEP:	24:oOReMDo6xFVZapocyUCz4noPz9AbTSqJXVFIOZ2kAV3VJFjVSgW7JkCSr7YU37Dr:oFMDxxzZyAzIoubTSqhPAVdpSgmkC0Ya
MD5:	1D491FF51FC48DA04A995ECD9FA336A6
SHA1:	B8FF67450A4BDF39F231A4766E544833795C796A
SHA-256:	41369FA79846C9AC1601DB2F73529FCDD018E4A81A0F936A1C19263400C53E58
SHA-512:	83E95E976DBC9CEFBD704F1136F73A350C05707862A7FBEAEC07CA39CE0C6C1EFA3F2CEBC54B76D09EA565407626E71E68711495F1334D2620F1E3DFFBFFD7AC
Malicious:	true
Preview:	D-.....=....N.WP.9.0..v..:.,.j.... .....8....eU.41...d.}(....p...B4..[.y.F.a..d....m65....w..'...v..`.^...]X...<..k.....}...h.......eU.5vE....{n.)P.....N..`.f..2..a#..2.Bbg+...AY.o.W:(.t/bD!..)...*........4.o>.....:7Cl.@l/&..P...)..f......wk}7.N{.3..;.....p...?......h.......R-.$!"..@c....t....d......l.!.v.e..K.....,.T.U,GDVa.1...M..>r..H.tul.\........./...D.`.e@.x.......a....h.M..Z...m.~.+...>..R..5.q..}......,81.....P..\|2.\W...R..SVqr..P.z.C...Z......EU.-;{......$.o.5.W.....X&.U.Y...-..p....h.......h<C..-[.....d.t!h$4.."..2.k..y.K.....Y......,\.`.oo.Fb......tx..%0..H.....F..K.^......K. .g..Lk.....k.<Y!n.~.......J?...Ow...T.)....<..#.....~.........u.\'u...z..l#aR".. l..}...30B..9...~o.s.Fa..E@}...B.z..e... S..H........Cg.).G..D....5.q.....8.8....$.5.S..`.".C.j.9i.."._.R......B..f.o.L..}Q=...b..f3G.$...).`5l......3:..bI.....G..p.+,..WP.]...;..r...>.......@..&.w3....$n~E%.(...M..`.....U.Y......?A.I..@.....#.........h.....b..q.[p....u

C:\Users\user\Desktop\EOWRVPQCCS.xlsx.[X6D6Q4@proton.me].LockBit (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.8680709212472415
Encrypted:	false
SSDEEP:	24:oOReMDo6xFVZapocyUCz4noPz9AbTSqJXVFIOZ2kAV3VJFjVSgW7JkCSr7YU37Dr:oFMDxxzZyAzIoubTSqhPAVdpSgmkC0Ya
MD5:	1D491FF51FC48DA04A995ECD9FA336A6
SHA1:	B8FF67450A4BDF39F231A4766E544833795C796A
SHA-256:	41369FA79846C9AC1601DB2F73529FCDD018E4A81A0F936A1C19263400C53E58
SHA-512:	83E95E976DBC9CEFBD704F1136F73A350C05707862A7FBEAEC07CA39CE0C6C1EFA3F2CEBC54B76D09EA565407626E71E68711495F1334D2620F1E3DFFBFFD7AC
Malicious:	false
Preview:	D-.....=....N.WP.9.0..v..:.,.j.... .....8....eU.41...d.}(....p...B4..[.y.F.a..d....m65....w..'...v..`.^...]X...<..k.....}...h.......eU.5vE....{n.)P.....N..`.f..2..a#..2.Bbg+...AY.o.W:(.t/bD!..)...*........4.o>.....:7Cl.@l/&..P...)..f......wk}7.N{.3..;.....p...?......h.......R-.$!"..@c....t....d......l.!.v.e..K.....,.T.U,GDVa.1...M..>r..H.tul.\........./...D.`.e@.x.......a....h.M..Z...m.~.+...>..R..5.q..}......,81.....P..\|2.\W...R..SVqr..P.z.C...Z......EU.-;{......$.o.5.W.....X&.U.Y...-..p....h.......h<C..-[.....d.t!h$4.."..2.k..y.K.....Y......,\.`.oo.Fb......tx..%0..H.....F..K.^......K. .g..Lk.....k.<Y!n.~.......J?...Ow...T.)....<..#.....~.........u.\'u...z..l#aR".. l..}...30B..9...~o.s.Fa..E@}...B.z..e... S..H........Cg.).G..D....5.q.....8.8....$.5.S..`.".C.j.9i.."._.R......B..f.o.L..}Q=...b..f3G.$...).`5l......3:..bI.....G..p.+,..WP.]...;..r...>.......@..&.w3....$n~E%.(...M..`.....U.Y......?A.I..@.....#.........h.....b..q.[p....u

C:\Users\user\Desktop\EOWRVPQCCS\EIVQSAOTAQ.xlsx

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.850399343861191
Encrypted:	false
SSDEEP:	24:418JhT2CRcet4w+pCVb3GGw+XE41zG2Tyygd:418JhTpRFt4Urw+XJyay
MD5:	A46A8551B94EEC5F2D9FF031BC9F1FA4
SHA1:	3E8F36972E0B96494CE06E155F75F0AAAE8D9F09
SHA-256:	F6B77B168FC9E633344578624614A7B5B80C5F40C81051FDFB9C6474C957A176
SHA-512:	FAC87989167D79A389BF483FD81E84761724CEA4BB630532FDCD7B9FCB01A12AC7E15FC2A224AE4142903BACF540A7D832B0E27BAF9F616FB575D72F0E91CF45
Malicious:	false
Preview:	D+.........C.MF.5.!..c..!.>.{....!..w../.....D./0...c.z6....b...]...V.d.Z.}.......u=3....l..>...p..e._....GB...,..v.....}...h.......bV.9rL....ar.&B......O..o.v.....i2..:.Psf=...RQ.w.N$0.}(pQ"..-...1.......&.q8....."7Pg.Uq#$..G... ..d......dxh>.Qz.-".5.....v...<.....l.......G4.3:9..Ow....t....}.....`f.$.w.p..\....-.R.Z?D]C`.5...E...h..G.ojm._......1.1...A.t.nD.{.......e....g.K..D...w.v.:...'..H..1.i..k......9&%.....I..i?.M]...N..RFnp..A.`.U...Y......HP.53t......:.}./.K....._".@.S...&.....p.......x2^..+^.....\|.g5s47..?..:.o..n.B......O......^.c.ek.^q......kc..(?.jT....\..[.S......S./.p..Fv.....c.'K#\|.i.......N1...Qs...I.%....&..1.....`4. ......a.Oq...y..k'oK0..,e..~...-$]`."...{h.z.Mp..EUw...P.v..f...;M..F........Cp.9.\..M....#.x1....=.$....9.?.]..n..A.x.0g..'.I.T......@..l.h.L..yI>...p..i _.&...1.v&`.....$.)5..wR.....A..{. &.._J.N.....`...#.......P..4.t....#jlH#.!...C..u.....K.]...... G.P..S.....!.........t.....v..g.Zo....}

C:\Users\user\Desktop\EOWRVPQCCS\EIVQSAOTAQ.xlsx.[X6D6Q4@proton.me].LockBit (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.850399343861191
Encrypted:	false
SSDEEP:	24:418JhT2CRcet4w+pCVb3GGw+XE41zG2Tyygd:418JhTpRFt4Urw+XJyay
MD5:	A46A8551B94EEC5F2D9FF031BC9F1FA4
SHA1:	3E8F36972E0B96494CE06E155F75F0AAAE8D9F09
SHA-256:	F6B77B168FC9E633344578624614A7B5B80C5F40C81051FDFB9C6474C957A176
SHA-512:	FAC87989167D79A389BF483FD81E84761724CEA4BB630532FDCD7B9FCB01A12AC7E15FC2A224AE4142903BACF540A7D832B0E27BAF9F616FB575D72F0E91CF45
Malicious:	false
Preview:	D+.........C.MF.5.!..c..!.>.{....!..w../.....D./0...c.z6....b...]...V.d.Z.}.......u=3....l..>...p..e._....GB...,..v.....}...h.......bV.9rL....ar.&B......O..o.v.....i2..:.Psf=...RQ.w.N$0.}(pQ"..-...1.......&.q8....."7Pg.Uq#$..G... ..d......dxh>.Qz.-".5.....v...<.....l.......G4.3:9..Ow....t....}.....`f.$.w.p..\....-.R.Z?D]C`.5...E...h..G.ojm._......1.1...A.t.nD.{.......e....g.K..D...w.v.:...'..H..1.i..k......9&%.....I..i?.M]...N..RFnp..A.`.U...Y......HP.53t......:.}./.K....._".@.S...&.....p.......x2^..+^.....\|.g5s47..?..:.o..n.B......O......^.c.ek.^q......kc..(?.jT....\..[.S......S./.p..Fv.....c.'K#\|.i.......N1...Qs...I.%....&..1.....`4. ......a.Oq...y..k'oK0..,e..~...-$]`."...{h.z.Mp..EUw...P.v..f...;M..F........Cp.9.\..M....#.x1....=.$....9.?.]..n..A.x.0g..'.I.T......@..l.h.L..yI>...p..i _.&...1.v&`.....$.)5..wR.....A..{. &.._J.N.....`...#.......P..4.t....#jlH#.!...C..u.....K.]...... G.P..S.....!.........t.....v..g.Zo....}

C:\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.865558102055706
Encrypted:	false
SSDEEP:	24:oOReMDo6xFVZapocyUCz4noPz9AbTSqJXVFIOZ2kAV3VJFjViPLdwtQfn2zohR1:oFMDxxzZyAzIoubTSqhPAVdpi5wtQfnn
MD5:	E367EDC6751F1591A45E701C4F508F73
SHA1:	8FDC0475C23B0052BA7AC566D6894E866779643D
SHA-256:	6A1D605F60ACD8FB5D56223B3B1555416B71DE20631785B14F0D84F718F63748
SHA-512:	E3EDD314BBF38561E0D2AC3457645C11A80F7B37793933386780838AF97CC676E5C8105C188385608B30CA225D42C547A6D06D73B370CF9CCFFDE8486CA3CEDA
Malicious:	true
Preview:	D-.....=....N.WP.9.0..v..:.,.j.... .....8....eU.41...d.}(....p...B4..[.y.F.a..d....m65....w..'...v..`.^...]X...<..k.....}...h.......eU.5vE....{n.)P.....N..`.f..2..a#..2.Bbg+...AY.o.W:(.t/bD!..)...*........4.o>.....:7Cl.@l/&..P...)..f......wk}7.N{.3..;.....p...?......h.......R-.$!"..@c....t....d......l.!.v.e..K.....,.T.U,GDVa.1...M..>r..H.tul.\........./...D.`.e@.x.......a....h.M..Z...m.~.+...>..R..5.q..}......,81.....P..\|2.\W...R..SVqr..P.z.C...Z......EU.-;{......$.o.5.W.....X&.U.Y...-..p....h.......h<C..-[.....d.t!h$4.."..2.k..y.K.....Y......,\.`.oo.Fb......tx..%0..H.....F..K.^......K. .g..Lk.....k.<Y!n.~.......J?...Ow...T.)....<..#.....~.........u.\'u...z..l#aR".. l..}...30B..9...~o.s.Fa..E@}...B.z..e... S..H........Cg.).G..D....5.q.....8.8....$.5.S..`.".C.j.9i.."._.R......B..f.o.L..}Q=...b..f3G.$...).`5l......3:..bI.....G..p.+,..WP.]...;..r...>.......@..&.w3....$n~E%.(...M..`.....U.Y......?A.I..@.....#.........h.....b..q.[p....u

C:\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx.[X6D6Q4@proton.me].LockBit (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.865558102055706
Encrypted:	false
SSDEEP:	24:oOReMDo6xFVZapocyUCz4noPz9AbTSqJXVFIOZ2kAV3VJFjViPLdwtQfn2zohR1:oFMDxxzZyAzIoubTSqhPAVdpi5wtQfnn
MD5:	E367EDC6751F1591A45E701C4F508F73
SHA1:	8FDC0475C23B0052BA7AC566D6894E866779643D
SHA-256:	6A1D605F60ACD8FB5D56223B3B1555416B71DE20631785B14F0D84F718F63748
SHA-512:	E3EDD314BBF38561E0D2AC3457645C11A80F7B37793933386780838AF97CC676E5C8105C188385608B30CA225D42C547A6D06D73B370CF9CCFFDE8486CA3CEDA
Malicious:	false
Preview:	D-.....=....N.WP.9.0..v..:.,.j.... .....8....eU.41...d.}(....p...B4..[.y.F.a..d....m65....w..'...v..`.^...]X...<..k.....}...h.......eU.5vE....{n.)P.....N..`.f..2..a#..2.Bbg+...AY.o.W:(.t/bD!..)...*........4.o>.....:7Cl.@l/&..P...)..f......wk}7.N{.3..;.....p...?......h.......R-.$!"..@c....t....d......l.!.v.e..K.....,.T.U,GDVa.1...M..>r..H.tul.\........./...D.`.e@.x.......a....h.M..Z...m.~.+...>..R..5.q..}......,81.....P..\|2.\W...R..SVqr..P.z.C...Z......EU.-;{......$.o.5.W.....X&.U.Y...-..p....h.......h<C..-[.....d.t!h$4.."..2.k..y.K.....Y......,\.`.oo.Fb......tx..%0..H.....F..K.^......K. .g..Lk.....k.<Y!n.~.......J?...Ow...T.)....<..#.....~.........u.\'u...z..l#aR".. l..}...30B..9...~o.s.Fa..E@}...B.z..e... S..H........Cg.).G..D....5.q.....8.8....$.5.S..`.".C.j.9i.."._.R......B..f.o.L..}Q=...b..f3G.$...).`5l......3:..bI.....G..p.+,..WP.]...;..r...>.......@..&.w3....$n~E%.(...M..`.....U.Y......?A.I..@.....#.........h.....b..q.[p....u

C:\Users\user\Desktop\EOWRVPQCCS\Encrypt.html

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	HTML document, ASCII text, with very long lines (363)
Category:	dropped
Size (bytes):	2378
Entropy (8bit):	5.419937586745534
Encrypted:	false
SSDEEP:	48:B4axAaT4YkaT42VBopBTAavuBgoIE8eMK+5KIwCekY:wdmL8PfEZl
MD5:	3A86858B55DE8531B150A5B40450C2BA
SHA1:	B393C048DB07ED262C344E392090E90881C95D42
SHA-256:	0313C4626AF1206977A266A5B2C67E3EE6EAA3FFAD2E18144A50173EB21DEE01
SHA-512:	CC9E11F5659E0D08504BE4CEF31C8EA6EEDC6E4F3F9EFB9F70A897F23508951F184E9C25E4CDC470EABC74222EC0F6BDE3E463E48C162EEB786D6BF97723B2DA
Malicious:	true
Preview:	<!DOCTYPE html>..<html>..<head>...<meta charset="UTF-8">...<title>You are encrypted!!!</title>...<style>....body {.....margin: 0;.....padding: 0;....}......header {.....background-color: #222;.....color: white;.....height: 100px;.....display: flex;.....align-items: center;.....padding: 0 20px;....}......h1 {.....margin: 0;.....font-size: 3rem;.....font-family: Arial, sans-serif;.....text-shadow: 2px 2px #666;.....letter-spacing: 2px;....}......main {.....padding: 20px;.....background-color: #333;.....color: #ddd;.....font-size: 1.2rem;.....font-family: Arial, sans-serif;.....line-height: 1.5;.....text-align: justify;.....text-shadow: 1px 1px #222;.....border: 2px solid #666;.....border-radius: 20px;.....box-shadow: 5px 5px #666;.....margin: 20px;....}......main p:first-of-type {.....margin-top: 0;....}......main p:last-of-type {.....margin-bottom: 0;....}......footer {.....background-color: #222;.....color: white;.....height: 50px;.....display: flex;.....align-items: center;.....paddin

C:\Users\user\Desktop\EOWRVPQCCS\GIGIYTFFYT.pdf

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.855246261540098
Encrypted:	false
SSDEEP:	24:Go/y3THqWJy+oyxxZD1VRI91EwNNHJ0ldZmhFSSTxsiiTe2g8dtdAQi1:GGyjlxoyxxZBLUVqdZmh7TGii62tdtd6
MD5:	165BEF6CFF0D0EE1183E4E39D42DF28C
SHA1:	F51078FAF3DF838E379D852996668936EA77878C
SHA-256:	A7C1AFC2EAA3B3A2F98ECBAEBEA8646610143BD69CD57E85868F03D865FD01B7
SHA-512:	5CF4318AA5010F94F3FDC88C12B9A0DD451E36182DBDFE26BC9B675FA7BBFF6918AED656B7361C0C69A8C959F580DECD16A21F3730B63645FF56445497FFEFD7
Malicious:	false
Preview:	F+.....8....O.@U.$.6..v..#.-.v....)..u.. ....{T.3...q.k1........M3..G.j.C.b..q....r.:j...i..2...g..h.]...UE......{....s...p.......`G.:\|_....`o.'C.....M..p.x..5..i..$..D{k...SP.w.T9+.y0`B'......8......%.s .....47[s.Ff#/..Z...;..k......esu&.Gb. #.<.....q...).....h.......R5.0:)..@n....n....q.....ua.>.h.f..M....".I.@ VYA..3...Q..)r..\.fmj.^.......3.,...Y.o.xY.x.......\|....b.H..G...d.q..-...%..Y..#.t..i......6?!.....M..l=.EG...G..JRwv..\.b.V...]......ID.24u.......v.).R.....O.T.F...&..o..b.......n/\...)G.....j.p4v.2..'..4....{.S.....Y......<W.w.ns.\}......n~..(7.w[....G..X.V......K...).f...Om.....v.3T!u.m......._=..._a...K.)....#../......>.6......`.N,v...p..a+uP5..7~..v...+!Fg.-...nn.`.Qj..SPs...I.{..k...(A..I........Aw.7.[..Y....8.q'....'.$....9.".C..e.-.\.s.,`..'.].Z......@..j.q.O..rA2...i..d#Q....+.q8a....3.35..zC.....L..y./3..VG.^...+..c...;.......A..1.i:..../kfN?.#...B..i.....O.P......6X.T..D.....=....z....j.....y..z.[h....h

C:\Users\user\Desktop\EOWRVPQCCS\GIGIYTFFYT.pdf.[X6D6Q4@proton.me].LockBit (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.855246261540098
Encrypted:	false
SSDEEP:	24:Go/y3THqWJy+oyxxZD1VRI91EwNNHJ0ldZmhFSSTxsiiTe2g8dtdAQi1:GGyjlxoyxxZBLUVqdZmh7TGii62tdtd6
MD5:	165BEF6CFF0D0EE1183E4E39D42DF28C
SHA1:	F51078FAF3DF838E379D852996668936EA77878C
SHA-256:	A7C1AFC2EAA3B3A2F98ECBAEBEA8646610143BD69CD57E85868F03D865FD01B7
SHA-512:	5CF4318AA5010F94F3FDC88C12B9A0DD451E36182DBDFE26BC9B675FA7BBFF6918AED656B7361C0C69A8C959F580DECD16A21F3730B63645FF56445497FFEFD7
Malicious:	false
Preview:	F+.....8....O.@U.$.6..v..#.-.v....)..u.. ....{T.3...q.k1........M3..G.j.C.b..q....r.:j...i..2...g..h.]...UE......{....s...p.......`G.:\|_....`o.'C.....M..p.x..5..i..$..D{k...SP.w.T9+.y0`B'......8......%.s .....47[s.Ff#/..Z...;..k......esu&.Gb. #.<.....q...).....h.......R5.0:)..@n....n....q.....ua.>.h.f..M....".I.@ VYA..3...Q..)r..\.fmj.^.......3.,...Y.o.xY.x.......\|....b.H..G...d.q..-...%..Y..#.t..i......6?!.....M..l=.EG...G..JRwv..\.b.V...]......ID.24u.......v.).R.....O.T.F...&..o..b.......n/\...)G.....j.p4v.2..'..4....{.S.....Y......<W.w.ns.\}......n~..(7.w[....G..X.V......K...).f...Om.....v.3T!u.m......._=..._a...K.)....#../......>.6......`.N,v...p..a+uP5..7~..v...+!Fg.-...nn.`.Qj..SPs...I.{..k...(A..I........Aw.7.[..Y....8.q'....'.$....9.".C..e.-.\.s.,`..'.].Z......@..j.q.O..rA2...i..d#Q....+.q8a....3.35..zC.....L..y./3..VG.^...+..c...;.......A..1.i:..../kfN?.#...B..i.....O.P......6X.T..D.....=....z....j.....y..z.[h....h

C:\Users\user\Desktop\Encrypt.html

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	HTML document, ASCII text, with very long lines (363)
Category:	dropped
Size (bytes):	2378
Entropy (8bit):	5.419937586745534
Encrypted:	false
SSDEEP:	48:B4axAaT4YkaT42VBopBTAavuBgoIE8eMK+5KIwCekY:wdmL8PfEZl
MD5:	3A86858B55DE8531B150A5B40450C2BA
SHA1:	B393C048DB07ED262C344E392090E90881C95D42
SHA-256:	0313C4626AF1206977A266A5B2C67E3EE6EAA3FFAD2E18144A50173EB21DEE01
SHA-512:	CC9E11F5659E0D08504BE4CEF31C8EA6EEDC6E4F3F9EFB9F70A897F23508951F184E9C25E4CDC470EABC74222EC0F6BDE3E463E48C162EEB786D6BF97723B2DA
Malicious:	true
Preview:	<!DOCTYPE html>..<html>..<head>...<meta charset="UTF-8">...<title>You are encrypted!!!</title>...<style>....body {.....margin: 0;.....padding: 0;....}......header {.....background-color: #222;.....color: white;.....height: 100px;.....display: flex;.....align-items: center;.....padding: 0 20px;....}......h1 {.....margin: 0;.....font-size: 3rem;.....font-family: Arial, sans-serif;.....text-shadow: 2px 2px #666;.....letter-spacing: 2px;....}......main {.....padding: 20px;.....background-color: #333;.....color: #ddd;.....font-size: 1.2rem;.....font-family: Arial, sans-serif;.....line-height: 1.5;.....text-align: justify;.....text-shadow: 1px 1px #222;.....border: 2px solid #666;.....border-radius: 20px;.....box-shadow: 5px 5px #666;.....margin: 20px;....}......main p:first-of-type {.....margin-top: 0;....}......main p:last-of-type {.....margin-bottom: 0;....}......footer {.....background-color: #222;.....color: white;.....height: 50px;.....display: flex;.....align-items: center;.....paddin

C:\Users\user\Desktop\Excel.lnk

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	data
Category:	dropped
Size (bytes):	2719
Entropy (8bit):	7.925877496574379
Encrypted:	false
SSDEEP:	48:Be3WDMn03ipmtt/ok6fzbuCTTT8ACqw598/1DzXG/A2x1m3NmpBXd/Sv:BmWg03Lok6HPL8ACxG8/tBfN0
MD5:	C98BEC7FDFDEBC94019159DAEA072A9D
SHA1:	5CA4737E67D2D66D6BA69246BCFF87FFD748A78A
SHA-256:	F06BCFD695656BA086334DC39EAA3F33E47319827883F24B6E4EF835CF3B9565
SHA-512:	D62FBC8F3323D1125D7DFF9C1DCB6F23785CB545424D1A34FB9D7B421F08E46EEEFE41C631A5DBA47FD83650ED207DFAA80F70459F0C85856290CFD22E872F88
Malicious:	false
Preview:	Mb...~..\.......:I ...m.Vw{\|I..J..`x..lS...n.>x.k..5.2~L...:X.A.e..../...1...N.w..n.X......r....a...0.......X.yM.!?..O.0...........]0.~.................'.5G.w.(gDCk..S1#n.......I.rr..CgK...aj.........a.)WSt...paH6..Vj....$..h........:...:.m....Im.v.PV..$..^}...#.).......iM.v2o...4.\|.....7....F.L:..l.<K#O.......i...WgB.g,.v.Z-...<.i..%a...&U+..A(}..M....'.6..q...X.2.]...)...z...J..h..V.tT...Ya. ..L.....uj.Z..7.r.......I.../....6}.d9.3.j..../.W........7fg.....CW7.h.....A..i.....P.e.^(..+;.P.A.E.<....{'...L.=.>..Wv....`.u..e.O.......e.......;s1. ...:....W.')R.ru.:..............-...=.f...%.....9.i.e,.:.....B.w.&..5O....a.C..S..d.Z.~.j.7.%'..(J2eI.......L.Ko..=....Q=.>.h^.?...EN..cCa..C].........-...rl.#..........FC.Bi.......B.Iw.............(..@...j....0..k....~T...i..+.#...C.H./.J.>...s...H..Qm.........ct.p..W.......2iwZ=..... .(....;.+K....e..w.9C...eV'fo.d.O.....I....V..M;J..=xqWsS6...w..v:.'.X.<..?./..K.A ..\

C:\Users\user\Desktop\Excel.lnk.[X6D6Q4@proton.me].LockBit (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	2719
Entropy (8bit):	7.925877496574379
Encrypted:	false
SSDEEP:	48:Be3WDMn03ipmtt/ok6fzbuCTTT8ACqw598/1DzXG/A2x1m3NmpBXd/Sv:BmWg03Lok6HPL8ACxG8/tBfN0
MD5:	C98BEC7FDFDEBC94019159DAEA072A9D
SHA1:	5CA4737E67D2D66D6BA69246BCFF87FFD748A78A
SHA-256:	F06BCFD695656BA086334DC39EAA3F33E47319827883F24B6E4EF835CF3B9565
SHA-512:	D62FBC8F3323D1125D7DFF9C1DCB6F23785CB545424D1A34FB9D7B421F08E46EEEFE41C631A5DBA47FD83650ED207DFAA80F70459F0C85856290CFD22E872F88
Malicious:	false
Preview:	Mb...~..\.......:I ...m.Vw{\|I..J..`x..lS...n.>x.k..5.2~L...:X.A.e..../...1...N.w..n.X......r....a...0.......X.yM.!?..O.0...........]0.~.................'.5G.w.(gDCk..S1#n.......I.rr..CgK...aj.........a.)WSt...paH6..Vj....$..h........:...:.m....Im.v.PV..$..^}...#.).......iM.v2o...4.\|.....7....F.L:..l.<K#O.......i...WgB.g,.v.Z-...<.i..%a...&U+..A(}..M....'.6..q...X.2.]...)...z...J..h..V.tT...Ya. ..L.....uj.Z..7.r.......I.../....6}.d9.3.j..../.W........7fg.....CW7.h.....A..i.....P.e.^(..+;.P.A.E.<....{'...L.=.>..Wv....`.u..e.O.......e.......;s1. ...:....W.')R.ru.:..............-...=.f...%.....9.i.e,.:.....B.w.&..5O....a.C..S..d.Z.~.j.7.%'..(J2eI.......L.Ko..=....Q=.>.h^.?...EN..cCa..C].........-...rl.#..........FC.Bi.......B.Iw.............(..@...j....0..k....~T...i..+.#...C.H./.J.>...s...H..Qm.........ct.p..W.......2iwZ=..... .(....;.+K....e..w.9C...eV'fo.d.O.....I....V..M;J..=xqWsS6...w..v:.'.X.<..?./..K.A ..\

C:\Users\user\Desktop\GIGIYTFFYT.pdf

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.842652474208049
Encrypted:	false
SSDEEP:	24:Go/y3THqWJy+oyxxZD1VRI91EwNNHJ0ldZmhFSSTxsiiTe2gl3NfLUNGzVElX:GGyjlxoyxxZBLUVqdZmh7TGii62YNjUn
MD5:	669D3FF832C9554EEB799E15C9CF0C16
SHA1:	9BA2B2E0EBE5D3F379FDED8BF62106C37EAA3D03
SHA-256:	01BBAF8CCA0863F76A6FBEA802A2D1B150FE395E636E124CD0EBB1AA2666F6C2
SHA-512:	BF6DCCA26A3E662928031EE22DDD15040D3F5A48E6149BAE5963FA67DFC4ECB0763234403AD49A97D6434075CE99E8D0BBB978AC28916D4F79688521741FAD15
Malicious:	false
Preview:	F+.....8....O.@U.$.6..v..#.-.v....)..u.. ....{T.3...q.k1........M3..G.j.C.b..q....r.:j...i..2...g..h.]...UE......{....s...p.......`G.:\|_....`o.'C.....M..p.x..5..i..$..D{k...SP.w.T9+.y0`B'......8......%.s .....47[s.Ff#/..Z...;..k......esu&.Gb. #.<.....q...).....h.......R5.0:)..@n....n....q.....ua.>.h.f..M....".I.@ VYA..3...Q..)r..\.fmj.^.......3.,...Y.o.xY.x.......\|....b.H..G...d.q..-...%..Y..#.t..i......6?!.....M..l=.EG...G..JRwv..\.b.V...]......ID.24u.......v.).R.....O.T.F...&..o..b.......n/\...)G.....j.p4v.2..'..4....{.S.....Y......<W.w.ns.\}......n~..(7.w[....G..X.V......K...).f...Om.....v.3T!u.m......._=..._a...K.)....#../......>.6......`.N,v...p..a+uP5..7~..v...+!Fg.-...nn.`.Qj..SPs...I.{..k...(A..I........Aw.7.[..Y....8.q'....'.$....9.".C..e.-.\.s.,`..'.].Z......@..j.q.O..rA2...i..d#Q....+.q8a....3.35..zC.....L..y./3..VG.^...+..c...;.......A..1.i:..../kfN?.#...B..i.....O.P......6X.T..D.....=....z....j.....y..z.[h....h

C:\Users\user\Desktop\GIGIYTFFYT.pdf.[X6D6Q4@proton.me].LockBit (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.842652474208049
Encrypted:	false
SSDEEP:	24:Go/y3THqWJy+oyxxZD1VRI91EwNNHJ0ldZmhFSSTxsiiTe2gl3NfLUNGzVElX:GGyjlxoyxxZBLUVqdZmh7TGii62YNjUn
MD5:	669D3FF832C9554EEB799E15C9CF0C16
SHA1:	9BA2B2E0EBE5D3F379FDED8BF62106C37EAA3D03
SHA-256:	01BBAF8CCA0863F76A6FBEA802A2D1B150FE395E636E124CD0EBB1AA2666F6C2
SHA-512:	BF6DCCA26A3E662928031EE22DDD15040D3F5A48E6149BAE5963FA67DFC4ECB0763234403AD49A97D6434075CE99E8D0BBB978AC28916D4F79688521741FAD15
Malicious:	false
Preview:	F+.....8....O.@U.$.6..v..#.-.v....)..u.. ....{T.3...q.k1........M3..G.j.C.b..q....r.:j...i..2...g..h.]...UE......{....s...p.......`G.:\|_....`o.'C.....M..p.x..5..i..$..D{k...SP.w.T9+.y0`B'......8......%.s .....47[s.Ff#/..Z...;..k......esu&.Gb. #.<.....q...).....h.......R5.0:)..@n....n....q.....ua.>.h.f..M....".I.@ VYA..3...Q..)r..\.fmj.^.......3.,...Y.o.xY.x.......\|....b.H..G...d.q..-...%..Y..#.t..i......6?!.....M..l=.EG...G..JRwv..\.b.V...]......ID.24u.......v.).R.....O.T.F...&..o..b.......n/\...)G.....j.p4v.2..'..4....{.S.....Y......<W.w.ns.\}......n~..(7.w[....G..X.V......K...).f...Om.....v.3T!u.m......._=..._a...K.)....#../......>.6......`.N,v...p..a+uP5..7~..v...+!Fg.-...nn.`.Qj..SPs...I.{..k...(A..I........Aw.7.[..Y....8.q'....'.$....9.".C..e.-.\.s.,`..'.].Z......@..j.q.O..rA2...i..d#Q....+.q8a....3.35..zC.....L..y./3..VG.^...+..c...;.......A..1.i:..../kfN?.#...B..i.....O.P......6X.T..D.....=....z....j.....y..z.[h....h

C:\Users\user\Desktop\KLIZUSIQEN\Encrypt.html

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	HTML document, ASCII text, with very long lines (363)
Category:	dropped
Size (bytes):	2378
Entropy (8bit):	5.419937586745534
Encrypted:	false
SSDEEP:	48:B4axAaT4YkaT42VBopBTAavuBgoIE8eMK+5KIwCekY:wdmL8PfEZl
MD5:	3A86858B55DE8531B150A5B40450C2BA
SHA1:	B393C048DB07ED262C344E392090E90881C95D42
SHA-256:	0313C4626AF1206977A266A5B2C67E3EE6EAA3FFAD2E18144A50173EB21DEE01
SHA-512:	CC9E11F5659E0D08504BE4CEF31C8EA6EEDC6E4F3F9EFB9F70A897F23508951F184E9C25E4CDC470EABC74222EC0F6BDE3E463E48C162EEB786D6BF97723B2DA
Malicious:	true
Preview:	<!DOCTYPE html>..<html>..<head>...<meta charset="UTF-8">...<title>You are encrypted!!!</title>...<style>....body {.....margin: 0;.....padding: 0;....}......header {.....background-color: #222;.....color: white;.....height: 100px;.....display: flex;.....align-items: center;.....padding: 0 20px;....}......h1 {.....margin: 0;.....font-size: 3rem;.....font-family: Arial, sans-serif;.....text-shadow: 2px 2px #666;.....letter-spacing: 2px;....}......main {.....padding: 20px;.....background-color: #333;.....color: #ddd;.....font-size: 1.2rem;.....font-family: Arial, sans-serif;.....line-height: 1.5;.....text-align: justify;.....text-shadow: 1px 1px #222;.....border: 2px solid #666;.....border-radius: 20px;.....box-shadow: 5px 5px #666;.....margin: 20px;....}......main p:first-of-type {.....margin-top: 0;....}......main p:last-of-type {.....margin-bottom: 0;....}......footer {.....background-color: #222;.....color: white;.....height: 50px;.....display: flex;.....align-items: center;.....paddin

C:\Users\user\Desktop\TQDFJHPUIU\Encrypt.html

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	HTML document, ASCII text, with very long lines (363)
Category:	dropped
Size (bytes):	2378
Entropy (8bit):	5.419937586745534
Encrypted:	false
SSDEEP:	48:B4axAaT4YkaT42VBopBTAavuBgoIE8eMK+5KIwCekY:wdmL8PfEZl
MD5:	3A86858B55DE8531B150A5B40450C2BA
SHA1:	B393C048DB07ED262C344E392090E90881C95D42
SHA-256:	0313C4626AF1206977A266A5B2C67E3EE6EAA3FFAD2E18144A50173EB21DEE01
SHA-512:	CC9E11F5659E0D08504BE4CEF31C8EA6EEDC6E4F3F9EFB9F70A897F23508951F184E9C25E4CDC470EABC74222EC0F6BDE3E463E48C162EEB786D6BF97723B2DA
Malicious:	true
Preview:	<!DOCTYPE html>..<html>..<head>...<meta charset="UTF-8">...<title>You are encrypted!!!</title>...<style>....body {.....margin: 0;.....padding: 0;....}......header {.....background-color: #222;.....color: white;.....height: 100px;.....display: flex;.....align-items: center;.....padding: 0 20px;....}......h1 {.....margin: 0;.....font-size: 3rem;.....font-family: Arial, sans-serif;.....text-shadow: 2px 2px #666;.....letter-spacing: 2px;....}......main {.....padding: 20px;.....background-color: #333;.....color: #ddd;.....font-size: 1.2rem;.....font-family: Arial, sans-serif;.....line-height: 1.5;.....text-align: justify;.....text-shadow: 1px 1px #222;.....border: 2px solid #666;.....border-radius: 20px;.....box-shadow: 5px 5px #666;.....margin: 20px;....}......main p:first-of-type {.....margin-top: 0;....}......main p:last-of-type {.....margin-bottom: 0;....}......footer {.....background-color: #222;.....color: white;.....height: 50px;.....display: flex;.....align-items: center;.....paddin

C:\Users\user\Desktop\UNKRLCVOHV\Encrypt.html

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	HTML document, ASCII text, with very long lines (363)
Category:	dropped
Size (bytes):	2378
Entropy (8bit):	5.419937586745534
Encrypted:	false
SSDEEP:	48:B4axAaT4YkaT42VBopBTAavuBgoIE8eMK+5KIwCekY:wdmL8PfEZl
MD5:	3A86858B55DE8531B150A5B40450C2BA
SHA1:	B393C048DB07ED262C344E392090E90881C95D42
SHA-256:	0313C4626AF1206977A266A5B2C67E3EE6EAA3FFAD2E18144A50173EB21DEE01
SHA-512:	CC9E11F5659E0D08504BE4CEF31C8EA6EEDC6E4F3F9EFB9F70A897F23508951F184E9C25E4CDC470EABC74222EC0F6BDE3E463E48C162EEB786D6BF97723B2DA
Malicious:	true
Preview:	<!DOCTYPE html>..<html>..<head>...<meta charset="UTF-8">...<title>You are encrypted!!!</title>...<style>....body {.....margin: 0;.....padding: 0;....}......header {.....background-color: #222;.....color: white;.....height: 100px;.....display: flex;.....align-items: center;.....padding: 0 20px;....}......h1 {.....margin: 0;.....font-size: 3rem;.....font-family: Arial, sans-serif;.....text-shadow: 2px 2px #666;.....letter-spacing: 2px;....}......main {.....padding: 20px;.....background-color: #333;.....color: #ddd;.....font-size: 1.2rem;.....font-family: Arial, sans-serif;.....line-height: 1.5;.....text-align: justify;.....text-shadow: 1px 1px #222;.....border: 2px solid #666;.....border-radius: 20px;.....box-shadow: 5px 5px #666;.....margin: 20px;....}......main p:first-of-type {.....margin-top: 0;....}......main p:last-of-type {.....margin-bottom: 0;....}......footer {.....background-color: #222;.....color: white;.....height: 50px;.....display: flex;.....align-items: center;.....paddin

C:\Users\user\Desktop\ZGGKNSUKOP.pdf

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.867589218669617
Encrypted:	false
SSDEEP:	24:fXdsQy1Huv5vwJ24ubWVoagk6SiDdkukz1DAl/WI3cDxM9d+4LD:fCQy1OBwJBu2oBpDdkZzUWV693LD
MD5:	554436825F52F7C61D6DD21043DB72BA
SHA1:	E031E3AFE0AB39A22CAF4F3C544AA43955A6F643
SHA-256:	71D7547A6363E03925495ACF83A209CF5EE62500EA290A24DA770FE54EDF150B
SHA-512:	34048685956F5DB327F0A0A559A57E55BE8E1F0019837EA6BBFA559F6733C3FA65B50E2CB1D2EF1F96340EE4E8CD143C665CB0AFB2B990275907F25DF2153030
Malicious:	false
Preview:	[%....5....G..RY.-.6..v..&./.a....(..`..$....yS.!;...a.b+....b...C(..G.`.D.~..}....b1<h...p.. ...l..v.Q...DO...5..e.....r...k.......iR.'vD....{y. M.....D..j.a.. ..\|4..&..N~m4...ME.m.L"'.}&oP:..&...:.......%.{=.....6(Xn.Nm02..R...!..}......er~,.Cd.:#.,.....~...'......u.....B6.:35..K{....a....v.....nn.?.v.u..Y.....R.A@ZHm.?...T..=n..G.a.h.\.......3.3...G.m.x@.........p....a.R..M...t.g.,...9..J....h..k.....<!<.....T..k=.PN...N..NGfa..A.x.U....X......EC.&!w......9.d. .Z.....F.K.H...'..~..x.......h,T.."K.....~.q"f+=..%..#.~..z.P.....[......,D.`.sz.Rb......dk.. .xC....V..].J......I...).j..Wn.....t.-A3o.c.......N?...[f...N.-....>..".....~!.6......p.U#c...`..b<mS&..=r..y...%-Fv.+...ki.m.Xm..ISu...B.l..l...7U..K........Vm.>.]..Z....#.h#....9.;....1.'.R..y.'.W.n.e..>.\.T......O..l.o.B..jK<...m..d.G.6...;.o(a.....%.<,..bQ.....Q..i."..]U.U...9..x...<.......R..5.h9....&wdR+.1...W..f......N.Q......?Q.O..G.....&....z..........`..}.^h...

C:\Users\user\Desktop\ZGGKNSUKOP.pdf.[X6D6Q4@proton.me].LockBit (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	7.867589218669617
Encrypted:	false
SSDEEP:	24:fXdsQy1Huv5vwJ24ubWVoagk6SiDdkukz1DAl/WI3cDxM9d+4LD:fCQy1OBwJBu2oBpDdkZzUWV693LD
MD5:	554436825F52F7C61D6DD21043DB72BA
SHA1:	E031E3AFE0AB39A22CAF4F3C544AA43955A6F643
SHA-256:	71D7547A6363E03925495ACF83A209CF5EE62500EA290A24DA770FE54EDF150B
SHA-512:	34048685956F5DB327F0A0A559A57E55BE8E1F0019837EA6BBFA559F6733C3FA65B50E2CB1D2EF1F96340EE4E8CD143C665CB0AFB2B990275907F25DF2153030
Malicious:	false
Preview:	[%....5....G..RY.-.6..v..&./.a....(..`..$....yS.!;...a.b+....b...C(..G.`.D.~..}....b1<h...p.. ...l..v.Q...DO...5..e.....r...k.......iR.'vD....{y. M.....D..j.a.. ..\|4..&..N~m4...ME.m.L"'.}&oP:..&...:.......%.{=.....6(Xn.Nm02..R...!..}......er~,.Cd.:#.,.....~...'......u.....B6.:35..K{....a....v.....nn.?.v.u..Y.....R.A@ZHm.?...T..=n..G.a.h.\.......3.3...G.m.x@.........p....a.R..M...t.g.,...9..J....h..k.....<!<.....T..k=.PN...N..NGfa..A.x.U....X......EC.&!w......9.d. .Z.....F.K.H...'..~..x.......h,T.."K.....~.q"f+=..%..#.~..z.P.....[......,D.`.sz.Rb......dk.. .xC....V..].J......I...).j..Wn.....t.-A3o.c.......N?...[f...N.-....>..".....~!.6......p.U#c...`..b<mS&..=r..y...%-Fv.+...ki.m.Xm..ISu...B.l..l...7U..K........Vm.>.]..Z....#.h#....9.;....1.'.R..y.'.W.n.e..>.\.T......O..l.o.B..jK<...m..d.G.6...;.o(a.....%.<,..bQ.....Q..i."..]U.U...9..x...<.......R..5.h9....&wdR+.1...W..f......N.Q......?Q.O..G.....&....z..........`..}.^h...

C:\Users\user\Desktop\desktop.ini

Download File

Process:	C:\Users\user\Desktop\system21.exe
File Type:	data
Category:	modified
Size (bytes):	546
Entropy (8bit):	7.638764989288579
Encrypted:	false
SSDEEP:	12:QxTtwSqvKAyaKwK3Heh+KtRvq7L4OcFsO2V9ByGDyIibl:wNAUaLKuh+OC7CF2BXehl
MD5:	B39E05E51845CEBB8501EB7C500C5516
SHA1:	028A7253E1C34C59CDD352B27FA72CBF8AFC7894
SHA-256:	94F2233E9FC74F7717D46D6333F1006E9CFF2AA7D9CA76B1BBE8D97936881528
SHA-512:	E38038E8C17A580960A0D6F750E519FA05F1F88D923EEB38EB6D3D72FA2C2C97F1782050BADE5BD0AF6249A6D3D0D35E3FFD800818B13E512E14C17A47A779E6
Malicious:	false
Preview:	......~........o..\|.`..F..m..".M. ..l.._.m.C..R..y.G...5.2.L..:+......./...1.EQ....$7~.....9.....=...0......K..X.y>.U...".....%.......7#1.L=3...,D.I.........J..8G.v..Kg+C....T#...P..n..;..Oe.14pc.A...p......D.uo B..p..S.z>Yk..KH....,.....V...3.9..g4.xA.[.aN.....^w..D..z.GH.W......J.GI.I.q...P.... ..[..k..3.<[..W.6.X...t.An.5....[...uZ...M...D&.9.7,eH...^K0.x..J...v.iW/`..Fj'..>X0....F"...:f..Y.,..b.6.8.uQN.B[............4..[!p....9.9.m......~.).....y6gm...rs.....)o/..P9d.....>m..nE..**.n..Q..!........

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\reg.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.237326145256008
Encrypted:	false
SSDEEP:	3:bqX4LxGT82AGN8cyn:bqX4E8NGN8Rn
MD5:	13015015DD907D28996153DF14881252
SHA1:	532C595BAAE0A027D02D1B28D7B83D57350A310E
SHA-256:	4499283166530CE395CBC12677FEF2BD52759EACDCC5BDDE56C039B1A2E99C0B
SHA-512:	B81FB62AB27E7722BFCB386766FFA1D1EBA05B8B03CD5D2160BB2570F87568381D923AC75017D785E1DEC1685769023727F4280E27C2A69CDE69772CA62E2A92
Malicious:	false
Preview:	The operation completed successfully....

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

• system21.exe
• conhost.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• reg.exe
• reg.exe

Click to jump to process

Memory Usage

• system21.exe
• conhost.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• reg.exe
• reg.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• system21.exe
• conhost.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• cmd.exe
• reg.exe
• reg.exe

Click to jump to process

Target ID:	0
Start time:	13:22:09
Start date:	28/04/2025
Path:	C:\Users\user\Desktop\system21.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\system21.exe"
Imagebase:	0x1d0000
File size:	3'198'464 bytes
MD5 hash:	5766EF20FDA9263ED77E6C00BF6CA20C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:22:09
Start date:	28/04/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff642da0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:22:10
Start date:	28/04/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C move C:\Users\user\Desktop\DUUDTUBZFW\DUUDTUBZFW.docx C:\Users\user\Desktop\DUUDTUBZFW\DUUDTUBZFW.docx.[X6D6Q4@proton.me].LockBit
Imagebase:	0x460000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:22:10
Start date:	28/04/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C move C:\Users\user\Desktop\DUUDTUBZFW\EOWRVPQCCS.xlsx C:\Users\user\Desktop\DUUDTUBZFW\EOWRVPQCCS.xlsx.[X6D6Q4@proton.me].LockBit
Imagebase:	0x460000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:22:10
Start date:	28/04/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C move C:\Users\user\Desktop\DUUDTUBZFW\ZGGKNSUKOP.pdf C:\Users\user\Desktop\DUUDTUBZFW\ZGGKNSUKOP.pdf.[X6D6Q4@proton.me].LockBit
Imagebase:	0x460000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:22:10
Start date:	28/04/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C move C:\Users\user\Desktop\DUUDTUBZFW.docx C:\Users\user\Desktop\DUUDTUBZFW.docx.[X6D6Q4@proton.me].LockBit
Imagebase:	0x460000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:22:10
Start date:	28/04/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C move C:\Users\user\Desktop\EIVQSAOTAQ.xlsx C:\Users\user\Desktop\EIVQSAOTAQ.xlsx.[X6D6Q4@proton.me].LockBit
Imagebase:	0x460000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:22:10
Start date:	28/04/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C move C:\Users\user\Desktop\EOWRVPQCCS\EIVQSAOTAQ.xlsx C:\Users\user\Desktop\EOWRVPQCCS\EIVQSAOTAQ.xlsx.[X6D6Q4@proton.me].LockBit
Imagebase:	0x460000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:22:10
Start date:	28/04/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C move C:\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx C:\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx.[X6D6Q4@proton.me].LockBit
Imagebase:	0x460000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:22:10
Start date:	28/04/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C move C:\Users\user\Desktop\EOWRVPQCCS\GIGIYTFFYT.pdf C:\Users\user\Desktop\EOWRVPQCCS\GIGIYTFFYT.pdf.[X6D6Q4@proton.me].LockBit
Imagebase:	0x460000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:22:10
Start date:	28/04/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C move C:\Users\user\Desktop\EOWRVPQCCS.docx C:\Users\user\Desktop\EOWRVPQCCS.docx.[X6D6Q4@proton.me].LockBit
Imagebase:	0x460000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:22:11
Start date:	28/04/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C move C:\Users\user\Desktop\EOWRVPQCCS.xlsx C:\Users\user\Desktop\EOWRVPQCCS.xlsx.[X6D6Q4@proton.me].LockBit
Imagebase:	0x460000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:22:11
Start date:	28/04/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C move C:\Users\user\Desktop\Excel.lnk C:\Users\user\Desktop\Excel.lnk.[X6D6Q4@proton.me].LockBit
Imagebase:	0x460000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:22:11
Start date:	28/04/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C move C:\Users\user\Desktop\GIGIYTFFYT.pdf C:\Users\user\Desktop\GIGIYTFFYT.pdf.[X6D6Q4@proton.me].LockBit
Imagebase:	0x460000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:22:12
Start date:	28/04/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C move C:\Users\user\Desktop\ZGGKNSUKOP.pdf C:\Users\user\Desktop\ZGGKNSUKOP.pdf.[X6D6Q4@proton.me].LockBit
Imagebase:	0x460000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:22:12
Start date:	28/04/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C move C:\Users\user\Desktop\desktop.ini C:\Users\user\Desktop\desktop.ini.[X6D6Q4@proton.me].LockBit
Imagebase:	0x460000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:22:12
Start date:	28/04/2025
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
Imagebase:	0x230000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:22:12
Start date:	28/04/2025
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS /v Start /t REG_DWORD /d 4 /f
Imagebase:	0x230000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 001EB980 Relevance: 16.0, Strings: 12, Instructions: 1014COMMON

Download Yara Rule

Strings

gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 001ECBC8
MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=, xrefs: 001EC91A
ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE, xrefs: 001EC476
ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)total < 0traceback} stack=, xrefs: 001EC85A
., xrefs: 001EC18E
gc %: gp *(in n= ) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-0, xrefs: 001EC222
failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 001ECBB2
!, xrefs: 001EBFFA
MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 001EC984
gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalGreeksse41sse42ssse3SHA-1P-256P-384P-521P-224filesstring hangupkilledlistensocketreadatdelete/q, xrefs: 001EBA4A
non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrsmall map with no empty slot (concurrent map wri, xrefs: 001ECB9C
5, xrefs: 001ECBA5

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=$ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)total < 0traceback} stack=$!$.$5$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-0$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalGreeksse41sse42ssse3SHA-1P-256P-384P-521P-224filesstring hangupkilledlistensocketreadatdelete/q$non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrsmall map with no empty slot (concurrent map wri
API String ID: 0-1919889966
Opcode ID: 09d34a2c14af1580ac57d0a7b53313abd9f6a5b5b142dea2cc627518a72582c4
Instruction ID: a0e4890bb45d7885eacf0cb346052ab7c4ff4e8231dc026485b657d39a53aa62
Opcode Fuzzy Hash: 09d34a2c14af1580ac57d0a7b53313abd9f6a5b5b142dea2cc627518a72582c4
Instruction Fuzzy Hash: C6B2F774509784CFC364EF69D491B9EBBE5FB88300F05882EE88987352EB34A945CF56

Function 00225900 Relevance: 12.9, Strings: 10, Instructions: 420COMMON

Download Yara Rule

Strings

and defersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalGreeksse41sse42ssse3, xrefs: 00225C26, 00225E1A
locals stack map entries for abi mismatch detected between runtime: impossible type kind unsafe.Slice: len out of range227373675443232059478759765625Eastern Standard Time (Mexico)Turks And Caicos Standard TimeCentral Standard Time (Mexico)E. South America Sta, xrefs: 00225E44
missing stackmapbad symbol tablenon-Go functionpointerless type not in ranges:23841857910156250123456789ABCDEFtime: bad [0-9]*DuplicateTokenExGetCurrentThreadGetModuleHandleWRtlVirtualUnwindexec: no commandGODEBUG: value "[bisect-match 0xdivision by zeroleng, xrefs: 00225D9A, 00225F8A
(targetpc= , plugin: running < 0runtime: g : frame.sp=created by 30517578125ProcessPrngMoveFileExWNetShareAddNetShareDeli/o timeoutinvalid oidSYSTEMROOT=gocachehashgocachetesthttp2clienthttp2serverrandseednoparchive/tartls10servercrypto/x509archive/zipSHA-512, xrefs: 00225C7A, 00225E6E
runtime: frame ts set in timertraceback stuckruntime.gopanicunexpected kind476837158203125: cannot parse ,M3.2.0,M11.1.0ImpersonateSelfOpenThreadTokenx509usepoliciesjstmpllitinterptarinsecurepathx509keypairleafzipinsecurepathRegCreateKeyExWRegDeleteValueWinval, xrefs: 00225D12, 00225F02
untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=invalid syntax1907348632812595367431640625time.Location(: extra text: OpenSCManagerWModule32FirstWunreachable: crypto/fips140mime/multipartRegSetValueExWdata truncatedunknown , xrefs: 00225D3C
args stack map entries for invalid runtime symbol tableruntime: no module data for mismatched isSending updates[originating from goroutine traceRegion: alloc too large18189894035458564758300781259094947017729282379150390625Canada Central Standard TimeCen. Aus, xrefs: 00225C50
runtime: pcdata is bad ABI description14901161193847656257450580596923828125bad value for fieldEgypt Standard TimeSudan Standard TimeLibya Standard TimeBahia Standard TimeHaiti Standard TimeYukon Standard TimeAltai Standard TimeIndia Standard TimeSyria Standar, xrefs: 00225BFC, 00225DF0
untyped locals missing stackmapbad symbol tablenon-Go functionpointerless type not in ranges:23841857910156250123456789ABCDEFtime: bad [0-9]*DuplicateTokenExGetCurrentThreadGetModuleHandleWRtlVirtualUnwindexec: no commandGODEBUG: value "[bisect-match 0xdivi, xrefs: 00225F2C
bad symbol tablenon-Go functionpointerless type not in ranges:23841857910156250123456789ABCDEFtime: bad [0-9]*DuplicateTokenExGetCurrentThreadGetModuleHandleWRtlVirtualUnwindexec: no commandGODEBUG: value "[bisect-match 0xdivision by zerolength too largeRCod, xrefs: 00225CBF, 00225EB3

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: (targetpc= , plugin: running < 0runtime: g : frame.sp=created by 30517578125ProcessPrngMoveFileExWNetShareAddNetShareDeli/o timeoutinvalid oidSYSTEMROOT=gocachehashgocachetesthttp2clienthttp2serverrandseednoparchive/tartls10servercrypto/x509archive/zipSHA-512$ and defersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalGreeksse41sse42ssse3$ args stack map entries for invalid runtime symbol tableruntime: no module data for mismatched isSending updates[originating from goroutine traceRegion: alloc too large18189894035458564758300781259094947017729282379150390625Canada Central Standard TimeCen. Aus$ locals stack map entries for abi mismatch detected between runtime: impossible type kind unsafe.Slice: len out of range227373675443232059478759765625Eastern Standard Time (Mexico)Turks And Caicos Standard TimeCentral Standard Time (Mexico)E. South America Sta$ untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=invalid syntax1907348632812595367431640625time.Location(: extra text: OpenSCManagerWModule32FirstWunreachable: crypto/fips140mime/multipartRegSetValueExWdata truncatedunknown $ untyped locals missing stackmapbad symbol tablenon-Go functionpointerless type not in ranges:23841857910156250123456789ABCDEFtime: bad [0-9]*DuplicateTokenExGetCurrentThreadGetModuleHandleWRtlVirtualUnwindexec: no commandGODEBUG: value "[bisect-match 0xdivi$bad symbol tablenon-Go functionpointerless type not in ranges:23841857910156250123456789ABCDEFtime: bad [0-9]*DuplicateTokenExGetCurrentThreadGetModuleHandleWRtlVirtualUnwindexec: no commandGODEBUG: value "[bisect-match 0xdivision by zerolength too largeRCod$missing stackmapbad symbol tablenon-Go functionpointerless type not in ranges:23841857910156250123456789ABCDEFtime: bad [0-9]*DuplicateTokenExGetCurrentThreadGetModuleHandleWRtlVirtualUnwindexec: no commandGODEBUG: value "[bisect-match 0xdivision by zeroleng$runtime: frame ts set in timertraceback stuckruntime.gopanicunexpected kind476837158203125: cannot parse ,M3.2.0,M11.1.0ImpersonateSelfOpenThreadTokenx509usepoliciesjstmpllitinterptarinsecurepathx509keypairleafzipinsecurepathRegCreateKeyExWRegDeleteValueWinval$runtime: pcdata is bad ABI description14901161193847656257450580596923828125bad value for fieldEgypt Standard TimeSudan Standard TimeLibya Standard TimeBahia Standard TimeHaiti Standard TimeYukon Standard TimeAltai Standard TimeIndia Standard TimeSyria Standar
API String ID: 0-575146282
Opcode ID: 8b0665d39330eb837570aea39a68b72af09288603ae97d0298244a5db80ae21b
Instruction ID: 3c26835d68b44a3002adf20c0d1b87eab0ff78d2a5953a5f4677efc3b31aaf90
Opcode Fuzzy Hash: 8b0665d39330eb837570aea39a68b72af09288603ae97d0298244a5db80ae21b
Instruction Fuzzy Hash: E112F1B452A7149FC344EFA8D18161ABBE0FF88704F41892EF99887392E774E854DF52

Function 00208FE0 Relevance: 12.8, Strings: 10, Instructions: 253COMMON

Download Yara Rule

Strings

bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timers152587890625762939453125OpenServiceWRevertToSelfCreateEv, xrefs: 002092BD
runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocrypto/rsa: message too long for RSA key sizex509: trailing data after ASN.1 of , xrefs: 0020944C
CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=strconv: illegal App, xrefs: 002093CA, 00209425
VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notinvalid timer channel: no capacity3552713678800500929355, xrefs: 00209318
runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 002092E4
runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!2220446049250313080847263336181640625internal error: unknown network type g, xrefs: 00209480
runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan stateecdsa: internal error: unexpectedly masking off bitsnon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno, xrefs: 0020933B
%, xrefs: 00209489
NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 , xrefs: 0020936F
runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocrypto/rsa: message too long for RSA key sizex509: trailing data after ASN.1 of public-keyzero length explicit tag was not an, xrefs: 00209396, 002093F1

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: %$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=strconv: illegal App$NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 $VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notinvalid timer channel: no capacity3552713678800500929355$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timers152587890625762939453125OpenServiceWRevertToSelfCreateEv$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocrypto/rsa: message too long for RSA key sizex509: trailing data after ASN.1 of $runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!2220446049250313080847263336181640625internal error: unknown network type g$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocrypto/rsa: message too long for RSA key sizex509: trailing data after ASN.1 of public-keyzero length explicit tag was not an$runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan stateecdsa: internal error: unexpectedly masking off bitsnon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
API String ID: 0-1964012926
Opcode ID: 0edbdd579a16079512aafcb66bd0e1e09a4eb3fab6694c124eac6a59dbf432b2
Instruction ID: a72d45d01e18f0d58a05e2e6fd98a892a1a601f3de5ea28a94e6cfd421f4d420
Opcode Fuzzy Hash: 0edbdd579a16079512aafcb66bd0e1e09a4eb3fab6694c124eac6a59dbf432b2
Instruction Fuzzy Hash: 1CC1F2B452A7018FD300EFA8D59571ABBE8FF88704F00892DE5888B392D775D999CF52

Function 00207790 Relevance: 7.6, Strings: 6, Instructions: 133COMMON

Download Yara Rule

Strings

runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)invalid timer: fake time but no syncgroup34694469519536141888238489627838134765625strconv: illegal AppendInt/FormatInt baseTime.UnmarshalBinary: unsupported versionfips140: unkno, xrefs: 00207958
d, xrefs: 00207816
runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCall2328306, xrefs: 00207931, 0020798C, 002079DF
5, xrefs: 002079B4
runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrsmall map with no empty slot (concurrent map writes?)panic calling String method on zero %v for flag , xrefs: 002079AB
runtime: NtAssociateWaitCompletionPacket failed; errno= crypto/cipher: internal error: generic CTR used with AESb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07, xrefs: 002078FD

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: 5$d$runtime: NtAssociateWaitCompletionPacket failed; errno= crypto/cipher: internal error: generic CTR used with AESb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07$runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrsmall map with no empty slot (concurrent map writes?)panic calling String method on zero %v for flag $runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)invalid timer: fake time but no syncgroup34694469519536141888238489627838134765625strconv: illegal AppendInt/FormatInt baseTime.UnmarshalBinary: unsupported versionfips140: unkno$runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCall2328306
API String ID: 0-2166924004
Opcode ID: a59156bc096942f9ffdcce75c27797cd1f934a1c8faf5c6b0490eb65e80860c0
Instruction ID: e87bc845e19569eb9ecb6817fc3802ee76d7ad4545d6b1ea3bf1c3bc5852eed1
Opcode Fuzzy Hash: a59156bc096942f9ffdcce75c27797cd1f934a1c8faf5c6b0490eb65e80860c0
Instruction Fuzzy Hash: 5A51CEB452A3019FD344EF68C485B1ABBE4BF88704F41892DF48887392D775E958DF92

Function 001F7530 Relevance: 5.5, Strings: 4, Instructions: 483COMMON

Download Yara Rule

Strings

runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti, xrefs: 001F7A66, 001F7AB5
min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=3814697265625invalid base parsing time , xrefs: 001F7A9A
min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce, xrefs: 001F7AE9
!, xrefs: 001F7AF2

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: !$min must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exce$min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=3814697265625invalid base parsing time $runtime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckrunti
API String ID: 0-1777950278
Opcode ID: 66eeb524508d894dd373778eadb32825633798b8a3fd3218c621c021f6ecaddf
Instruction ID: c7fe416bb7fe8c5c302ac48b0c3362e7c2dba0c1d0c78c9ae90cdd75969a3e66
Opcode Fuzzy Hash: 66eeb524508d894dd373778eadb32825633798b8a3fd3218c621c021f6ecaddf
Instruction Fuzzy Hash: 2FF1E33260971A4FD715DE58C8C062EB7E2EBC8344F19893CEA998B391EB71D945CB81

Function 00210DE0 Relevance: 5.4, Strings: 4, Instructions: 352COMMON

Download Yara Rule

Strings

stopTheWorld: not stopped (stopwait != 0)invalid timer: fake time but no syncgroup34694469519536141888238489627838134765625strconv: illegal AppendInt/FormatInt baseTime.UnmarshalBinary: unsupported versionfips140: unknown GODEBUG setting fips140=RSASSA-PKCS-v1, xrefs: 00211150
stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a , xrefs: 00211303
stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2138777878078144567552953958511352539062569388939039072283776, xrefs: 002112AB
stopTheWorld: not stopped (status != _Pgcstop)select on synctest channel from outside bubblesignal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base poin, xrefs: 00211270

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2138777878078144567552953958511352539062569388939039072283776$stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a $stopTheWorld: not stopped (status != _Pgcstop)select on synctest channel from outside bubblesignal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base poin$stopTheWorld: not stopped (stopwait != 0)invalid timer: fake time but no syncgroup34694469519536141888238489627838134765625strconv: illegal AppendInt/FormatInt baseTime.UnmarshalBinary: unsupported versionfips140: unknown GODEBUG setting fips140=RSASSA-PKCS-v1
API String ID: 0-4169609375
Opcode ID: a6d12d49a144c9aa3e532ca23dd7e03e8c3b2075ac81d81b94f3053c1be86020
Instruction ID: d9b2befff6cc6f35b0d3e4f0eee435bf069dab1f2d5bf4c1c58818f4f1a7d9d9
Opcode Fuzzy Hash: a6d12d49a144c9aa3e532ca23dd7e03e8c3b2075ac81d81b94f3053c1be86020
Instruction Fuzzy Hash: 93F11374A193418FC358DF69C480A6AFBF1BF98700F14892EE99987361DB74D895CF82

Function 0020CA10 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

', xrefs: 0020CEAB
invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go functionpointerless type not in ranges:23841857910156250123456789ABCDEFtime: bad [0-9]*DuplicateTokenExGetCurrentThreadGetM, xrefs: 0020CE8C
suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2775557561562891351059079170227050781252006-01-02 15:04:05.999999, xrefs: 0020CEA2

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: '$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go functionpointerless type not in ranges:23841857910156250123456789ABCDEFtime: bad [0-9]*DuplicateTokenExGetCurrentThreadGetM$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2775557561562891351059079170227050781252006-01-02 15:04:05.999999
API String ID: 0-2961018152
Opcode ID: b0f21c08fac96d20add5ed269fb690939964cc2787a1c184420bde151a3c0536
Instruction ID: 236cb46eaf614931cad7a049fb64d66067b98a2798413e62d0dac5da1e7485f9
Opcode Fuzzy Hash: b0f21c08fac96d20add5ed269fb690939964cc2787a1c184420bde151a3c0536
Instruction Fuzzy Hash: 98D131B462D3418FC718DF25C090A2ABBE1AF89704F65496DF8C98B392D734ED54DB42

Function 001F2F30 Relevance: 3.8, Strings: 3, Instructions: 92COMMON

Download Yara Rule

Strings

mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largex509: RSA public exponent is not a positive numberedwards255, xrefs: 001F301C
gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not , xrefs: 001F3032
,, xrefs: 001F303B

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not $mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largex509: RSA public exponent is not a positive numberedwards255
API String ID: 0-1949655048
Opcode ID: 3b9849db9443a3ab33766b7f68780e7ebd3785bd818b0fcaa02227fa7ed7d85f
Instruction ID: a11741bbc60795d7d6d11387f7c391c1f5ad0dc436ba4a4e8bb2532d56934d18
Opcode Fuzzy Hash: 3b9849db9443a3ab33766b7f68780e7ebd3785bd818b0fcaa02227fa7ed7d85f
Instruction Fuzzy Hash: 943191756057958FD305DF24C890A6AB7E2FB95308F4885BED9884F383DB31D84ACB85

Function 001D52B0 Relevance: 3.3, Strings: 2, Instructions: 753COMMON

Download Yara Rule

Strings

&, xrefs: 001D5377
concurrent map iteration and map writebigmod: internal error: bad arithmeticinternal error: unknown string type %dasn1: Unmarshal recipient value is nilcrypto/sha256: invalid hash state sizecrypto/sha512: invalid hash state sizeinvalid P224 compressed point en, xrefs: 001D536E

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: &$concurrent map iteration and map writebigmod: internal error: bad arithmeticinternal error: unknown string type %dasn1: Unmarshal recipient value is nilcrypto/sha256: invalid hash state sizecrypto/sha512: invalid hash state sizeinvalid P224 compressed point en
API String ID: 0-2021671869
Opcode ID: ae734ca57cce0c0901ebecd085769327ae6746f26767db7f03ccffd4dbb44785
Instruction ID: 59c41d4866a09b31c6e8c7a145437de8c1e45e56bdc7a9c0719d44451ccd3776
Opcode Fuzzy Hash: ae734ca57cce0c0901ebecd085769327ae6746f26767db7f03ccffd4dbb44785
Instruction Fuzzy Hash: CA529F76A057118FC748CF1AC4D0A1ABBE2BFC8324F5A92ADD8594B766D770EC45CB80

Function 001D86F0 Relevance: 1.7, Strings: 1, Instructions: 420COMMON

Download Yara Rule

Strings

concurrent map writessequence tag mismatchinvalid scalar lengthargument list too longaddress already in usenetwork is unreachablecannot allocate memoryprotocol not availableprotocol not supportedremote address changedConvertSidToStringSidWConvertStringSidToSid, xrefs: 001D8725, 001D8820, 001D8CD0

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: concurrent map writessequence tag mismatchinvalid scalar lengthargument list too longaddress already in usenetwork is unreachablecannot allocate memoryprotocol not availableprotocol not supportedremote address changedConvertSidToStringSidWConvertStringSidToSid
API String ID: 0-3569007715
Opcode ID: feaa47660e19c378873448cea54a673d61f22587df051ad0788d9821f5c51ef5
Instruction ID: 3e1e678df2c29bfbf1ba89d4be3c2700447886389dc2597f25a014ecd6fe5535
Opcode Fuzzy Hash: feaa47660e19c378873448cea54a673d61f22587df051ad0788d9821f5c51ef5
Instruction Fuzzy Hash: FD023874618741CFC728DF69C490A6ABBE1FF88304F15886EE9998B352DB34E845CF52

Function 001D7E30 Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

concurrent map writessequence tag mismatchinvalid scalar lengthargument list too longaddress already in usenetwork is unreachablecannot allocate memoryprotocol not availableprotocol not supportedremote address changedConvertSidToStringSidWConvertStringSidToSid, xrefs: 001D7E5E, 001D7F74, 001D8341

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: concurrent map writessequence tag mismatchinvalid scalar lengthargument list too longaddress already in usenetwork is unreachablecannot allocate memoryprotocol not availableprotocol not supportedremote address changedConvertSidToStringSidWConvertStringSidToSid
API String ID: 0-3569007715
Opcode ID: 7ec441acc6006aedbabcf65e9c1cdb38cf5b5a949f7b6d795939600474d8fbd5
Instruction ID: 782dffd01796dd44aeee3dea3c482cdd4fb8082657f0cc5e1fa2cc2cd798c52e
Opcode Fuzzy Hash: 7ec441acc6006aedbabcf65e9c1cdb38cf5b5a949f7b6d795939600474d8fbd5
Instruction Fuzzy Hash: 4DF14875608745CFC724DF64C480A6AFBE1BF89710F15896EE9988B352EB30E845CB92

Function 001D72E0 Relevance: 1.6, Strings: 1, Instructions: 366COMMON

Download Yara Rule

Strings

concurrent map writessequence tag mismatchinvalid scalar lengthargument list too longaddress already in usenetwork is unreachablecannot allocate memoryprotocol not availableprotocol not supportedremote address changedConvertSidToStringSidWConvertStringSidToSid, xrefs: 001D7315, 001D742E, 001D778D

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: concurrent map writessequence tag mismatchinvalid scalar lengthargument list too longaddress already in usenetwork is unreachablecannot allocate memoryprotocol not availableprotocol not supportedremote address changedConvertSidToStringSidWConvertStringSidToSid
API String ID: 0-3569007715
Opcode ID: af35c576be7ee0f04322301d1e2aa4892c290a3fdbc12bbdb922dce9fc330c49
Instruction ID: a777111a2f8dc68bc33d10705136baec5396d289a3721314bc8155f3ad66eb30
Opcode Fuzzy Hash: af35c576be7ee0f04322301d1e2aa4892c290a3fdbc12bbdb922dce9fc330c49
Instruction Fuzzy Hash: 73E16F75909754CFC728CF65C490A5AF7E1BF84704F15896EE8988B392EB31E805CB82

Function 001D6AC0 Relevance: 1.6, Strings: 1, Instructions: 350COMMON

Download Yara Rule

Strings

concurrent map writessequence tag mismatchinvalid scalar lengthargument list too longaddress already in usenetwork is unreachablecannot allocate memoryprotocol not availableprotocol not supportedremote address changedConvertSidToStringSidWConvertStringSidToSid, xrefs: 001D6AEE, 001D6BDF, 001D6F0D

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: concurrent map writessequence tag mismatchinvalid scalar lengthargument list too longaddress already in usenetwork is unreachablecannot allocate memoryprotocol not availableprotocol not supportedremote address changedConvertSidToStringSidWConvertStringSidToSid
API String ID: 0-3569007715
Opcode ID: 87953325108927fef9b7ea1393d38c5d9f36b00ee46d2d7fc7b45979d2338c55
Instruction ID: d372f0417d16d72c13c208a98305f577f08460ae3bd28c57ef2a58910bf87218
Opcode Fuzzy Hash: 87953325108927fef9b7ea1393d38c5d9f36b00ee46d2d7fc7b45979d2338c55
Instruction Fuzzy Hash: EAE17A75A087558FC718DF55C490A2AFBE1FF88704F16896EE8D98B352E731E805CB82

Function 001D6620 Relevance: 1.6, Strings: 1, Instructions: 343COMMON

Download Yara Rule

Strings

concurrent map writessequence tag mismatchinvalid scalar lengthargument list too longaddress already in usenetwork is unreachablecannot allocate memoryprotocol not availableprotocol not supportedremote address changedConvertSidToStringSidWConvertStringSidToSid, xrefs: 001D664E, 001D673F, 001D6A55

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: concurrent map writessequence tag mismatchinvalid scalar lengthargument list too longaddress already in usenetwork is unreachablecannot allocate memoryprotocol not availableprotocol not supportedremote address changedConvertSidToStringSidWConvertStringSidToSid
API String ID: 0-3569007715
Opcode ID: fd256b9d83aa187cfac4d5e2d599e513ad6867b90a2628cc100644121bf02cee
Instruction ID: 8c6477c6dc5b138537301819f1aa0b07bdf3a8ae42d7829a4ca15b7a8c82f742
Opcode Fuzzy Hash: fd256b9d83aa187cfac4d5e2d599e513ad6867b90a2628cc100644121bf02cee
Instruction Fuzzy Hash: 33E17B75A08754CFC718CF55C490A2ABBE1BF89704F19896EE8D99B352E731EC05CB82

Function 001E68F0 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 001E6B4A

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
API String ID: 0-1712010102
Opcode ID: 08448068123f149edc9d5e7c8fb74ef8ef883dedd4bea079b16517426da83e1f
Instruction ID: 29d9ee96521bd7413ac0b2e257e5e9c820088c2b93704da29f7c5481eb43c850
Opcode Fuzzy Hash: 08448068123f149edc9d5e7c8fb74ef8ef883dedd4bea079b16517426da83e1f
Instruction Fuzzy Hash: 8BC115B46187859FC748EF29C090A2EBBE0BF98744F40892EF4C98B352E735D945DB42

Function 001D3230 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

, xrefs: 001D33C9

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7b06f6f8a38f6094e353ce6b7785b342da400df7c9101b541089952b1e4842e7
Instruction ID: 86da2efd307441efa2000578c451ac238c434be0e8835870fe042834a192d284
Opcode Fuzzy Hash: 7b06f6f8a38f6094e353ce6b7785b342da400df7c9101b541089952b1e4842e7
Instruction Fuzzy Hash: E0A1C375A083158BC719DF68D8C061EBBE1BBC8344F54893DE8A88B341EB79D945CB82

Function 001DF785 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

, xrefs: 001DF8A7

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 29d1d7e1e7d882a5b560a56f2b6d8730aa00350028549b9a06be3e9c7d3e5fbd
Instruction ID: e3908a9934a7817300f63d2536b6772bac7ed77594d5ed30469d6c817ba8afae
Opcode Fuzzy Hash: 29d1d7e1e7d882a5b560a56f2b6d8730aa00350028549b9a06be3e9c7d3e5fbd
Instruction Fuzzy Hash: 6EB15C756093158FC719EF58C490A2EB7E1FB88304F05867EE89A8B352E774DA45CB81

Function 001E47B0 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d11b367c02b801c3795631f023b3e38b7154555adf1af688782d201ede31274
Instruction ID: 809d318ce29f4d9a1c23e39f5bc98f2de021b41467612cd62091f291a8d27a42
Opcode Fuzzy Hash: 8d11b367c02b801c3795631f023b3e38b7154555adf1af688782d201ede31274
Instruction Fuzzy Hash: BA0254B5A08B858FC714DF2AC48061EBBE1BFC8754F54892DE99987351E770ED48CB82

Function 002024F0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a819e8b09b664ee02dc1e8492da34c1ad6e565607d45c6dc195ab4f7c341fb
Instruction ID: df236b594b17646a4793028407a4a9a8cab1a48c9a5901fba1d01cbe709969b2
Opcode Fuzzy Hash: b4a819e8b09b664ee02dc1e8492da34c1ad6e565607d45c6dc195ab4f7c341fb
Instruction Fuzzy Hash: 91E14832B247168FD318DEA9C8C022AF7D2ABC8340F59863DE954D7382EA75DC5D8781

Function 001D9E90 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a326f0dc16ae39532b94d94bd3f68e1198fffa7b2ed10cb6eab960814ffd6d
Instruction ID: 28c454b0c66e0d30057d6c2fd9a4a81d083f446634be2f3d4283a85e5c147211
Opcode Fuzzy Hash: 87a326f0dc16ae39532b94d94bd3f68e1198fffa7b2ed10cb6eab960814ffd6d
Instruction Fuzzy Hash: 6681E9B2A183508FC314DF29D88095AF7E2BFC8744F56892EF988D7311E771D9158B86

Function 001E1610 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d427f35a97687e5e01f00ecc1c6817a71439e1d4e45df5b0e14182e5273625f6
Instruction ID: e0cf6009bc22a7a7a485c33c3bef108c6a2bfeb4e777dc5c8a612b51b955ba4b
Opcode Fuzzy Hash: d427f35a97687e5e01f00ecc1c6817a71439e1d4e45df5b0e14182e5273625f6
Instruction Fuzzy Hash: E9516D75A08B849FC718DF1AC480A6EB7E2BBD8700F5A492DE89997351EB70DD41CB81

Function 001D9890 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a8fe6d1b090a577b082f1b84c2909b3c261d652c99335dfbc0a54495cc8c833
Instruction ID: 8796e43c528759b70b66482413773a120f3890f3a066f89cf3875489b1078679
Opcode Fuzzy Hash: 5a8fe6d1b090a577b082f1b84c2909b3c261d652c99335dfbc0a54495cc8c833
Instruction Fuzzy Hash: 7651A77090C3A44AE3599B6F489402EFFF25FCA301F448E6EF5E443386D5B88515DBAA

Function 00203D70 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f8e6aa4e5d62d82952e9a0626c0f4d962b829b16ad59043467cf7c23b7c56c
Instruction ID: c152b1fadc64c98f81c7a72a1569430accdaaea45422cf8dcde05f055a7dedb0
Opcode Fuzzy Hash: 05f8e6aa4e5d62d82952e9a0626c0f4d962b829b16ad59043467cf7c23b7c56c
Instruction Fuzzy Hash: 37518775A097128FC318DF69C4D0A2AB7E0BB88704F04897CE9999B392DB30EC55CBC1

Function 001E3C60 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47cf858f34ea10218c6fce18f568a5681771a570be20a29812a016f5e65337ba
Instruction ID: 192b0b3476f3e0858e2faa09644581e546a1e98232bbd73c6078c6ea70cdd7a5
Opcode Fuzzy Hash: 47cf858f34ea10218c6fce18f568a5681771a570be20a29812a016f5e65337ba
Instruction Fuzzy Hash: 9C41B371904F458FC306DF39C89022AB3E5AFDA340F45872EF95AAB352EB3099918B41

Function 001DF6A0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c30bc251312b25c644889183640f38a21970ee43c169c51d15a3f528866790
Instruction ID: 492cb64a9baf7693e1e2888493f72bcd8b7ba565509c0c061cbb8fb0554a4dcc
Opcode Fuzzy Hash: b0c30bc251312b25c644889183640f38a21970ee43c169c51d15a3f528866790
Instruction Fuzzy Hash: 1921C3317042418BC70CCF3AD8E113AF7E2ABC9310B5A853ED557CB7A1D634E906C696

Function 0023EF30 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 276598b2e375b63a21496b34889b8e10c5eecae5072a3a70f7513c344ab59381
Instruction ID: b4ce7710ff0a5b641003983d3dcc39e1f26b64bb936992c0265586cda4ab597c
Opcode Fuzzy Hash: 276598b2e375b63a21496b34889b8e10c5eecae5072a3a70f7513c344ab59381
Instruction Fuzzy Hash: 1611D7B4A00B518FD358DF59C8D4966B3E2FB8C201B4681BDDA0A9B767CA70BC15DB84

Function 001D9CB0 Relevance: 18.8, Strings: 15, Instructions: 86COMMON

Download Yara Rule

Strings

2-by, xrefs: 001D9CFF
te k, xrefs: 001D9D22
nd 3, xrefs: 001D9CEA
te k, xrefs: 001D9D1B
expa, xrefs: 001D9DE2
nd 3, xrefs: 001D9CE3
expa, xrefs: 001D9D37
2-by, xrefs: 001D9D0D
nd 3, xrefs: 001D9CF1
te k, xrefs: 001D9D30
2-by, xrefs: 001D9D06
te k, xrefs: 001D9D29
expa, xrefs: 001D9CD5
nd 3, xrefs: 001D9CF8
2-by, xrefs: 001D9D14

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: 2-by$2-by$2-by$2-by$expa$expa$expa$nd 3$nd 3$nd 3$nd 3$te k$te k$te k$te k
API String ID: 0-4277483314
Opcode ID: 8d147a08c7b3e7e34667c38fe2d773c5df7928464a052d8abc88f286552ebb20
Instruction ID: ad64f6104b9d143a725e766f682ae679c4bc5188b75200fcdf5d1d54d561c7a1
Opcode Fuzzy Hash: 8d147a08c7b3e7e34667c38fe2d773c5df7928464a052d8abc88f286552ebb20
Instruction Fuzzy Hash: 085114B49056408FD358CF06C198BA5BBE1BF88304F2A86FAC4588F776E7768446CF51

Function 001E9CD0 Relevance: 18.0, Strings: 14, Instructions: 470COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: pointer not at beginning of allocated blocknistec: internal error: p224Table called with out-of-bounds valuenistec: internal error: p256Table called with out-of-bounds valuenistec: internal error: p384Table called with out-of-bounds value, xrefs: 001EA252
runtime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inco, xrefs: 001EA07F, 001EA107, 001EA18F
runtime.SetFinalizer: first argument is nilruntime.SetFinalizer: finalizer already setgcBgMarkWorker: unexpected gcMarkWorkerModenon in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryru, xrefs: 001EA342
because dotdotdotruntime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime., xrefs: 001EA1CB
runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultattempted to trace stack of a goroutine this thread does not ownABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCD, xrefs: 001EA2BA
runtime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpanLocked - invalid span stateattempted to add zero-sized address rangeruntime: block, xrefs: 001EA20D
`D=, xrefs: 001E9D8F
, not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failed, xrefs: 001EA317
runtime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memory: cannot allocate runtime.preemptM: duplicatehandle failedstopTheWorld: broken, xrefs: 001EA2FD
runtime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= runtime: NtCreateWaitCompletionPacket failed; errno=, xrefs: 001EA2A4
(, xrefs: 001EA307
nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated RtlGetVersion, xrefs: 001EA2D0
, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 001EA227
+, xrefs: 001EA34B

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: because dotdotdotruntime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.$($+$, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$, not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failed$`D=$nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated RtlGetVersion$runtime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inco$runtime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memory: cannot allocate runtime.preemptM: duplicatehandle failedstopTheWorld: broken$runtime.SetFinalizer: first argument is nilruntime.SetFinalizer: finalizer already setgcBgMarkWorker: unexpected gcMarkWorkerModenon in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryru$runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultattempted to trace stack of a goroutine this thread does not ownABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCD$runtime.SetFinalizer: pointer not at beginning of allocated blocknistec: internal error: p224Table called with out-of-bounds valuenistec: internal error: p256Table called with out-of-bounds valuenistec: internal error: p384Table called with out-of-bounds value$runtime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= runtime: NtCreateWaitCompletionPacket failed; errno=$runtime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpanLocked - invalid span stateattempted to add zero-sized address rangeruntime: block
API String ID: 0-2988007638
Opcode ID: 232919c3b9949ab569c3ec2c0bfafaca71336d344daae680770c49931ae31818
Instruction ID: 62e0de2111532530dd6adbe8fefedd08d87acdde09fdb54223178edbc2ce07c8
Opcode Fuzzy Hash: 232919c3b9949ab569c3ec2c0bfafaca71336d344daae680770c49931ae31818
Instruction Fuzzy Hash: D8128DB5608B928FC715DF19C48065EBBE0BF88700F41892EE9C59B392D375E946CF82

Function 001E18C0 Relevance: 16.5, Strings: 13, Instructions: 259COMMON

Download Yara Rule

Strings

) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:, xrefs: 001E1CE9
system page size ( but memory size /gc/pauses:seconds because dotdotdotruntime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames , xrefs: 001E1BCF, 001E1C31, 001E1CBD
bad system huge page sizearena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: p, xrefs: 001E1BB4
failed to get system page sizeruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/total:seconds/godebug/non-default-behavior/bcryptprimitives.dll, xrefs: 001E1D44
expected all size classes up to min size for malloc header to fit in one-page spanscrypto/cipher: use of CTR with non-AES ciphers is not allowed in FIPS 140-only modereflect.Value.Interface: cannot return value obtained from unexported field or methodreflect: , xrefs: 001E1B12
bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double wait, xrefs: 001E1C16, 001E1CA2, 001E1D2E
am Files (x86)/Go/src/unique/clone.go, xrefs: 001E1925, 001E1A5A
) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfailed to reserve page summary memoryruntime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpr, xrefs: 001E1C5D
bad TinySizeClassruntime: pointer g already scannedmark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 001E1D5A
min size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledcasGToWaitingForGC with non-isWaitingForGC wait reasonno goroutines (main called runtime.Goexit) - deadlock!trace: non-empty full trace buffer for done , xrefs: 001E1B28
) must be a power of 2system huge page size (runtime: s.allocCount= s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad pro, xrefs: 001E1B99, 001E1BFB
system huge page size (runtime: s.allocCount= s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime, xrefs: 001E1B6D
$, xrefs: 001E1CF2

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: $$) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:$) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfailed to reserve page summary memoryruntime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpr$) must be a power of 2system huge page size (runtime: s.allocCount= s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad pro$am Files (x86)/Go/src/unique/clone.go$bad TinySizeClassruntime: pointer g already scannedmark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb$bad system huge page sizearena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: p$bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double wait$expected all size classes up to min size for malloc header to fit in one-page spanscrypto/cipher: use of CTR with non-AES ciphers is not allowed in FIPS 140-only modereflect.Value.Interface: cannot return value obtained from unexported field or methodreflect: $failed to get system page sizeruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/total:seconds/godebug/non-default-behavior/bcryptprimitives.dll$min size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledcasGToWaitingForGC with non-isWaitingForGC wait reasonno goroutines (main called runtime.Goexit) - deadlock!trace: non-empty full trace buffer for done $system huge page size (runtime: s.allocCount= s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime$system page size ( but memory size /gc/pauses:seconds because dotdotdotruntime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames
API String ID: 0-264769081
Opcode ID: be5408ecbfd745663d46bee3db6f9766e7b4d8e4658d519fea6ad8a96dfa329e
Instruction ID: f78f4fdef44b7996f16b05acacf140eeb0ecac1d93dddd838d50610c857098d6
Opcode Fuzzy Hash: be5408ecbfd745663d46bee3db6f9766e7b4d8e4658d519fea6ad8a96dfa329e
Instruction Fuzzy Hash: 10C158B411AB449FD304EF65D89576EBBE5FB98304F01883EE4888B292E7749948DF12

Function 001E1D80 Relevance: 14.1, Strings: 11, Instructions: 345COMMON

Download Yara Rule

Strings

., xrefs: 001E2322
out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbi, xrefs: 001E2068
) not in usable address space: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: , xrefs: 001E22E5
region exceeds uintptr range/gc/heap/frees-by-size:bytes/gc/heap/tiny/allocs:objects/sched/goroutines:goroutinesgcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: m, xrefs: 001E2234
memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memorysysGrow bounds not aligned to pallocChunkBytesruntime: failed to create new OS thread (have runtime: panic before malloc h, xrefs: 001E2319
out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning wit, xrefs: 001E2052
misrounded allocation in sysAllocruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec, xrefs: 001E2266
out of memory allocating heap arena map/cpu/classes/gc/mark/assist:cpu-seconds/cpu/classes/scavenge/total:cpu-seconds/memory/classes/profiling/buckets:bytesmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResume, xrefs: 001E209E
am Files (x86)/Go/src/unique/clone.go, xrefs: 001E1DD4, 001E219A
runtime: memory allocated by OS [misrounded allocation in sysAllocruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:b, xrefs: 001E2291
arena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p , xrefs: 001E207E

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: ) not in usable address space: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: $.$am Files (x86)/Go/src/unique/clone.go$arena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p $memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memorysysGrow bounds not aligned to pallocChunkBytesruntime: failed to create new OS thread (have runtime: panic before malloc h$misrounded allocation in sysAllocruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec$out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning wit$out of memory allocating heap arena map/cpu/classes/gc/mark/assist:cpu-seconds/cpu/classes/scavenge/total:cpu-seconds/memory/classes/profiling/buckets:bytesmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResume$out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbi$region exceeds uintptr range/gc/heap/frees-by-size:bytes/gc/heap/tiny/allocs:objects/sched/goroutines:goroutinesgcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: m$runtime: memory allocated by OS [misrounded allocation in sysAllocruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:b
API String ID: 0-1956721644
Opcode ID: b6e8419f0b8b14e21b5d8b3395d5bf40a8a2f33ac69a8678d3209f1f242644a2
Instruction ID: 0ba82d6bce17cf79c92cdb280254fce37b265f8d49854d134b4589ef00b244e6
Opcode Fuzzy Hash: b6e8419f0b8b14e21b5d8b3395d5bf40a8a2f33ac69a8678d3209f1f242644a2
Instruction Fuzzy Hash: 06F113B46097458FC714EF29C48065EBBF5BF88700F45892EE9988B352E775E948CF82

Function 002373B0 Relevance: 13.9, Strings: 11, Instructions: 175COMMON

Download Yara Rule

Strings

base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppopcntcmd/gonetdnsX25519headerAnswer-money:Usage:abortedCopySidWSARecvWSASendconnectsignal readdirwriteatconsoleshadowsfloat32float64invaliduintptrChan, xrefs: 002374ED
not in ranges:23841857910156250123456789ABCDEFtime: bad [0-9]*DuplicateTokenExGetCurrentThreadGetModuleHandleWRtlVirtualUnwindexec: no commandGODEBUG: value "[bisect-match 0xdivision by zerolength too largeRCodeFormatErrorC:\/$Recycle.Bin\permission deniedwr, xrefs: 00237517
- NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CETBSTMSK-06+14St, xrefs: 00237648
out of range no module data in goroutine runtime: seq1=runtime: goid=invalid syntax1907348632812595367431640625time.Location(: extra text: OpenSCManagerWModule32FirstWunreachable: crypto/fips140mime/multipartRegSetValueExWdata truncatedunknown dsbyteRCodeNam, xrefs: 0023761E
runtime: type offset base pointer out of rangeruntime: text offset base pointer out of rangex509: failed to unmarshal elliptic curve pointcipher.NewCTR: IV length must equal block sizeinvariant failed: growthLeft is unexpectedly 0math/big: mismatched montgomer, xrefs: 002375D2
runtime: type offset out of range142108547152020037174224853515625710542735760100185871124267578125skip everything and stop the walkGetVolumeNameForVolumeMountPointWwaiting for unsupported file typex509: invalid RSA public exponentconcurrent map read and map w, xrefs: 0023767C
types : type 19531259765625TuesdayJanuaryOctoberMUI_StdMUI_Dlt\\.\UNCEd25519MD5-RSAPATHEXTavx512fos/execfips140runtimetls3desSHA-224SHA-256SHA-384SHA-512AES-CBC[Money] C:\Boot\durationno anodeCancelIoReadFileAcceptExWSAIoctlshutdownFullPathvssadminGoStringsca, xrefs: 00237562
`D=, xrefs: 002373D8, 00237532
etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil PoolwsaioctlSHA1-RSADSA-SHA1overflowavx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlsmlkem#fips140CTR_DRBGMD5+SHA1SHA3-224SHA3-256SHA3-384SHA3-512default:SHA2-256SHA2, xrefs: 0023758C
!, xrefs: 00237685
runtime: typeOff runtime: textOff 1192092895507812559604644775390625invalid bit size GTB Standard TimeFLE Standard TimeGMT Standard Timefractional secondos/exec.Command(exec: killing Cmdexec: not startedmultipartmaxpartsRegLoadMUIStringWunexpected result%%!%c, xrefs: 002374C4, 002375F5

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: types : type 19531259765625TuesdayJanuaryOctoberMUI_StdMUI_Dlt\\.\UNCEd25519MD5-RSAPATHEXTavx512fos/execfips140runtimetls3desSHA-224SHA-256SHA-384SHA-512AES-CBC[Money] C:\Boot\durationno anodeCancelIoReadFileAcceptExWSAIoctlshutdownFullPathvssadminGoStringsca$ - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CETBSTMSK-06+14St$ base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppopcntcmd/gonetdnsX25519headerAnswer-money:Usage:abortedCopySidWSARecvWSASendconnectsignal readdirwriteatconsoleshadowsfloat32float64invaliduintptrChan$ etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil PoolwsaioctlSHA1-RSADSA-SHA1overflowavx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlsmlkem#fips140CTR_DRBGMD5+SHA1SHA3-224SHA3-256SHA3-384SHA3-512default:SHA2-256SHA2$ not in ranges:23841857910156250123456789ABCDEFtime: bad [0-9]*DuplicateTokenExGetCurrentThreadGetModuleHandleWRtlVirtualUnwindexec: no commandGODEBUG: value "[bisect-match 0xdivision by zerolength too largeRCodeFormatErrorC:\/$Recycle.Bin\permission deniedwr$ out of range no module data in goroutine runtime: seq1=runtime: goid=invalid syntax1907348632812595367431640625time.Location(: extra text: OpenSCManagerWModule32FirstWunreachable: crypto/fips140mime/multipartRegSetValueExWdata truncatedunknown dsbyteRCodeNam$!$`D=$runtime: type offset base pointer out of rangeruntime: text offset base pointer out of rangex509: failed to unmarshal elliptic curve pointcipher.NewCTR: IV length must equal block sizeinvariant failed: growthLeft is unexpectedly 0math/big: mismatched montgomer$runtime: type offset out of range142108547152020037174224853515625710542735760100185871124267578125skip everything and stop the walkGetVolumeNameForVolumeMountPointWwaiting for unsupported file typex509: invalid RSA public exponentconcurrent map read and map w$runtime: typeOff runtime: textOff 1192092895507812559604644775390625invalid bit size GTB Standard TimeFLE Standard TimeGMT Standard Timefractional secondos/exec.Command(exec: killing Cmdexec: not startedmultipartmaxpartsRegLoadMUIStringWunexpected result%%!%c
API String ID: 0-3480363644
Opcode ID: c1eafdf68aef04dcb3faefbf536d57419fd8f3790298b9cb208d9cc0d7a251b8
Instruction ID: 8f909a0aa5cabf927d66d7c13ae060eaea9f75ceb81681c010189034947e0557
Opcode Fuzzy Hash: c1eafdf68aef04dcb3faefbf536d57419fd8f3790298b9cb208d9cc0d7a251b8
Instruction Fuzzy Hash: FA8116B452A7019FD744EF64C481A5EBBE4FF88704F40882EE88887352E774D954DF52

Function 00237100 Relevance: 13.9, Strings: 11, Instructions: 156COMMON

Download Yara Rule

Strings

base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppopcntcmd/gonetdnsX25519headerAnswer-money:Usage:abortedCopySidWSARecvWSASendconnectsignal readdirwriteatconsoleshadowsfloat32float64invaliduintptrChan, xrefs: 002371F8
runtime: name offset out of rangeruntime: type offset out of range142108547152020037174224853515625710542735760100185871124267578125skip everything and stop the walkGetVolumeNameForVolumeMountPointWwaiting for unsupported file typex509: invalid RSA public expo, xrefs: 0023738B
not in ranges:23841857910156250123456789ABCDEFtime: bad [0-9]*DuplicateTokenExGetCurrentThreadGetModuleHandleWRtlVirtualUnwindexec: no commandGODEBUG: value "[bisect-match 0xdivision by zerolength too largeRCodeFormatErrorC:\/$Recycle.Bin\permission deniedwr, xrefs: 00237222
- NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CETBSTMSK-06+14St, xrefs: 00237357
out of range no module data in goroutine runtime: seq1=runtime: goid=invalid syntax1907348632812595367431640625time.Location(: extra text: OpenSCManagerWModule32FirstWunreachable: crypto/fips140mime/multipartRegSetValueExWdata truncatedunknown dsbyteRCodeNam, xrefs: 0023732D
!, xrefs: 00237394
types : type 19531259765625TuesdayJanuaryOctoberMUI_StdMUI_Dlt\\.\UNCEd25519MD5-RSAPATHEXTavx512fos/execfips140runtimetls3desSHA-224SHA-256SHA-384SHA-512AES-CBC[Money] C:\Boot\durationno anodeCancelIoReadFileAcceptExWSAIoctlshutdownFullPathvssadminGoStringsca, xrefs: 00237271
runtime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangex509: failed to unmarshal elliptic curve pointcipher.NewCTR: IV length must equal block sizeinvariant failed: growthLeft i, xrefs: 002372E1
`D=, xrefs: 00237123, 0023723D
runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625invalid bit size GTB Standard TimeFLE Standard TimeGMT Standard Timefractional secondos/exec.Command(exec: killing Cmdexec: not startedmultipartmaxpartsRegLoadMUIStringWunexp, xrefs: 002371CF, 00237304
etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil PoolwsaioctlSHA1-RSADSA-SHA1overflowavx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlsmlkem#fips140CTR_DRBGMD5+SHA1SHA3-224SHA3-256SHA3-384SHA3-512default:SHA2-256SHA2, xrefs: 0023729B

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: types : type 19531259765625TuesdayJanuaryOctoberMUI_StdMUI_Dlt\\.\UNCEd25519MD5-RSAPATHEXTavx512fos/execfips140runtimetls3desSHA-224SHA-256SHA-384SHA-512AES-CBC[Money] C:\Boot\durationno anodeCancelIoReadFileAcceptExWSAIoctlshutdownFullPathvssadminGoStringsca$ - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CETBSTMSK-06+14St$ base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppopcntcmd/gonetdnsX25519headerAnswer-money:Usage:abortedCopySidWSARecvWSASendconnectsignal readdirwriteatconsoleshadowsfloat32float64invaliduintptrChan$ etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil PoolwsaioctlSHA1-RSADSA-SHA1overflowavx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlsmlkem#fips140CTR_DRBGMD5+SHA1SHA3-224SHA3-256SHA3-384SHA3-512default:SHA2-256SHA2$ not in ranges:23841857910156250123456789ABCDEFtime: bad [0-9]*DuplicateTokenExGetCurrentThreadGetModuleHandleWRtlVirtualUnwindexec: no commandGODEBUG: value "[bisect-match 0xdivision by zerolength too largeRCodeFormatErrorC:\/$Recycle.Bin\permission deniedwr$ out of range no module data in goroutine runtime: seq1=runtime: goid=invalid syntax1907348632812595367431640625time.Location(: extra text: OpenSCManagerWModule32FirstWunreachable: crypto/fips140mime/multipartRegSetValueExWdata truncatedunknown dsbyteRCodeNam$!$`D=$runtime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangex509: failed to unmarshal elliptic curve pointcipher.NewCTR: IV length must equal block sizeinvariant failed: growthLeft i$runtime: name offset out of rangeruntime: type offset out of range142108547152020037174224853515625710542735760100185871124267578125skip everything and stop the walkGetVolumeNameForVolumeMountPointWwaiting for unsupported file typex509: invalid RSA public expo$runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625invalid bit size GTB Standard TimeFLE Standard TimeGMT Standard Timefractional secondos/exec.Command(exec: killing Cmdexec: not startedmultipartmaxpartsRegLoadMUIStringWunexp
API String ID: 0-85076904
Opcode ID: 32cb2facd9b8ea78522c88e250971f01ad0f39283cda9246d63538a5d4600d9c
Instruction ID: a2d7270257cb8d835a8594980de6b31130797d53b8390735d8f0bfaa2f84d77f
Opcode Fuzzy Hash: 32cb2facd9b8ea78522c88e250971f01ad0f39283cda9246d63538a5d4600d9c
Instruction Fuzzy Hash: 1B61F2B452A7018FD740EFA4C48566EBBE4BB88704F40886EF48887392E7749954DF52

Function 001ECF90 Relevance: 12.8, Strings: 10, Instructions: 285COMMON

Download Yara Rule

Strings

gcBgMarkWorker: blackening not enabledcannot read stack of running goroutineruntime: blocked read on free polldescruntime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more th, xrefs: 001ED431
work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= , xrefs: 001ED2E4
work.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread I, xrefs: 001ED3C3
runtime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 001ED2BB
&, xrefs: 001ED43A
runtime: work.nwait= previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdea, xrefs: 001ED365
gcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on , xrefs: 001ED3D9
work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status=, xrefs: 001ED30E, 001ED38F
work.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocres, xrefs: 001ED342
GC worker initruntime: full=runtime: want=MB; allocated RtlGetVersion, xrefs: 001ECFD4

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status=$ work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= $&$GC worker initruntime: full=runtime: want=MB; allocated RtlGetVersion$gcBgMarkWorker: blackening not enabledcannot read stack of running goroutineruntime: blocked read on free polldescruntime: LoadLibraryExW failed; errno=runtime: GetProcAddress failed; errno=runtime: sudog with non-false isSelectarg size to reflect.call more th$gcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on $runtime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$runtime: work.nwait= previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdea$work.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocres$work.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread I
API String ID: 0-471095910
Opcode ID: 8ae37723fb481223a89917c49bdcda0e7c187b7b8e9a5d30c8f8780d30e5e778
Instruction ID: 096c10524dff992b3d8d18b868cf1025afeff6adc13f29e457d52b70385d27e4
Opcode Fuzzy Hash: 8ae37723fb481223a89917c49bdcda0e7c187b7b8e9a5d30c8f8780d30e5e778
Instruction Fuzzy Hash: B1D1EDB45197448FC344EF69D080A2ABBF1FF99304F00896EE9988B362D735E884CF52

Function 001ED6A0 Relevance: 12.8, Strings: 10, Instructions: 276COMMON

Download Yara Rule

Strings

runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targe, xrefs: 001ED856
nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at en, xrefs: 001EDAA6
next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppopcntcm, xrefs: 001EDA28
flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from , xrefs: 001ED880
8, xrefs: 001EDB4E
runtime: full=runtime: want=MB; allocated RtlGetVersion, xrefs: 001ED9FE
wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)total < 0traceback} stack=[ gp.goid= lockedm, xrefs: 001ED8C6
nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc , xrefs: 001EDAFA
in gcMark expecting to see gcphase as _GCmarkterminationruntime: NtAssociateWaitCompletionPacket failed; errno= crypto/cipher: internal error: generic CTR used with AESb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4b70e0cbd6bb4bf7f321390b94a03c1d356c2, xrefs: 001EDB45
P has cached GC work at end of mark terminationfailed to acquire lock to start a GC transitionfinishGCTransition called without starting one?tried to sleep scavenger from another goroutineruntime: CreateIoCompletionPort failed (errno= racy sudog adjustment due, xrefs: 001ED94B

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from $ nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at en$ nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc $ next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppopcntcm$ wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)total < 0traceback} stack=[ gp.goid= lockedm$8$P has cached GC work at end of mark terminationfailed to acquire lock to start a GC transitionfinishGCTransition called without starting one?tried to sleep scavenger from another goroutineruntime: CreateIoCompletionPort failed (errno= racy sudog adjustment due$in gcMark expecting to see gcphase as _GCmarkterminationruntime: NtAssociateWaitCompletionPacket failed; errno= crypto/cipher: internal error: generic CTR used with AESb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4b70e0cbd6bb4bf7f321390b94a03c1d356c2$runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targe$runtime: full=runtime: want=MB; allocated RtlGetVersion
API String ID: 0-2091269373
Opcode ID: 2f2f3225e551b402e0c62eb57ced6d68d94ff176efb321defc46630f17df5b28
Instruction ID: 946aed909ad37a8723f25a006cf788df7dfc6424f2177486d9800f468886f99d
Opcode Fuzzy Hash: 2f2f3225e551b402e0c62eb57ced6d68d94ff176efb321defc46630f17df5b28
Instruction Fuzzy Hash: 21D1E4B451A740CFD340EF69D485A1EBBE5BF88704F41886EF9888B392E7349854DF12

Function 00219CC0 Relevance: 12.7, Strings: 10, Instructions: 241COMMON

Download Yara Rule

Strings

nmidlelocked= needspinning=randinit twicestore64 failedmemprofileratesemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=invalid syntax1907348632812595367431640625time.Loc, xrefs: 00219FAC
mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil PoolwsaioctlSHA1-RSADSA-SHA1overflowavx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlsmlkem#fips140CTR_, xrefs: 00219FD6
all goroutines are asleep - deadlock!2220446049250313080847263336181640625internal error: unknown network type godebug: unexpected IncNonDefault of x509: RSA key missing NULL parameterscipher: message authentication failedcrypto/cipher: invalid buffer overlapb, xrefs: 00219F33
%, xrefs: 00219F3C
runtime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a power of 2too many callback functionstimer when must b, xrefs: 00219F62
nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625TuesdayJanuaryOctoberMUI_StdMUI_Dlt\\.\UNCEd25519MD5-RSAPATHEXTavx512fos/execfips140runtimetls3desSHA-224SHA-256SHA-384SHA-512AES-CBC[Money] C:\Boot, xrefs: 0021A000
checkdead: no p for timercheckdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStart2910383045673370361328125South Sudan Standard TimeUS Mountain Standard TimeMiddle Eas, xrefs: 00219EF5
checkdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStart2910383045673370361328125South Sudan Standard TimeUS Mountain Standard TimeMiddle East Standard TimeTransbaika, xrefs: 00219ECF
no goroutines (main called runtime.Goexit) - deadlock!trace: non-empty full trace buffer for done generationtrace: non-empty full trace buffer for next generationgoroutine running on other thread; stack unavailableinternal error: polling on unsupported descr, xrefs: 00219DBE
checkdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible type kind unsafe.Slice: len out of range22737367544323205947, xrefs: 0021A044

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil PoolwsaioctlSHA1-RSADSA-SHA1overflowavx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlsmlkem#fips140CTR_$ nmidlelocked= needspinning=randinit twicestore64 failedmemprofileratesemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=invalid syntax1907348632812595367431640625time.Loc$ nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625TuesdayJanuaryOctoberMUI_StdMUI_Dlt\\.\UNCEd25519MD5-RSAPATHEXTavx512fos/execfips140runtimetls3desSHA-224SHA-256SHA-384SHA-512AES-CBC[Money] C:\Boot$%$all goroutines are asleep - deadlock!2220446049250313080847263336181640625internal error: unknown network type godebug: unexpected IncNonDefault of x509: RSA key missing NULL parameterscipher: message authentication failedcrypto/cipher: invalid buffer overlapb$checkdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible type kind unsafe.Slice: len out of range22737367544323205947$checkdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStart2910383045673370361328125South Sudan Standard TimeUS Mountain Standard TimeMiddle East Standard TimeTransbaika$checkdead: no p for timercheckdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStart2910383045673370361328125South Sudan Standard TimeUS Mountain Standard TimeMiddle Eas$no goroutines (main called runtime.Goexit) - deadlock!trace: non-empty full trace buffer for done generationtrace: non-empty full trace buffer for next generationgoroutine running on other thread; stack unavailableinternal error: polling on unsupported descr$runtime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a power of 2too many callback functionstimer when must b
API String ID: 0-1274400293
Opcode ID: 303f6ae84a52db903aa56093fefb608c08d58886c61a01224f66328a7d14859d
Instruction ID: e0eaff4c23657ec87d8849d24a88883a30e3b70b4987f60326c40f297e3c6bbf
Opcode Fuzzy Hash: 303f6ae84a52db903aa56093fefb608c08d58886c61a01224f66328a7d14859d
Instruction Fuzzy Hash: 1FA176B452A3048FC704EF64D491AAEBBE4BF99304F44483EE8898B352E770D994CF56

Function 001DD520 Relevance: 12.7, Strings: 10, Instructions: 199COMMON

Download Yara Rule

Strings

(types from different packages)runtime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointergetW, xrefs: 001DD71C
, not object next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrd, xrefs: 001DD61F
: missing method notetsleepg on g0bad TinySizeClassruntime: pointer g already scannedmark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 001DD7DB
(types from different scopes)notetsleep - waitm out of syncfailed to get system page sizeruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/tot, xrefs: 001DD754
interface conversion: freeIndex is not valids.freeindex > s.nelemsbad sweepgen in refillspan has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not o, xrefs: 001DD5E3, 001DD79F, 001DD845
interfaceinvalid nreflect: funcargs(bad indirInterfacetimerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutinecopystack ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.), xrefs: 001DD550
is not pointerBAD RANK status unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil , xrefs: 001DD7B9
is LEAFbase of ) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125AtoiJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT as hour.com.exe.bat.cmdpathermsfsrmsse3avx2bmi1bmi2time,#=:asn1tag:icmpigmpCAST80000fal, xrefs: 001DD605
is nil, not value method span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads=, xrefs: 001DD867
, xrefs: 001DD726

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: $ (types from different packages)runtime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointergetW$ (types from different scopes)notetsleep - waitm out of syncfailed to get system page sizeruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/tot$ is LEAFbase of ) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125AtoiJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT as hour.com.exe.bat.cmdpathermsfsrmsse3avx2bmi1bmi2time,#=:asn1tag:icmpigmpCAST80000fal$ is nil, not value method span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads=$ is not pointerBAD RANK status unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil $, not object next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrd$: missing method notetsleepg on g0bad TinySizeClassruntime: pointer g already scannedmark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb$interface conversion: freeIndex is not valids.freeindex > s.nelemsbad sweepgen in refillspan has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not o$interfaceinvalid nreflect: funcargs(bad indirInterfacetimerSendpollCacheprofBlockstackpoolhchanLeafwbufSpansGC (idle)mSpanDeadinittracescavtracepanicwaitchan sendpreemptedcoroutinecopystack ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.)
API String ID: 0-3642054924
Opcode ID: 53eb3f8e8569c006682dc5011158594e1255631081e62601550a18921fc346ec
Instruction ID: d5be0f6f83ed65bc526d9e7d1bc2448b6913dbff41a2a6e09e33efbc466fe22f
Opcode Fuzzy Hash: 53eb3f8e8569c006682dc5011158594e1255631081e62601550a18921fc346ec
Instruction Fuzzy Hash: BCA18BB85083419FD718DF29D090A6ABBF1BF88704F50896EF8D987360DB75A848CF42

Function 001F0FD0 Relevance: 11.7, Strings: 9, Instructions: 437COMMON

Download Yara Rule

Strings

, xrefs: 001F166E
mark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 001F1274
can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowunexpected syncgroup setdouble traceGCSweepS, xrefs: 001F1585
remaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: invalid p statecheckdead: no p for timercheckdead: no m for timerunknown si, xrefs: 001F14C6
scanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointergetWeakHandle on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket, xrefs: 001F1665
, goid= s=nil (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625TuesdayJanuaryOctoberMUI_StdMUI_Dlt\\.\UNCEd25519MD5-RSAPATHEXTavx512fos/execf, xrefs: 001F1210, 001F1601, 001F16D8
`D=, xrefs: 001F1465
, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp, xrefs: 001F1240, 001F1631, 001F1708
runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p stateassembly checks failedstack not a power of 2minpc or maxpc invalidcompileCallback: type syscall: n > len(a, xrefs: 001F16B3

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: $, goid= s=nil (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625TuesdayJanuaryOctoberMUI_StdMUI_Dlt\\.\UNCEd25519MD5-RSAPATHEXTavx512fos/execf$, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp$`D=$can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowunexpected syncgroup setdouble traceGCSweepS$mark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb$remaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: invalid p statecheckdead: no p for timercheckdead: no m for timerunknown si$runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p stateassembly checks failedstack not a power of 2minpc or maxpc invalidcompileCallback: type syscall: n > len(a$scanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointergetWeakHandle on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket
API String ID: 0-3357452238
Opcode ID: 36e8a3e270ba5f34ebf29a6d6f5a5007566556d4bf1146d0cfb05b81ce3d4c12
Instruction ID: 63de3e323e638435a513a26f73d6758fd4c2fe751f48fbeb75868cd4fcaec97b
Opcode Fuzzy Hash: 36e8a3e270ba5f34ebf29a6d6f5a5007566556d4bf1146d0cfb05b81ce3d4c12
Instruction Fuzzy Hash: AC22E474509744DFC764EF64C080BAABBE1BF89304F15896DE99887352EB34D888DF52

Function 001D1C10 Relevance: 11.6, Strings: 9, Instructions: 326COMMON

Download Yara Rule

Strings

!, xrefs: 001D1DFC
GODEBUG: no value specified for "unaligned 64-bit atomic operationindefinite length found (not DER)struct contains unexported fieldscrypto/aes: output not full blocksha3: invalid hash state functionscalar has high bit set illegallyflag provided but not defined, xrefs: 001D1DF3
GODEBUG: can not enable "unexpected key value typeExpandEnvironmentStringsWtesting simulated failureunknown Go type for sliceexplicit tag has no childinvalid request descriptorno CSI structure availablerequired key not availableno message of desired typename n, xrefs: 001D1E95
", missing CPU supportexit hook invoked panicpattern bits too long: asn1: structure error: truncated tag or lengthEd25519 sign and verifyed25519: bad public keyP224 point not on curveP256 point not on curveP384 point not on curveP521 point not on curveinvalid, xrefs: 001D1EBF
"os0b0x0X0ointregaddcmdnilEOFmapptr...finobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+0, xrefs: 001D1DBE, 001D1E1D, 001D1FFE
" not supported for cpu option "input overflows the modulus sizeinteger is not minimally encodedecdsa: internal error: r is zeroecdsa: internal error: s is zeroed25519: bad public key length: crypto/aes: input not full blocksubtle.XORBytes: invalid overlapC:\P, xrefs: 001D1D94
cpu., xrefs: 001D1C81
GODEBUG: value "[bisect-match 0xdivision by zerolength too largeRCodeFormatErrorC:\/$Recycle.Bin\permission deniedwrong medium typeno data availableexec format errorLookupAccountSidWDnsRecordListFreeGetCurrentProcessGetShortPathNameWWSAEnumProtocolsWwinreadlin, xrefs: 001D1D6A
GODEBUG: unknown cpu feature "sync: inconsistent mutex statesync: unlock of unlocked mutexfips: invalid self-test name: crypto/ecdh: mismatched curvessubtle.XORBytes: dst too shortcannot assign requested address.lib section in a.out corruptedfmt: unknown base;, xrefs: 001D1FD4

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: !$"os0b0x0X0ointregaddcmdnilEOFmapptr...finobjgc %: gp *(in n= ) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+0$" not supported for cpu option "input overflows the modulus sizeinteger is not minimally encodedecdsa: internal error: r is zeroecdsa: internal error: s is zeroed25519: bad public key length: crypto/aes: input not full blocksubtle.XORBytes: invalid overlapC:\P$", missing CPU supportexit hook invoked panicpattern bits too long: asn1: structure error: truncated tag or lengthEd25519 sign and verifyed25519: bad public keyP224 point not on curveP256 point not on curveP384 point not on curveP521 point not on curveinvalid$GODEBUG: can not enable "unexpected key value typeExpandEnvironmentStringsWtesting simulated failureunknown Go type for sliceexplicit tag has no childinvalid request descriptorno CSI structure availablerequired key not availableno message of desired typename n$GODEBUG: no value specified for "unaligned 64-bit atomic operationindefinite length found (not DER)struct contains unexported fieldscrypto/aes: output not full blocksha3: invalid hash state functionscalar has high bit set illegallyflag provided but not defined$GODEBUG: unknown cpu feature "sync: inconsistent mutex statesync: unlock of unlocked mutexfips: invalid self-test name: crypto/ecdh: mismatched curvessubtle.XORBytes: dst too shortcannot assign requested address.lib section in a.out corruptedfmt: unknown base;$GODEBUG: value "[bisect-match 0xdivision by zerolength too largeRCodeFormatErrorC:\/$Recycle.Bin\permission deniedwrong medium typeno data availableexec format errorLookupAccountSidWDnsRecordListFreeGetCurrentProcessGetShortPathNameWWSAEnumProtocolsWwinreadlin$cpu.
API String ID: 0-3997687518
Opcode ID: 73f3cff4135a35f25ea6640d3cf457a0fcc9deab3d72f7130680fd9f5d9e5709
Instruction ID: 7c05c67b858c7db04ee2be33b50617e9193253c7db14641ae94e3972f5d9e2ae
Opcode Fuzzy Hash: 73f3cff4135a35f25ea6640d3cf457a0fcc9deab3d72f7130680fd9f5d9e5709
Instruction Fuzzy Hash: BFD1BF74619315AFC714EFA4C48092EBBE2AFD8304F45892EF8998B392D730E945DF52

Function 001F2B30 Relevance: 10.2, Strings: 8, Instructions: 239COMMON

Download Yara Rule

Strings

s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=3814697265625, xrefs: 001F2C45
s=nil (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625TuesdayJanuaryOctoberMUI_StdMUI_Dlt\\.\UNCEd25519MD5-RSAPATHEXTavx512fos/execfips140r, xrefs: 001F2DA5
) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125AtoiJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT as hour.com.exe.bat.cmdpathermsfsrmsse3avx2bmi1bmi2time,#=:asn1tag:icmpigmpCAST80000falsevaluefloat -%, xrefs: 001F2E7D
s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)total < 0traceback} stack=[ gp.goid= lockedm=244140625ParseUin, xrefs: 001F2C1B
s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=active < 0, xrefs: 001F2BF1
... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalGreeksse41sse42ssse3SHA-1P-256P-384P-521P-224filesstring hangupkilledlistensocketreadatdelete/quietStringForma, xrefs: 001F2DF9, 001F2F03
unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil PoolwsaioctlSHA1-RSADSA-SHA1over, xrefs: 001F2D15
*(in n= ) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CETBS, xrefs: 001F2E29

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: *(in n= ) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CETBS$ ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalGreeksse41sse42ssse3SHA-1P-256P-384P-521P-224filesstring hangupkilledlistensocketreadatdelete/quietStringForma$ s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=active < 0$ s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)total < 0traceback} stack=[ gp.goid= lockedm=244140625ParseUin$ s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=3814697265625$ s=nil (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625TuesdayJanuaryOctoberMUI_StdMUI_Dlt\\.\UNCEd25519MD5-RSAPATHEXTavx512fos/execfips140r$) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125AtoiJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT as hour.com.exe.bat.cmdpathermsfsrmsse3avx2bmi1bmi2time,#=:asn1tag:icmpigmpCAST80000falsevaluefloat -%$unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil PoolwsaioctlSHA1-RSADSA-SHA1over
API String ID: 0-3410059045
Opcode ID: fd98e3c2ac7418c2f5de8e2eed8dd39a51797ed95f096ace52c3a1fe1316c4bf
Instruction ID: debd06d2596fea51516273b88f5bd52f4cfa9db0c6f573409de0b2226cb670e9
Opcode Fuzzy Hash: fd98e3c2ac7418c2f5de8e2eed8dd39a51797ed95f096ace52c3a1fe1316c4bf
Instruction Fuzzy Hash: 58B1E5B451A7048FD344EFA8C585B2EBBE5AF88304F45886DF9888B392E734D954DF12

Function 0020EB60 Relevance: 10.2, Strings: 8, Instructions: 223COMMON

Download Yara Rule

Strings

runtime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too longinvalid function symbol tabl, xrefs: 0020EDDD
runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime: wrong goroutine in newstackruntime:, xrefs: 0020EDF3
$, xrefs: 0020EE8C
runtime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runt, xrefs: 0020EE4B
runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumber1110223024625156540423631668090820312555511151231257827021181583404541015625time: missing Location in call to Dateconcurrent map iteration and map, xrefs: 0020EE35
runtime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoned2842, xrefs: 0020EE1F
runtime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=methodValueCallFrameObjs is not in a modulesynctest timer accessed from outside bubblemu, xrefs: 0020EDC7
runtime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoned28421709430404007434844970703125: da, xrefs: 0020EE09

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: $$runtime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=methodValueCallFrameObjs is not in a modulesynctest timer accessed from outside bubblemu$runtime: sudog with non-false isSelectarg size to reflect.call more than 1GBv could not fit in traceBytesPerNumber1110223024625156540423631668090820312555511151231257827021181583404541015625time: missing Location in call to Dateconcurrent map iteration and map$runtime: sudog with non-nil centersyscall inconsistent bp entersyscall inconsistent sp gfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too longinvalid function symbol tabl$runtime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runt$runtime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoned2842$runtime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoned28421709430404007434844970703125: da$runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime: wrong goroutine in newstackruntime:
API String ID: 0-3880860840
Opcode ID: 697e019a9d09ccfcb37df7fcc4f28e1f812ec4cedd53daaf6447d024ac974e3b
Instruction ID: 9320578e661ddf45d7a9d985078b90520a8f721ca7ac693fc7301b4dd182d920
Opcode Fuzzy Hash: 697e019a9d09ccfcb37df7fcc4f28e1f812ec4cedd53daaf6447d024ac974e3b
Instruction Fuzzy Hash: EBA157B46157468FCB14EF15C5C0A5ABBF9FF98300F41882EE9898B392D730A964CF52

Function 001DF1D0 Relevance: 10.2, Strings: 8, Instructions: 218COMMON

Download Yara Rule

Strings

panicwrap: unexpected string after type name: memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memorysysGrow bounds not aligned to pallocChunkBytesruntime: failed to create new , xrefs: 001DF369
., xrefs: 001DF373
pointerBAD RANK status unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil Poolwsai, xrefs: 001DF4A4
panicwrap: no ( in panicwrap: no ) in called using nil *unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free , xrefs: 001DF570
value method span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=, xrefs: 001DF3FD
called using nil *unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (eager), [controller , xrefs: 001DF47E
panicwrap: no ) in called using nil *unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (ea, xrefs: 001DF513
panicwrap: unexpected string after package name: runtime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: wai, xrefs: 001DF2A8

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: called using nil *unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (eager), [controller $ pointerBAD RANK status unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil Poolwsai$.$panicwrap: no ( in panicwrap: no ) in called using nil *unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free $panicwrap: no ) in called using nil *unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (ea$panicwrap: unexpected string after package name: runtime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: wai$panicwrap: unexpected string after type name: memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memorysysGrow bounds not aligned to pallocChunkBytesruntime: failed to create new $value method span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=
API String ID: 0-136763669
Opcode ID: 0c2b0b8705ace9ab99d9b55e960c55c8780affe18f7d3d4b855b59e02b617215
Instruction ID: 3be74ee84b944007a3220009815571f80778c0e3ec2a1d667f762db519be86d9
Opcode Fuzzy Hash: 0c2b0b8705ace9ab99d9b55e960c55c8780affe18f7d3d4b855b59e02b617215
Instruction Fuzzy Hash: 98B1AFB49183419FC728DF68D585B9EBBE1BF88300F41892EE88987351DB74A949CF52

Function 001FA450 Relevance: 10.2, Strings: 8, Instructions: 177COMMON

Download Yara Rule

Strings

alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppopcntcmd/gonetdnsX25519headerAnswer-money:U, xrefs: 001FA5C9
runtime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not, xrefs: 001FA484
(bad use of unsafe.Pointer or having race conditions? try -d=checkptr or -race)expected all size classes up to min size for malloc header to fit in one-page spanscrypto/cipher: use of CTR with non-AES ciphers is not allowed in FIPS 140-only modereflect.Value, xrefs: 001FA4FA
zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625TuesdayJanuaryOctoberMUI_StdMUI_Dlt\\.\UNCEd25519MD5-RSAPATHEXTavx512fos/execfips140runtimetls3desSHA-224SHA-256SHA-384S, xrefs: 001FA681
found pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1, xrefs: 001FA726
marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)total < 0traceback} stack=[ gp.goid= lockedm=244140625ParseUintWednesdaySeptember-07:00:00Z07:00:0, xrefs: 001FA61B
Q, xrefs: 001FA503
, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: running < 0runtime: g : frame.sp=created, xrefs: 001FA4A6

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: (bad use of unsafe.Pointer or having race conditions? try -d=checkptr or -race)expected all size classes up to min size for malloc header to fit in one-page spanscrypto/cipher: use of CTR with non-AES ciphers is not allowed in FIPS 140-only modereflect.Value$ alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppopcntcmd/gonetdnsX25519headerAnswer-money:U$ marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)total < 0traceback} stack=[ gp.goid= lockedm=244140625ParseUintWednesdaySeptember-07:00:00Z07:00:0$ zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625TuesdayJanuaryOctoberMUI_StdMUI_Dlt\\.\UNCEd25519MD5-RSAPATHEXTavx512fos/execfips140runtimetls3desSHA-224SHA-256SHA-384S$, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: running < 0runtime: g : frame.sp=created$Q$found pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1$runtime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not
API String ID: 0-2624937860
Opcode ID: ff36fa9a72fceb33d3970ab8b60b1c21851e64580d74d87b5fd8553da8137521
Instruction ID: 1a7871bbc5c6a8453989446e4be07e94dd39685db954e45b2b752fe6cd28c149
Opcode Fuzzy Hash: ff36fa9a72fceb33d3970ab8b60b1c21851e64580d74d87b5fd8553da8137521
Instruction Fuzzy Hash: 737105B001A3448FD344EFA4C09562ABBE4AF89308F85495EF9C88B293D779D954DF23

Function 001F8B20 Relevance: 10.1, Strings: 8, Instructions: 126COMMON

Download Yara Rule

Strings

pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=active < 0unknown pcruntime: ggoroutine 1220703125, xrefs: 001F8CB9
pages/byte s.sweepgen= allocCount ProcessPrng, xrefs: 001F8CDF
pacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mruntime: profBuf already closedruntime: split stack overflow: ...additional frames elided...unsafe.String: len out of range113686837721, xrefs: 001F8C22
MB; allocated RtlGetVersion, xrefs: 001F8C4C
1, xrefs: 001F8D21
MB during sweep; swept bad profile stack countruntime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinks, xrefs: 001F8C8F
sweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablenot enough significant bits after mult128bitPow10strings.Reader.UnreadByte: at beginning of stringstrings.Reader., xrefs: 001F8D18
mismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close polldesc w/o unblockNtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has, xrefs: 001F8D02

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=active < 0unknown pcruntime: ggoroutine 1220703125$ pages/byte s.sweepgen= allocCount ProcessPrng$1$MB during sweep; swept bad profile stack countruntime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinks$MB; allocated RtlGetVersion$mismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close polldesc w/o unblockNtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has$pacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mruntime: profBuf already closedruntime: split stack overflow: ...additional frames elided...unsafe.String: len out of range113686837721$sweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablenot enough significant bits after mult128bitPow10strings.Reader.UnreadByte: at beginning of stringstrings.Reader.
API String ID: 0-4236478924
Opcode ID: 434b385c482443de2806974bfb1f035001672cc9001662e144ad1a2533635fbe
Instruction ID: bf360148564130ecd3cf7a7c41c497e0bdc0e4d59f8d669201f4b7c7e1710184
Opcode Fuzzy Hash: 434b385c482443de2806974bfb1f035001672cc9001662e144ad1a2533635fbe
Instruction Fuzzy Hash: 525104B451A7449FC344EF68C48562EBBE5BF98304F41892EF89987392EB34D984CF52

Function 001E5450 Relevance: 10.1, Strings: 8, Instructions: 125COMMON

Download Yara Rule

Strings

runtime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/total:seconds/godebug/non-default-behavior/bcryptprimitives.dll not foundpanic called with ni, xrefs: 001E54F3
object next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppo, xrefs: 001E5562
runtime: pointer g already scannedmark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 001E5471
>, xrefs: 001E54E1
to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplocked, xrefs: 001E567C
to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitpreempt off reason: , xrefs: 001E55B1
found bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotslice length too short to convert to array or pointer to arrayruntime: internal error: misuse of lockOSThread/unlockOSThread0123456789ab, xrefs: 001E54D8
span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failed, xrefs: 001E55EF

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failed$ to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitpreempt off reason: $ to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplocked$>$found bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotslice length too short to convert to array or pointer to arrayruntime: internal error: misuse of lockOSThread/unlockOSThread0123456789ab$object next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppo$runtime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/total:seconds/godebug/non-default-behavior/bcryptprimitives.dll not foundpanic called with ni$runtime: pointer g already scannedmark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-1691395255
Opcode ID: b57983465542a24768c16ce1aca6c18d32604d619a76b2cb38b616ffa0a6bbd0
Instruction ID: 3e6d1b1c7400a56cc6f1f7f9cb5af81f2a257669c1632b0b34c4f2ce975838c8
Opcode Fuzzy Hash: b57983465542a24768c16ce1aca6c18d32604d619a76b2cb38b616ffa0a6bbd0
Instruction Fuzzy Hash: 8D51B5B401A7008FD340EFA8C585B6EBBE5AF58704F41886EF58887392E7749854DF23

Function 002376A0 Relevance: 10.1, Strings: 8, Instructions: 123COMMON

Download Yara Rule

Strings

runtime: textOff 1192092895507812559604644775390625invalid bit size GTB Standard TimeFLE Standard TimeGMT Standard Timefractional secondos/exec.Command(exec: killing Cmdexec: not startedmultipartmaxpartsRegLoadMUIStringWunexpected result%%!%c(big.Int=%s)divis, xrefs: 0023775D
base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppopcntcmd/gonetdnsX25519headerAnswer-money:Usage:abortedCopySidWSARecvWSASendconnectsignal readdirwriteatconsoleshadowsfloat32float64invaliduintptrChan, xrefs: 00237786
not in ranges:23841857910156250123456789ABCDEFtime: bad [0-9]*DuplicateTokenExGetCurrentThreadGetModuleHandleWRtlVirtualUnwindexec: no commandGODEBUG: value "[bisect-match 0xdivision by zerolength too largeRCodeFormatErrorC:\/$Recycle.Bin\permission deniedwr, xrefs: 002377B0
runtime: text offset base pointer out of rangex509: failed to unmarshal elliptic curve pointcipher.NewCTR: IV length must equal block sizeinvariant failed: growthLeft is unexpectedly 0math/big: mismatched montgomery number lengthsedwards25519: invalid field el, xrefs: 00237883
., xrefs: 0023788C
types : type 19531259765625TuesdayJanuaryOctoberMUI_StdMUI_Dlt\\.\UNCEd25519MD5-RSAPATHEXTavx512fos/execfips140runtimetls3desSHA-224SHA-256SHA-384SHA-512AES-CBC[Money] C:\Boot\durationno anodeCancelIoReadFileAcceptExWSAIoctlshutdownFullPathvssadminGoStringsca, xrefs: 00237813
`D=, xrefs: 002376C4, 002377CB
etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil PoolwsaioctlSHA1-RSADSA-SHA1overflowavx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlsmlkem#fips140CTR_DRBGMD5+SHA1SHA3-224SHA3-256SHA3-384SHA3-512default:SHA2-256SHA2, xrefs: 0023783D

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: types : type 19531259765625TuesdayJanuaryOctoberMUI_StdMUI_Dlt\\.\UNCEd25519MD5-RSAPATHEXTavx512fos/execfips140runtimetls3desSHA-224SHA-256SHA-384SHA-512AES-CBC[Money] C:\Boot\durationno anodeCancelIoReadFileAcceptExWSAIoctlshutdownFullPathvssadminGoStringsca$ base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppopcntcmd/gonetdnsX25519headerAnswer-money:Usage:abortedCopySidWSARecvWSASendconnectsignal readdirwriteatconsoleshadowsfloat32float64invaliduintptrChan$ etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil PoolwsaioctlSHA1-RSADSA-SHA1overflowavx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlsmlkem#fips140CTR_DRBGMD5+SHA1SHA3-224SHA3-256SHA3-384SHA3-512default:SHA2-256SHA2$ not in ranges:23841857910156250123456789ABCDEFtime: bad [0-9]*DuplicateTokenExGetCurrentThreadGetModuleHandleWRtlVirtualUnwindexec: no commandGODEBUG: value "[bisect-match 0xdivision by zerolength too largeRCodeFormatErrorC:\/$Recycle.Bin\permission deniedwr$.$`D=$runtime: text offset base pointer out of rangex509: failed to unmarshal elliptic curve pointcipher.NewCTR: IV length must equal block sizeinvariant failed: growthLeft is unexpectedly 0math/big: mismatched montgomery number lengthsedwards25519: invalid field el$runtime: textOff 1192092895507812559604644775390625invalid bit size GTB Standard TimeFLE Standard TimeGMT Standard Timefractional secondos/exec.Command(exec: killing Cmdexec: not startedmultipartmaxpartsRegLoadMUIStringWunexpected result%%!%c(big.Int=%s)divis
API String ID: 0-1968333630
Opcode ID: 3a89497cec51398c6b40735a5c9f62ec4b4ff4dc5ca46dd50c6e4423af5b3155
Instruction ID: c800e2a228426f889f878f32c5916b10de023afe27132e7d6c39eb2e39eb5208
Opcode Fuzzy Hash: 3a89497cec51398c6b40735a5c9f62ec4b4ff4dc5ca46dd50c6e4423af5b3155
Instruction Fuzzy Hash: 0A5115B4529701CFC754EF68D485A6ABBF4FB88304F40892EE48887352E774D994DF12

Function 001D20C0 Relevance: 9.2, Strings: 7, Instructions: 441COMMON

Download Yara Rule

Strings

avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlsmlkem#fips140CTR_DRBGMD5+SHA1SHA3-224SHA3-256SHA3-384SHA3-512default:SHA2-256SHA2-512ClassANYQuestioninterruptbus errorFindCloseLocalFreeMoveFileWWriteFileWSASendTofork/execDisableSRREG_DWORD].LockBit method: , xrefs: 001D25E1
ermsfsrmsse3avx2bmi1bmi2time,#=:asn1tag:icmpigmpCAST80000falsevaluefloat -%sntohschdir<nil>writeclosegetwdLstatHKCU\StartErrorint16int32int64uint8arrayslice and defersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... ma, xrefs: 001D2121
sse41sse42ssse3SHA-1P-256P-384P-521P-224filesstring hangupkilledlistensocketreadatdelete/quietStringFormat[]byteuint16uint32uint64structchan<-<-chan Valuesysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc free span= prev= list, xrefs: 001D230A
pclmulqdqmath/randtlsrsakexunderflowprintableomitemptyfiles,dnsdns,filesipv6-icmpd.nx != 0fips140: cSHAKE128ClassINETAuthorityuser32.dllShowWindowterminatedowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptsetsockoptdnsa, xrefs: 001D2153
avx512fos/execfips140runtimetls3desSHA-224SHA-256SHA-384SHA-512AES-CBC[Money] C:\Boot\durationno anodeCancelIoReadFileAcceptExWSAIoctlshutdownFullPathvssadminGoStringscavengepollDescsynctesttraceBufdeadlockraceFinipanicnilcgocheckrunnableeax ebx ecx , xrefs: 001D25BF
rdtscppopcntcmd/gonetdnsX25519headerAnswer-money:Usage:abortedCopySidWSARecvWSASendconnectsignal readdirwriteatconsoleshadowsfloat32float64invaliduintptrChanDir Value>forcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingforevernetworkUNKNOWN:, xrefs: 001D216C
adxaesshaavxfmanetMD5SETcgodnstcpudptrueuintquitbindfilereadopensyncpipeStat/allmoveboolint8chanfunccallkind on != allgallprootitabsbrkidledead is LEAFbase of ) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125Atoi, xrefs: 001D20F0

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: adxaesshaavxfmanetMD5SETcgodnstcpudptrueuintquitbindfilereadopensyncpipeStat/allmoveboolint8chanfunccallkind on != allgallprootitabsbrkidledead is LEAFbase of ) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125Atoi$avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlsmlkem#fips140CTR_DRBGMD5+SHA1SHA3-224SHA3-256SHA3-384SHA3-512default:SHA2-256SHA2-512ClassANYQuestioninterruptbus errorFindCloseLocalFreeMoveFileWWriteFileWSASendTofork/execDisableSRREG_DWORD].LockBit method: $avx512fos/execfips140runtimetls3desSHA-224SHA-256SHA-384SHA-512AES-CBC[Money] C:\Boot\durationno anodeCancelIoReadFileAcceptExWSAIoctlshutdownFullPathvssadminGoStringscavengepollDescsynctesttraceBufdeadlockraceFinipanicnilcgocheckrunnableeax ebx ecx $ermsfsrmsse3avx2bmi1bmi2time,#=:asn1tag:icmpigmpCAST80000falsevaluefloat -%sntohschdir<nil>writeclosegetwdLstatHKCU\StartErrorint16int32int64uint8arrayslice and defersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleepgcing MB, got= ... ma$pclmulqdqmath/randtlsrsakexunderflowprintableomitemptyfiles,dnsdns,filesipv6-icmpd.nx != 0fips140: cSHAKE128ClassINETAuthorityuser32.dllShowWindowterminatedowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptsetsockoptdnsa$rdtscppopcntcmd/gonetdnsX25519headerAnswer-money:Usage:abortedCopySidWSARecvWSASendconnectsignal readdirwriteatconsoleshadowsfloat32float64invaliduintptrChanDir Value>forcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingforevernetworkUNKNOWN:$sse41sse42ssse3SHA-1P-256P-384P-521P-224filesstring hangupkilledlistensocketreadatdelete/quietStringFormat[]byteuint16uint32uint64structchan<-<-chan Valuesysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc free span= prev= list
API String ID: 0-2342607040
Opcode ID: d7dc97e5330dad665dc5f8e2bdc79ce41434ca5328ed0aa984c2bf395551fa00
Instruction ID: c1e66be00d39d08f66a76b0ecb1150998084c5cd0613ab27eafacb0df352da87
Opcode Fuzzy Hash: d7dc97e5330dad665dc5f8e2bdc79ce41434ca5328ed0aa984c2bf395551fa00
Instruction Fuzzy Hash: 4A2240B85083418FD718DF1AE4C0B56BBE0BF98304F1485AEE8598B366E374D949CF99

Function 0022D790 Relevance: 9.0, Strings: 7, Instructions: 214COMMON

Download Yara Rule

Strings

called from runtime: pid=3814697265625invalid base parsing time out of rangedalTLDpSugct?GetTempPath2WModule32NextWRtlGetVersionSHA256-RSAPSSSHA384-RSAPSSSHA512-RSAPSSbad IV lengthcrypto/subtlegocacheverifyinstallgoroothtml/templatetlsmaxrsasizeRegDeleteKeyW, xrefs: 0022D962
runtime: g : frame.sp=created by 30517578125ProcessPrngMoveFileExWNetShareAddNetShareDeli/o timeoutinvalid oidSYSTEMROOT=gocachehashgocachetesthttp2clienthttp2serverrandseednoparchive/tartls10servercrypto/x509archive/zipSHA-512/224SHA-512/256generalizedapplica, xrefs: 0022D90E
runtime: traceback stuck. pc=tried to trace dead goroutineruntime: impossible type kindruntime.semasleep wait_failed45474735088646411895751953125Central America Standard TimeNorth Asia East Standard TimeN. Central Asia Standard TimeChatham Islands Standard Tim, xrefs: 0022DA10
sp= sp: lr: fp= gp= mp=) m=3125AtoiJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT as hour.com.exe.bat.cmdpathermsfsrmsse3avx2bmi1bmi2time,#=:asn1tag:icmpigmpCAST80000falsevaluefloat -%sntohschdir<nil>writeclosegetwdLstatHKCU\StartErrorint16int32int, xrefs: 0022DA3A
: unexpected return pc for 363797880709171295166015625Easter Island Standard Timeabi.NewName: tag too long: httpservecontentkeepheadersinput overflows the modulusinvalid P224 point encodinginvalid P256 point encodinginvalid P384 point encodinginvalid P521 poin, xrefs: 0022D938
unknown caller pc, synctest group stack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625invalid bit size GTB Standard TimeFLE Standard TimeGMT Standard Timefractional secondos/exec.Command(exec: killing Cmdexec:, xrefs: 0022D9ED
traceback stuckruntime.gopanicunexpected kind476837158203125: cannot parse ,M3.2.0,M11.1.0ImpersonateSelfOpenThreadTokenx509usepoliciesjstmpllitinterptarinsecurepathx509keypairleafzipinsecurepathRegCreateKeyExWRegDeleteValueWinvalid boolean0601021504Z0700non-m, xrefs: 0022DA92

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: called from runtime: pid=3814697265625invalid base parsing time out of rangedalTLDpSugct?GetTempPath2WModule32NextWRtlGetVersionSHA256-RSAPSSSHA384-RSAPSSSHA512-RSAPSSbad IV lengthcrypto/subtlegocacheverifyinstallgoroothtml/templatetlsmaxrsasizeRegDeleteKeyW$ sp= sp: lr: fp= gp= mp=) m=3125AtoiJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT as hour.com.exe.bat.cmdpathermsfsrmsse3avx2bmi1bmi2time,#=:asn1tag:icmpigmpCAST80000falsevaluefloat -%sntohschdir<nil>writeclosegetwdLstatHKCU\StartErrorint16int32int$: unexpected return pc for 363797880709171295166015625Easter Island Standard Timeabi.NewName: tag too long: httpservecontentkeepheadersinput overflows the modulusinvalid P224 point encodinginvalid P256 point encodinginvalid P384 point encodinginvalid P521 poin$runtime: g : frame.sp=created by 30517578125ProcessPrngMoveFileExWNetShareAddNetShareDeli/o timeoutinvalid oidSYSTEMROOT=gocachehashgocachetesthttp2clienthttp2serverrandseednoparchive/tartls10servercrypto/x509archive/zipSHA-512/224SHA-512/256generalizedapplica$runtime: traceback stuck. pc=tried to trace dead goroutineruntime: impossible type kindruntime.semasleep wait_failed45474735088646411895751953125Central America Standard TimeNorth Asia East Standard TimeN. Central Asia Standard TimeChatham Islands Standard Tim$traceback stuckruntime.gopanicunexpected kind476837158203125: cannot parse ,M3.2.0,M11.1.0ImpersonateSelfOpenThreadTokenx509usepoliciesjstmpllitinterptarinsecurepathx509keypairleafzipinsecurepathRegCreateKeyExWRegDeleteValueWinvalid boolean0601021504Z0700non-m$unknown caller pc, synctest group stack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625invalid bit size GTB Standard TimeFLE Standard TimeGMT Standard Timefractional secondos/exec.Command(exec: killing Cmdexec:
API String ID: 0-878246731
Opcode ID: 8c5ed5ecd92f770a4a3149291232360a69d119a92d03b27ec33c699007941521
Instruction ID: 47b23a7546e17ea8e0723df5888ca326344dc8acbd0cabfb924aac648651cb43
Opcode Fuzzy Hash: 8c5ed5ecd92f770a4a3149291232360a69d119a92d03b27ec33c699007941521
Instruction Fuzzy Hash: 21A127B45293159FC344EFA8D18171ABBE0BF88300F44896DF8888B392D774D995DF92

Function 002255C0 Relevance: 9.0, Strings: 7, Instructions: 206COMMON

Download Yara Rule

Strings

: no frame (sp=runtime: frame ts set in timertraceback stuckruntime.gopanicunexpected kind476837158203125: cannot parse ,M3.2.0,M11.1.0ImpersonateSelfOpenThreadTokenx509usepoliciesjstmpllitinterptarinsecurepathx509keypairleafzipinsecurepathRegCreateKeyExWRegDe, xrefs: 00225848
reflect.makeFuncStubtrace: out of memorywirep: already in go37252902984619140625time: invalid numberJordan Standard TimeArabic Standard TimeIsrael Standard TimeTaipei Standard TimeAzores Standard TimeTurkey Standard TimeGetAdaptersAddressesNtSetInformationFile, xrefs: 0022565E
reflect.methodValueCall23283064365386962890625E. Africa Standard TimeTocantins Standard TimeArgentina Standard TimeVenezuela Standard TimeGreenland Standard TimeSri Lanka Standard TimeWest Bank Standard TimeQyzylorda Standard TimeSingapore Standard TimeWest As, xrefs: 00225639
fp= gp= mp=) m=3125AtoiJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT as hour.com.exe.bat.cmdpathermsfsrmsse3avx2bmi1bmi2time,#=:asn1tag:icmpigmpCAST80000falsevaluefloat -%sntohschdir<nil>writeclosegetwdLstatHKCU\StartErrorint16int32int64uint8array, xrefs: 00225872
) at entry+ (targetpc= , plugin: running < 0runtime: g : frame.sp=created by 30517578125ProcessPrngMoveFileExWNetShareAddNetShareDeli/o timeoutinvalid oidSYSTEMROOT=gocachehashgocachetesthttp2clienthttp2serverrandseednoparchive/tartls10servercrypto/x509archive, xrefs: 0022589C
reflect mismatch untyped locals missing stackmapbad symbol tablenon-Go functionpointerless type not in ranges:23841857910156250123456789ABCDEFtime: bad [0-9]*DuplicateTokenExGetCurrentThreadGetModuleHandleWRtlVirtualUnwindexec: no commandGODEBUG: value "[bis, xrefs: 002257A9, 002258D0
runtime: confused by pcHeader.textStart= timer data corruption186264514923095703125931322574615478515625Morocco Standard TimeNamibia Standard TimeAlaskan Standard TimeCentral Standard TimePacific Standard TimeEastern Standard TimeSE Asia Standard TimeArabian , xrefs: 00225775, 0022581E

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: fp= gp= mp=) m=3125AtoiJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT as hour.com.exe.bat.cmdpathermsfsrmsse3avx2bmi1bmi2time,#=:asn1tag:icmpigmpCAST80000falsevaluefloat -%sntohschdir<nil>writeclosegetwdLstatHKCU\StartErrorint16int32int64uint8array$) at entry+ (targetpc= , plugin: running < 0runtime: g : frame.sp=created by 30517578125ProcessPrngMoveFileExWNetShareAddNetShareDeli/o timeoutinvalid oidSYSTEMROOT=gocachehashgocachetesthttp2clienthttp2serverrandseednoparchive/tartls10servercrypto/x509archive$: no frame (sp=runtime: frame ts set in timertraceback stuckruntime.gopanicunexpected kind476837158203125: cannot parse ,M3.2.0,M11.1.0ImpersonateSelfOpenThreadTokenx509usepoliciesjstmpllitinterptarinsecurepathx509keypairleafzipinsecurepathRegCreateKeyExWRegDe$reflect mismatch untyped locals missing stackmapbad symbol tablenon-Go functionpointerless type not in ranges:23841857910156250123456789ABCDEFtime: bad [0-9]*DuplicateTokenExGetCurrentThreadGetModuleHandleWRtlVirtualUnwindexec: no commandGODEBUG: value "[bis$reflect.makeFuncStubtrace: out of memorywirep: already in go37252902984619140625time: invalid numberJordan Standard TimeArabic Standard TimeIsrael Standard TimeTaipei Standard TimeAzores Standard TimeTurkey Standard TimeGetAdaptersAddressesNtSetInformationFile$reflect.methodValueCall23283064365386962890625E. Africa Standard TimeTocantins Standard TimeArgentina Standard TimeVenezuela Standard TimeGreenland Standard TimeSri Lanka Standard TimeWest Bank Standard TimeQyzylorda Standard TimeSingapore Standard TimeWest As$runtime: confused by pcHeader.textStart= timer data corruption186264514923095703125931322574615478515625Morocco Standard TimeNamibia Standard TimeAlaskan Standard TimeCentral Standard TimePacific Standard TimeEastern Standard TimeSE Asia Standard TimeArabian
API String ID: 0-3735297116
Opcode ID: bee48d9e3f36fbd0f0b9dfcf9026da8ac7605ffd67a70da7027cb9117b752cef
Instruction ID: c2b80549ba6ee030804faa8d438bf5d37fd72fcad9620155ff62e6cb9fede179
Opcode Fuzzy Hash: bee48d9e3f36fbd0f0b9dfcf9026da8ac7605ffd67a70da7027cb9117b752cef
Instruction Fuzzy Hash: E891F2B46197019FC304EF68D584A2ABBF1AF89304F44886DF9888B3A2D734E954DF12

Function 0020D890 Relevance: 8.9, Strings: 7, Instructions: 144COMMON

Download Yara Rule

Strings

NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CETBSTMSK-06+14StdDl, xrefs: 0020D97D
-, xrefs: 0020D968
-, xrefs: 0020DA2A
+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125AtoiJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT as hour.com.exe.bat.cmdpathermsfsrmsse3avx2bmi1bmi2time,#=:asn1tag:icmpigmpCAST80000falsevaluefloat -%sntohschdir<nil>writ, xrefs: 0020D8FE
-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125AtoiJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT as hour.com.exe.bat.cmdpathermsfsrmsse3avx2bmi1bmi2time,#=:asn1tag:icmpigmpCAST80000falsevaluefloat -%sntohschdir<nil>writeclo, xrefs: 0020D8E4
., xrefs: 0020DA1A
e+, xrefs: 0020DA1F

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: +Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125AtoiJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT as hour.com.exe.bat.cmdpathermsfsrmsse3avx2bmi1bmi2time,#=:asn1tag:icmpigmpCAST80000falsevaluefloat -%sntohschdir<nil>writ$-$-$-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125AtoiJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT as hour.com.exe.bat.cmdpathermsfsrmsse3avx2bmi1bmi2time,#=:asn1tag:icmpigmpCAST80000falsevaluefloat -%sntohschdir<nil>writeclo$.$NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CETBSTMSK-06+14StdDl$e+
API String ID: 0-1591629137
Opcode ID: 151a5ef916ffdc47648dd00b63c6e68ac89486b6d5468fbd11486403cc4a076c
Instruction ID: 48030bbef4f7eb9c4942bf4308a87b8639915038c91b75655b5ca887044af275
Opcode Fuzzy Hash: 151a5ef916ffdc47648dd00b63c6e68ac89486b6d5468fbd11486403cc4a076c
Instruction Fuzzy Hash: F1515C7242AB458EC70BEF78C06532AB7946FA2380F408B5EE887662D3E7705569C742

Function 001E2500 Relevance: 8.9, Strings: 7, Instructions: 128COMMON

Download Yara Rule

Strings

freeIndex is not valids.freeindex > s.nelemsbad sweepgen in refillspan has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 mis, xrefs: 001E2680
1, xrefs: 001E2717
s.allocCount= nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated RtlGetVersion, xrefs: 001E25FC
runtime: s.allocCount= s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedpanic d, xrefs: 001E26A0
s.allocCount != s.nelems && freeIndex == s.nelemssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablenot enough significant bits after mult128bitPow10strings.Reader., xrefs: 001E270E
s.nelems= of size runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64, xrefs: 001E2636, 001E26DA
s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedpanic during preemptoffnanotim, xrefs: 001E266A

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: s.nelems= of size runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64$1$freeIndex is not valids.freeindex > s.nelemsbad sweepgen in refillspan has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 mis$runtime: s.allocCount= s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedpanic d$s.allocCount != s.nelems && freeIndex == s.nelemssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablenot enough significant bits after mult128bitPow10strings.Reader.$s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedpanic during preemptoffnanotim$s.allocCount= nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated RtlGetVersion
API String ID: 0-1969633658
Opcode ID: 9c9269b29913047216a7b75f51bc955700bf48c5e58e0aebe5dfdbc5e13d7cbd
Instruction ID: 5b2a5439b3d1457d0c997c7bc3a521fe40ffd9a6156d085a9bfe369beb84ca59
Opcode Fuzzy Hash: 9c9269b29913047216a7b75f51bc955700bf48c5e58e0aebe5dfdbc5e13d7cbd
Instruction Fuzzy Hash: 9151E3B40197509FC380EF65C19122EBBE5BF98704F81885EF8C887282E774C955DB63

Function 001F3D80 Relevance: 7.9, Strings: 6, Instructions: 430COMMON

Download Yara Rule

Strings

pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625TuesdayJanuaryOctoberMUI_StdMUI_Dlt\\.\UNCEd25519MD5-RSAPATHEXTavx512fos/execfips140runtimetls3desSHA-224S, xrefs: 001F4180
B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppopcntcmd/gonetdnsX25519headerAn, xrefs: 001F442A
B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)total < 0traceback} stack=[ gp.goid= lockedm=244140625ParseUintWednesdaySeptembe, xrefs: 001F4343
exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plug, xrefs: 001F41E5
, cons/mark maxTrigger= pages/byte s.sweepgen= allocCount ProcessPrng, xrefs: 001F4490
in n= ) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CETBSTMS, xrefs: 001F43FA

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppopcntcmd/gonetdnsX25519headerAn$ B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)total < 0traceback} stack=[ gp.goid= lockedm=244140625ParseUintWednesdaySeptembe$ exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plug$, cons/mark maxTrigger= pages/byte s.sweepgen= allocCount ProcessPrng$in n= ) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CETBSTMS$pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625TuesdayJanuaryOctoberMUI_StdMUI_Dlt\\.\UNCEd25519MD5-RSAPATHEXTavx512fos/execfips140runtimetls3desSHA-224S
API String ID: 0-41381343
Opcode ID: 368d79a277286691d90a6c09fd6427bf730a7bf8d77a81b61386d6da6f3d4718
Instruction ID: 16205d459f11df8c2d450bd66c460492b055a35df5551ae88b0f67808f1616e4
Opcode Fuzzy Hash: 368d79a277286691d90a6c09fd6427bf730a7bf8d77a81b61386d6da6f3d4718
Instruction Fuzzy Hash: 5622F5745197448FC365EF68C581B5EBBE1BF99340F01892EE9C99B352EB34A884CF42

Function 001F2850 Relevance: 7.7, Strings: 6, Instructions: 191COMMON

Download Yara Rule

Strings

#, xrefs: 001F2B0E
runtime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 001F29F5
greyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close polldesc w/o unblockNtCreateWaitCompletionPacket failedfindrunnable: n, xrefs: 001F2B05
objgc %: gp *(in n= ) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-0, xrefs: 001F2AB4
base of ) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125AtoiJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT as hour.com.exe.bat.cmdpathermsfsrmsse3avx2bmi1bmi2time,#=:asn1tag:icmpigmpCAST80000falsevaluef, xrefs: 001F2A8E
marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp.parampanic during , xrefs: 001F2AEF

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: #$base of ) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125AtoiJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT as hour.com.exe.bat.cmdpathermsfsrmsse3avx2bmi1bmi2time,#=:asn1tag:icmpigmpCAST80000falsevaluef$greyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close polldesc w/o unblockNtCreateWaitCompletionPacket failedfindrunnable: n$marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp.parampanic during $objgc %: gp *(in n= ) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-0$runtime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket
API String ID: 0-1340902535
Opcode ID: dab44fece35539392a246cd4a0e4119dd0524b5125ec9722606f979ff538d71e
Instruction ID: fec59fc216497bf1438f983457744867d469eba19cf4fb251d22e4e285f2bcac
Opcode Fuzzy Hash: dab44fece35539392a246cd4a0e4119dd0524b5125ec9722606f979ff538d71e
Instruction Fuzzy Hash: 1C8177746097448FD704EF28C490B6ABBE1BF98308F4589AEE9C88B392D774D945CF52

Function 00212F10 Relevance: 7.7, Strings: 6, Instructions: 189COMMON

Download Yara Rule

Strings

$, xrefs: 002131B2
.!, xrefs: 002130A9
startm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime: wrong goroutine in newstackruntime: invalid pc-encoded table f=timer moved between synctest bubbles44408920, xrefs: 002131A9
startm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckruntime.gopanicunexpected kind476837158203125: cannot parse ,M3.2.0,M11.1.0ImpersonateSelfOpenThreadTokenx509u, xrefs: 0021317D
startm: p has runnable gsstoplockedm: not runnablereleasep: invalid p statecheckdead: no p for timercheckdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStart2910383045, xrefs: 00213167
startm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruption18626451492309570312593132257, xrefs: 00213193

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: $$startm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime: wrong goroutine in newstackruntime: invalid pc-encoded table f=timer moved between synctest bubbles44408920$startm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckruntime.gopanicunexpected kind476837158203125: cannot parse ,M3.2.0,M11.1.0ImpersonateSelfOpenThreadTokenx509u$startm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruption18626451492309570312593132257$startm: p has runnable gsstoplockedm: not runnablereleasep: invalid p statecheckdead: no p for timercheckdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStart2910383045$.!
API String ID: 0-1738157585
Opcode ID: cf602faed0b04f67532962d287d1a0c5ce57cd4d446e03f0dfc15156347995d0
Instruction ID: f728946dc5911ef30e641a6225a015694a019f766fda3744e45b00095c557be3
Opcode Fuzzy Hash: cf602faed0b04f67532962d287d1a0c5ce57cd4d446e03f0dfc15156347995d0
Instruction Fuzzy Hash: 898129745197819FCB40DF25C4D0AAABBF1AF9A300F44886DE8D88B362D335D959CF52

Function 001F6D40 Relevance: 7.6, Strings: 6, Instructions: 134COMMON

Download Yara Rule

Strings

(forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)total < 0traceback} stack=[ gp.goid, xrefs: 001F6F11
% util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppopcntcmd/gonetdnsX25519headerAnswer-m, xrefs: 001F6EB4
scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalGreeksse41sse42ssse3SHA-1P-256P-384P-521P-224filesstring hangupkilledlistensocketreadatdelete/quietStringFormat[]byteuin, xrefs: 001F6E0C
KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=active < 0unknown pcruntime: ggoroutine , xrefs: 001F6E8A
KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 001F6E36
KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp.parampanic during panicunexpected g , xrefs: 001F6E60

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)total < 0traceback} stack=[ gp.goid$ KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=active < 0unknown pcruntime: ggoroutine $ KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp.parampanic during panicunexpected g $% util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppopcntcmd/gonetdnsX25519headerAnswer-m$scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalGreeksse41sse42ssse3SHA-1P-256P-384P-521P-224filesstring hangupkilledlistensocketreadatdelete/quietStringFormat[]byteuin
API String ID: 0-420665411
Opcode ID: a7ec57476bfdd7e2c1753d560245e2ae97b690b5bcbd048d84650fe53b876ab2
Instruction ID: 83d7ffc726e86f4a2c8ac05647147a32e2b89b679a8bc2fcb60c18a07aaba5cd
Opcode Fuzzy Hash: a7ec57476bfdd7e2c1753d560245e2ae97b690b5bcbd048d84650fe53b876ab2
Instruction Fuzzy Hash: 6F51E3B451A7409FC344EF68D491A2ABBE4BF98304F01886EF9C88B392E734D954DF52

Function 00216330 Relevance: 7.6, Strings: 6, Instructions: 122COMMON

Download Yara Rule

Strings

bad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timers152587890625762939453125OpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFileExVirtualQueryNtCreate, xrefs: 002164FC
preempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckruntime.gopanicunexpected kind476837158203125: cannot parse ,M3.2.0,M11.1.0ImpersonateSelfOpenThreadTokenx509usepoliciesjstmp, xrefs: 002164C4
%, xrefs: 00216488
runtime: unexpected SPWRITE function all goroutines are asleep - deadlock!2220446049250313080847263336181640625internal error: unknown network type godebug: unexpected IncNonDefault of x509: RSA key missing NULL parameterscipher: message authentication failedc, xrefs: 0021647F
in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeup298023223876953125Cuba Standard TimeOmsk Standard TimeArab Standard TimeIran Standard TimeRussia Time Zone 3Fiji Standard Time: day ou, xrefs: 002164A9
preempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruption186264514923095703125931322574615478515625Morocco Standard TimeNamibia Standard TimeAlaskan , xrefs: 002164DA

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeup298023223876953125Cuba Standard TimeOmsk Standard TimeArab Standard TimeIran Standard TimeRussia Time Zone 3Fiji Standard Time: day ou$%$bad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timers152587890625762939453125OpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFileExVirtualQueryNtCreate$preempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckruntime.gopanicunexpected kind476837158203125: cannot parse ,M3.2.0,M11.1.0ImpersonateSelfOpenThreadTokenx509usepoliciesjstmp$preempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruption186264514923095703125931322574615478515625Morocco Standard TimeNamibia Standard TimeAlaskan $runtime: unexpected SPWRITE function all goroutines are asleep - deadlock!2220446049250313080847263336181640625internal error: unknown network type godebug: unexpected IncNonDefault of x509: RSA key missing NULL parameterscipher: message authentication failedc
API String ID: 0-2396210401
Opcode ID: c1f4231d5e60799b0ec54c731c6493b46b3ecd114b68eb79d70322e0e5501b39
Instruction ID: d224cee41684b825deb6ac3457f105e538bae5d3fb63459207cdce6b21d64565
Opcode Fuzzy Hash: c1f4231d5e60799b0ec54c731c6493b46b3ecd114b68eb79d70322e0e5501b39
Instruction Fuzzy Hash: E05112B46287419FC714EF68C195A6EBBE4AF98704F01886DF8C88B392D774D894CF12

Function 00205BD0 Relevance: 7.6, Strings: 6, Instructions: 118COMMON

Download Yara Rule

Strings

, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)total < 0traceback} stack=[ gp.goid= lockedm=244140625ParseUintWednesdaySeptember-07:00:00Z07:00:00rwxrwxrwxntdll.dllpsapi.dll#execwai, xrefs: 00205D62
head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625TuesdayJanuaryOctoberMUI_StdMUI_Dlt\\.\UNCEd25519MD5-RSAPATHEXTavx512fos/execfips140runtimetls3desSHA-224SHA-256SHA-384SHA-512AES-CBC[, xrefs: 00205D38
attempt to clear non-empty span setruntime: close polldesc w/o unblockNtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=177635683940025, xrefs: 00205D96
fully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablenot enough significant bits after mult128bitPow10strings.Reader.UnreadByte: at beginning of stringstrings.Reader.WriteTo: invalid WriteString countx509: Ed25519 k, xrefs: 00205CFF
span set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan stateecdsa: internal error: unexpectedly masking off bits, xrefs: 00205D15
#, xrefs: 00205D9F

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: #$, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)total < 0traceback} stack=[ gp.goid= lockedm=244140625ParseUintWednesdaySeptember-07:00:00Z07:00:00rwxrwxrwxntdll.dllpsapi.dll#execwai$attempt to clear non-empty span setruntime: close polldesc w/o unblockNtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=177635683940025$fully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablenot enough significant bits after mult128bitPow10strings.Reader.UnreadByte: at beginning of stringstrings.Reader.WriteTo: invalid WriteString countx509: Ed25519 k$head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625TuesdayJanuaryOctoberMUI_StdMUI_Dlt\\.\UNCEd25519MD5-RSAPATHEXTavx512fos/execfips140runtimetls3desSHA-224SHA-256SHA-384SHA-512AES-CBC[$span set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan stateecdsa: internal error: unexpectedly masking off bits
API String ID: 0-1830562060
Opcode ID: 9548ce2f7b93026e45dc2400763bb87a3017699d07c8b244d605cbcba171d542
Instruction ID: 9d174e4e119527310cd5d0ff60179ea3b477153df9ee8cdba8dd5c6ff1872f58
Opcode Fuzzy Hash: 9548ce2f7b93026e45dc2400763bb87a3017699d07c8b244d605cbcba171d542
Instruction Fuzzy Hash: CA51BEB45297019FD340EF68D185A2EBBE4AF98704F418C2EE4C897382E734D994CF16

Function 00210130 Relevance: 7.6, Strings: 6, Instructions: 112COMMON

Download Yara Rule

Strings

casfrom_Gscanstatus:top gp->status is not in scan state is currently not supported for use in system callbacksSOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zonesecdsa: internal error: shift can only be by 1 to 7 bitsedwards25519: invalid SetBytesWithClampi, xrefs: 002102FA
7, xrefs: 00210303
, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)total < 0traceback} stack=[ gp.goid= lockedm=244140625ParseUintWednesdaySeptember-07:00:00Z07:00:00rwxrwxrwxntdll.dllpsapi.dll#execwaitInheritedpclmulqdqmath/randtlsrsake, xrefs: 002101E9, 00210290
runtime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=methodValueCallFrameObjs is not in a modulesynctest timer accessed from outside bubblemult64bitPow10: power of 10 is out of rangeexec: WaitDelay expired before I/O completeed, xrefs: 0021026E
casfrom_Gscanstatus: gp->status is not in scan stateecdsa: internal error: unexpectedly masking off bitsnon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr, xrefs: 00210253
runtime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2775557561562891351059079170227050781252006-01-02 15:04:05.999999999 -0700 MSTmath/big: buffer too small, xrefs: 002101C7

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: , oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)total < 0traceback} stack=[ gp.goid= lockedm=244140625ParseUintWednesdaySeptember-07:00:00Z07:00:00rwxrwxrwxntdll.dllpsapi.dll#execwaitInheritedpclmulqdqmath/randtlsrsake$7$casfrom_Gscanstatus: gp->status is not in scan stateecdsa: internal error: unexpectedly masking off bitsnon-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS thr$casfrom_Gscanstatus:top gp->status is not in scan state is currently not supported for use in system callbacksSOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zonesecdsa: internal error: shift can only be by 1 to 7 bitsedwards25519: invalid SetBytesWithClampi$runtime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=methodValueCallFrameObjs is not in a modulesynctest timer accessed from outside bubblemult64bitPow10: power of 10 is out of rangeexec: WaitDelay expired before I/O completeed$runtime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent drop2775557561562891351059079170227050781252006-01-02 15:04:05.999999999 -0700 MSTmath/big: buffer too small
API String ID: 0-1217617889
Opcode ID: fb7e212902ff2fa34be9cd6070c998d182d1e05df7aee3853534a268e445f429
Instruction ID: 682f9df9e5dc272b654480c95b7c835d8872870b1174620e078be22371c6dda8
Opcode Fuzzy Hash: fb7e212902ff2fa34be9cd6070c998d182d1e05df7aee3853534a268e445f429
Instruction Fuzzy Hash: C15109B41297018FC340EFA4C58566EBBE5EF98704F41486DE4988B392E7749898CF23

Function 001E7040 Relevance: 7.6, Strings: 6, Instructions: 105COMMON

Download Yara Rule

Strings

9, xrefs: 001E70EC
runtime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of me, xrefs: 001E711C
runtime: checkmarks found unexpected unmarked object obj=cannot run executable found relative to current directory (set GODEBUG=execwait=2 to capture stacks for debugging)crypto/drbg: internal error: request size exceeds maximumGODEBUG=execwait=2 detected a le, xrefs: 001E70E3
objgc %: gp *(in n= ) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-0, xrefs: 001E71B1
base of ) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125AtoiJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT as hour.com.exe.bat.cmdpathermsfsrmsse3avx2bmi1bmi2time,#=:asn1tag:icmpigmpCAST80000falsevaluef, xrefs: 001E718B
checkmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mruntime: pro, xrefs: 001E71EC

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: 9$base of ) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125AtoiJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT as hour.com.exe.bat.cmdpathermsfsrmsse3avx2bmi1bmi2time,#=:asn1tag:icmpigmpCAST80000falsevaluef$checkmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mruntime: pro$objgc %: gp *(in n= ) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-0$runtime: checkmarks found unexpected unmarked object obj=cannot run executable found relative to current directory (set GODEBUG=execwait=2 to capture stacks for debugging)crypto/drbg: internal error: request size exceeds maximumGODEBUG=execwait=2 detected a le$runtime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of me
API String ID: 0-269630040
Opcode ID: aa603dceb488f79b9cd3575aa9ebe296f9b0be4ce73b550f99dfb16092b6b1d8
Instruction ID: d02a273d2755c60875cde8d4fd83ba414805249771f5cb73d9faf68218413d2f
Opcode Fuzzy Hash: aa603dceb488f79b9cd3575aa9ebe296f9b0be4ce73b550f99dfb16092b6b1d8
Instruction Fuzzy Hash: B64124B411A7408FD341EF68C481B2EBBE4AF99704F4488ADE8C887392D7749958DF22

Function 0022DAC0 Relevance: 7.6, Strings: 6, Instructions: 84COMMON

Download Yara Rule

Strings

top=[...], fp:1562578125MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalGreeksse41sse42ssse3SHA-1P-256P-384P-521P-224filesstring hangupkilledlistensocketreadatdelete/quietStringFormat[]byteuint16uint32uint64structchan<-<-chan Values, xrefs: 0022DB6F
: frame.sp=created by 30517578125ProcessPrngMoveFileExWNetShareAddNetShareDeli/o timeoutinvalid oidSYSTEMROOT=gocachehashgocachetesthttp2clienthttp2serverrandseednoparchive/tartls10servercrypto/x509archive/zipSHA-512/224SHA-512/256generalizedapplicationClassHE, xrefs: 0022DB45
stack=[ minutes status= etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil PoolwsaioctlSHA1-RSADSA-SHA1overflowavx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlsmlkem#fips140CTR_DRBGMD5+SHA1SHA3-224SHA3-256SHA3-384SHA3, xrefs: 0022DBB9
#, xrefs: 0022DC20
runtime: ggoroutine 12207031256103515625time.Date(time.Local%!Weekday(IsValidSidLogonUserWLockFileExNetUserAddNetUserDelNtOpenFileWSASocketWunixpacketrsa1024minx509rsacrtSHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1execerrdotSYSTEMROOThttp2debugcrypto/rsa, xrefs: 0022DB1B
traceback did not unwind completelyruntime: createevent failed; errno=1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 92006-01-02T15:04:05.999999999Z07:00file type does not support deadlinex509: wrong Ed2, xrefs: 0022DC17

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: stack=[ minutes status= etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil PoolwsaioctlSHA1-RSADSA-SHA1overflowavx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlsmlkem#fips140CTR_DRBGMD5+SHA1SHA3-224SHA3-256SHA3-384SHA3$ top=[...], fp:1562578125MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalGreeksse41sse42ssse3SHA-1P-256P-384P-521P-224filesstring hangupkilledlistensocketreadatdelete/quietStringFormat[]byteuint16uint32uint64structchan<-<-chan Values$#$: frame.sp=created by 30517578125ProcessPrngMoveFileExWNetShareAddNetShareDeli/o timeoutinvalid oidSYSTEMROOT=gocachehashgocachetesthttp2clienthttp2serverrandseednoparchive/tartls10servercrypto/x509archive/zipSHA-512/224SHA-512/256generalizedapplicationClassHE$runtime: ggoroutine 12207031256103515625time.Date(time.Local%!Weekday(IsValidSidLogonUserWLockFileExNetUserAddNetUserDelNtOpenFileWSASocketWunixpacketrsa1024minx509rsacrtSHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1execerrdotSYSTEMROOThttp2debugcrypto/rsa$traceback did not unwind completelyruntime: createevent failed; errno=1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 92006-01-02T15:04:05.999999999Z07:00file type does not support deadlinex509: wrong Ed2
API String ID: 0-926677057
Opcode ID: 9ecce6f9a7b5a69af77a0b37e62d28633017785554c9e3f971510d92c36a925a
Instruction ID: 1158ed431c0fa55a6a2037ffca7cd930cba24bf504d21ec5d906fd93d0547034
Opcode Fuzzy Hash: 9ecce6f9a7b5a69af77a0b37e62d28633017785554c9e3f971510d92c36a925a
Instruction Fuzzy Hash: ED41D4B451A7019FD300EFA8D585B1ABBE4FF88304F41886DE48887392E7749858DF63

Function 002072F0 Relevance: 6.6, Strings: 5, Instructions: 302COMMON

Download Yara Rule

Strings

runtime: GetQueuedCompletionStatusEx failed (errno= runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan stateecdsa: internal error: unexpectedly masking off bitsnon-concurrent sweep failed to drain all sweep queue, xrefs: 0020757B
runtime: GetQueuedCompletionStatusEx returned net_op with invalid key= too many concurrent operations on a single file or socket (max 1048575)exec: command with a non-nil Cancel was not created with CommandContextruntime: GetQueuedCompletionStatusEx returned n, xrefs: 002076D9
H, xrefs: 00207735
runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCall2328306, xrefs: 002075C0, 0020770D, 0020775F
) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CETBSTMSK-06+1, xrefs: 002075A5

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: ) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CETBSTMSK-06+1$H$runtime: GetQueuedCompletionStatusEx failed (errno= runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan stateecdsa: internal error: unexpectedly masking off bitsnon-concurrent sweep failed to drain all sweep queue$runtime: GetQueuedCompletionStatusEx returned net_op with invalid key= too many concurrent operations on a single file or socket (max 1048575)exec: command with a non-nil Cancel was not created with CommandContextruntime: GetQueuedCompletionStatusEx returned n$runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCall2328306
API String ID: 0-2755292009
Opcode ID: c137606e61706ae0d93e4dd3e01107f242b5c3a66719523ecd28a588c03df364
Instruction ID: ca4151880d34a50cce4a12ec9817b3d61a25a27ef4ac26f4edb6d6d3e9dcec52
Opcode Fuzzy Hash: c137606e61706ae0d93e4dd3e01107f242b5c3a66719523ecd28a588c03df364
Instruction Fuzzy Hash: 8CC18DB092D7458FC750EF68C48172EBBE5AB84304F44882DE9888B3D2EB75E855DF52

Function 001F0770 Relevance: 6.5, Strings: 5, Instructions: 258COMMON

Download Yara Rule

Strings

runtime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p stateassembly checks failedstack not a power of 2minpc or maxpc invalidcompileCallback: t, xrefs: 001F0B3D
runtime: work.nwait= previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdea, xrefs: 001F0ABC
work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status=, xrefs: 001F0AE6, 001F0B67
work.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocres, xrefs: 001F0B1A
nwait > work.nprocs, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing defer, xrefs: 001F0B9B

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status=$nwait > work.nprocs, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing defer$runtime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p stateassembly checks failedstack not a power of 2minpc or maxpc invalidcompileCallback: t$runtime: work.nwait= previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdea$work.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocres
API String ID: 0-2668497798
Opcode ID: 38e67d3b1f6edf77c31ef34985bbe17c49477a22f880054c1651046bf2dd49d4
Instruction ID: 345790ae3e7c4f7671e4dfdce5906463247631732842cec83a850398b6057ec3
Opcode Fuzzy Hash: 38e67d3b1f6edf77c31ef34985bbe17c49477a22f880054c1651046bf2dd49d4
Instruction Fuzzy Hash: E2C1E1B45197448FD344EF68C094A6ABBE1BF89714F05886DF9C88B362E774E884CF52

Function 002358A0 Relevance: 6.5, Strings: 5, Instructions: 240COMMON

Download Yara Rule

Strings

attempted to trace a bad status for a goroutineFIPS 140-3 mode is not supported on windows-386bigmod: modulus for ExpShortVarTime must be oddasn1: Unmarshal recipient value is non-pointer crypto/ecdh: public key is the identity elementslice bounds out of range, xrefs: 00235ACD
0, xrefs: 00235C4E
", xrefs: 00235A3B
runtime: goid=invalid syntax1907348632812595367431640625time.Location(: extra text: OpenSCManagerWModule32FirstWunreachable: crypto/fips140mime/multipartRegSetValueExWdata truncatedunknown dsbyteRCodeNameErroradvertise errorkey has expirednetwork is downno me, xrefs: 00235A93
attempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10x509: X25519 key encoded with illegal parametersinvalid or incomplet, xrefs: 00235C45

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: "$0$attempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10x509: X25519 key encoded with illegal parametersinvalid or incomplet$attempted to trace a bad status for a goroutineFIPS 140-3 mode is not supported on windows-386bigmod: modulus for ExpShortVarTime must be oddasn1: Unmarshal recipient value is non-pointer crypto/ecdh: public key is the identity elementslice bounds out of range$runtime: goid=invalid syntax1907348632812595367431640625time.Location(: extra text: OpenSCManagerWModule32FirstWunreachable: crypto/fips140mime/multipartRegSetValueExWdata truncatedunknown dsbyteRCodeNameErroradvertise errorkey has expirednetwork is downno me
API String ID: 0-1645962149
Opcode ID: 45d4a00243284db377bbebd89291ab126b633c57323a4cd74853f29c08c16bff
Instruction ID: 34db3bd7bb8f3df20bb210b38725f1faf81ed26ea99a5f9f4a462d8b49abc210
Opcode Fuzzy Hash: 45d4a00243284db377bbebd89291ab126b633c57323a4cd74853f29c08c16bff
Instruction Fuzzy Hash: 43B1CCB461E7918FC364CF29C09066AFBE1AF89304F54886EE9D887382D7749958CF53

Function 00223360 Relevance: 6.5, Strings: 5, Instructions: 238COMMON

Download Yara Rule

Strings

out of memory (stackalloc)shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory1455191522836685180664062572759576141834259033203125South Africa Standard TimeSaint Pierre Standard TimeNewfoundland Standard TimeCentral Asia Standard Time, xrefs: 0022341A
out of memoryunimplemented is nil, not value method span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=, xrefs: 0022355D
!, xrefs: 00223685
stack size not a power of 2too many callback functionstimer when must be positive: unexpected return pc for 363797880709171295166015625Easter Island Standard Timeabi.NewName: tag too long: httpservecontentkeepheadersinput overflows the modulusinvalid P224 poin, xrefs: 00223666
stackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of range14210854715202003717422485351, xrefs: 0022367C

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: !$out of memory (stackalloc)shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory1455191522836685180664062572759576141834259033203125South Africa Standard TimeSaint Pierre Standard TimeNewfoundland Standard TimeCentral Asia Standard Time$out of memoryunimplemented is nil, not value method span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=$stack size not a power of 2too many callback functionstimer when must be positive: unexpected return pc for 363797880709171295166015625Easter Island Standard Timeabi.NewName: tag too long: httpservecontentkeepheadersinput overflows the modulusinvalid P224 poin$stackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of range14210854715202003717422485351
API String ID: 0-3297325912
Opcode ID: 0ace2dd884c2c9b2a9dd0fe7d6b03c7c7630ebf38c269c6cd8c3b7aeba19d8f2
Instruction ID: 99eb2ddcafff6ab7ca29e679582a3d3442a979dd6a659216c0aecd6c1c033336
Opcode Fuzzy Hash: 0ace2dd884c2c9b2a9dd0fe7d6b03c7c7630ebf38c269c6cd8c3b7aeba19d8f2
Instruction Fuzzy Hash: CAA18C746183559FC704EF69D48062EBBE5FF99700F50882DE8888B351E738DA55CF82

Function 001EFD40 Relevance: 6.5, Strings: 5, Instructions: 202COMMON

Download Yara Rule

Strings

gc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 001EFFD6
sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppopcntcmd/gonetdnsX25519he, xrefs: 001EFF89
non in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=ru, xrefs: 001F002D
s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=, xrefs: 001EFFF5
+, xrefs: 001F0036

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: +$gc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$non in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=ru$s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=$sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppopcntcmd/gonetdnsX25519he
API String ID: 0-2331573037
Opcode ID: 816f2cc14e684e900c11cc5bb7ee01bc06ad474ab12378385d4fded76d73a3e0
Instruction ID: e96f479ede69f2a7ae61add674d65dd393b283c243bd6068e1fc5480cffed0bd
Opcode Fuzzy Hash: 816f2cc14e684e900c11cc5bb7ee01bc06ad474ab12378385d4fded76d73a3e0
Instruction Fuzzy Hash: B59125741097858FC704EF65C090A2EBBE1BF99304F45886EF8888B392D735D94ACF52

Function 001E0C30 Relevance: 6.4, Strings: 5, Instructions: 181COMMON

Download Yara Rule

Strings

1, xrefs: 001E0E74
runtime: unable to acquire - semaphore out of syncmallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largex509: RSA , xrefs: 001E0E55
@L, xrefs: 001E0C82, 001E0D0B, 001E0D53, 001E0E98
runtime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablenot enough sign, xrefs: 001E0E6B
notetsleep - waitm out of syncfailed to get system page sizeruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/total:seconds/godebug/non-default, xrefs: 001E0CDF

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: 1$@L$notetsleep - waitm out of syncfailed to get system page sizeruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/total:seconds/godebug/non-default$runtime: unable to acquire - semaphore out of syncmallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largex509: RSA $runtime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablenot enough sign
API String ID: 0-694617117
Opcode ID: db122008031216791ac7b595fe4bb75c182626284a172137e8a832355407c109
Instruction ID: 95ea2b64e8e1e6f1da14fc0f8d725b33e029051072e012809cafafe3c234dfbb
Opcode Fuzzy Hash: db122008031216791ac7b595fe4bb75c182626284a172137e8a832355407c109
Instruction Fuzzy Hash: 0C714B74608B519FC705DF69C480B2EBBE1AB98704F09896CE8D48B392D771DC84CB92

Function 001E3EE0 Relevance: 6.4, Strings: 5, Instructions: 180COMMON

Download Yara Rule

Strings

persistentalloc: size == 0/gc/cycles/total:gc-cyclesnegative idle mark workersuse of invalid sweepLockerruntime: bad span s.state=forEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meinittask with no functionscorrupted semaphore ticket, xrefs: 001E4158
persistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close , xrefs: 001E412C
persistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/classes/metadata/mcache/free:bytes/memory/classes/metadata/mspan/inuse:bytesnon-empty mark queue after concurrent marksweep: t, xrefs: 001E4142
*, xrefs: 001E414B
runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 001E4104

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: *$persistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/classes/metadata/mcache/free:bytes/memory/classes/metadata/mspan/inuse:bytesnon-empty mark queue after concurrent marksweep: t$persistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close $persistentalloc: size == 0/gc/cycles/total:gc-cyclesnegative idle mark workersuse of invalid sweepLockerruntime: bad span s.state=forEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meinittask with no functionscorrupted semaphore ticket$runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
API String ID: 0-3049536017
Opcode ID: 1e2b7d79990d49dbeeea772818df6d0af8fdf874cb03a6506b63afb4c3eb5485
Instruction ID: 90b73812afd2de7eedcbe0029764cbf53562ae5c0dd75793b75c79d64afb2361
Opcode Fuzzy Hash: 1e2b7d79990d49dbeeea772818df6d0af8fdf874cb03a6506b63afb4c3eb5485
Instruction Fuzzy Hash: 9E713774A09B858FC704DF25C48466EB7F1FB99304F00882EE8998B351E735EA89CF42

Function 001E6130 Relevance: 6.4, Strings: 5, Instructions: 154COMMON

Download Yara Rule

Strings

refill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memo, xrefs: 001E6380
bad sweepgen in refillspan has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p s, xrefs: 001E636A
(, xrefs: 001E6389
span has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p stateassembly checks fa, xrefs: 001E6332
out of memoryunimplemented is nil, not value method span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=, xrefs: 001E6348

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: ($bad sweepgen in refillspan has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p s$out of memoryunimplemented is nil, not value method span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=$refill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memo$span has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p stateassembly checks fa
API String ID: 0-1541570056
Opcode ID: e0b93c77185434bdc7c82e2f56d284ca1ae012989681a0e55d4c35d4c2a45b70
Instruction ID: 5012da8a0ff1bdfa39a5484df90258db5e395212e86e677b622d15f131e2773d
Opcode Fuzzy Hash: e0b93c77185434bdc7c82e2f56d284ca1ae012989681a0e55d4c35d4c2a45b70
Instruction Fuzzy Hash: 57612BB05197448FC344EF29C490A6EBBE1FF98344F81886EE4898B392E734D959CF56

Function 00235C60 Relevance: 6.4, Strings: 5, Instructions: 141COMMON

Download Yara Rule

Strings

attempted to trace a bad status for a proc173472347597680709441192448139190673828125867361737988403547205962240695953369140625Time.MarshalBinary: unexpected zone offsetx509: RSA modulus is not a positive numberPrintableString contains invalid charactercrypto/s, xrefs: 00235DA4
runtime: pid=3814697265625invalid base parsing time out of rangedalTLDpSugct?GetTempPath2WModule32NextWRtlGetVersionSHA256-RSAPSSSHA384-RSAPSSSHA512-RSAPSSbad IV lengthcrypto/subtlegocacheverifyinstallgoroothtml/templatetlsmaxrsasizeRegDeleteKeyWRegEnumValueW, xrefs: 00235D70
tried to trace dead goroutineruntime: impossible type kindruntime.semasleep wait_failed45474735088646411895751953125Central America Standard TimeNorth Asia East Standard TimeN. Central Asia Standard TimeChatham Islands Standard TimeCentral Pacific Standard Tim, xrefs: 00235E67
;, xrefs: 00235E55
tried to trace goroutine with invalid or unsupported statusecdsa: internal error: ordInverse produced an invalid valuecrypto/md5: use of MD5 is not allowed in FIPS 140-only modereflect: call of reflect.Value.Len on ptr to non-array Valuecalled CompareAndDelete, xrefs: 00235E4C

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: ;$attempted to trace a bad status for a proc173472347597680709441192448139190673828125867361737988403547205962240695953369140625Time.MarshalBinary: unexpected zone offsetx509: RSA modulus is not a positive numberPrintableString contains invalid charactercrypto/s$runtime: pid=3814697265625invalid base parsing time out of rangedalTLDpSugct?GetTempPath2WModule32NextWRtlGetVersionSHA256-RSAPSSSHA384-RSAPSSSHA512-RSAPSSbad IV lengthcrypto/subtlegocacheverifyinstallgoroothtml/templatetlsmaxrsasizeRegDeleteKeyWRegEnumValueW$tried to trace dead goroutineruntime: impossible type kindruntime.semasleep wait_failed45474735088646411895751953125Central America Standard TimeNorth Asia East Standard TimeN. Central Asia Standard TimeChatham Islands Standard TimeCentral Pacific Standard Tim$tried to trace goroutine with invalid or unsupported statusecdsa: internal error: ordInverse produced an invalid valuecrypto/md5: use of MD5 is not allowed in FIPS 140-only modereflect: call of reflect.Value.Len on ptr to non-array Valuecalled CompareAndDelete
API String ID: 0-131851361
Opcode ID: 6697bd8eff03747dcc37a6c14b7c241472201696b074dd65559d0222a632b419
Instruction ID: e1f03541d66967ac3f42dc034b40b5100295727b49e41ff440402931aa41afdd
Opcode Fuzzy Hash: 6697bd8eff03747dcc37a6c14b7c241472201696b074dd65559d0222a632b419
Instruction Fuzzy Hash: 9351FFB411D7958FD750DF69C18062EBBE1AB8A704F44882EF8D887382D378DA588F53

Function 001EF030 Relevance: 6.4, Strings: 5, Instructions: 137COMMON

Download Yara Rule

Strings

limiterEvent.stop: invalid limiter event type foundpotentially overlapping in-use allocations detectedruntime: netpoll: PostQueuedCompletionStatus failedfatal: systemstack called from unexpected goroutinegodebug: Value of name not listed in godebugs.All: ecdsa, xrefs: 001EF18E
limiterEvent.stop: found wrong event in p's limiter event slotslice length too short to convert to array or pointer to arrayruntime: internal error: misuse of lockOSThread/unlockOSThread0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZcrypto/sha1:, xrefs: 001EF20F
got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalGreeksse41sse42ssse3SHA-1P-256P-384P-521P-224filesstring hangupkilledlistensocketreadatdelete/quietString, xrefs: 001EF1DB
>, xrefs: 001EF218
runtime: want=MB; allocated RtlGetVersion, xrefs: 001EF1AD

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalGreeksse41sse42ssse3SHA-1P-256P-384P-521P-224filesstring hangupkilledlistensocketreadatdelete/quietString$>$limiterEvent.stop: found wrong event in p's limiter event slotslice length too short to convert to array or pointer to arrayruntime: internal error: misuse of lockOSThread/unlockOSThread0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZcrypto/sha1:$limiterEvent.stop: invalid limiter event type foundpotentially overlapping in-use allocations detectedruntime: netpoll: PostQueuedCompletionStatus failedfatal: systemstack called from unexpected goroutinegodebug: Value of name not listed in godebugs.All: ecdsa$runtime: want=MB; allocated RtlGetVersion
API String ID: 0-2661672472
Opcode ID: 9f2b398a8d04ae7aa33f7155a7fecefcc0d504f9d0e5b1130be01c57acb16b87
Instruction ID: 17bccdd596413cc084bad78db66a85559a4884e7b36d336554b5fe3229da1d77
Opcode Fuzzy Hash: 9f2b398a8d04ae7aa33f7155a7fecefcc0d504f9d0e5b1130be01c57acb16b87
Instruction Fuzzy Hash: 6351497451AB889FC344EF65C58172EBBE2BF98704F41886EF8C887392D735D9858B42

Function 00211A20 Relevance: 5.3, Strings: 4, Instructions: 271COMMON

Download Yara Rule

Strings

", xrefs: 00211DF8
forEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notinvalid timer channel: no capacity3552713678800500929355621337890625: day-of-year does not, xrefs: 00211DEF
forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeup298023223876953125Cuba Standard TimeOmsk Standard TimeArab Standard TimeIran Standard TimeRussia Time Zone 3Fiji Sta, xrefs: 00211DD9
forEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meinittask with no functionscorrupted semaphore ticketout of memory (stackalloc)shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory14551915228366851806640625, xrefs: 00211DC3

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: "$forEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meinittask with no functionscorrupted semaphore ticketout of memory (stackalloc)shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory14551915228366851806640625$forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeup298023223876953125Cuba Standard TimeOmsk Standard TimeArab Standard TimeIran Standard TimeRussia Time Zone 3Fiji Sta$forEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notinvalid timer channel: no capacity3552713678800500929355621337890625: day-of-year does not
API String ID: 0-2689501307
Opcode ID: 71634c20e73f6751ef2663ed46f3c6ead0a26743f7e2ddd7a6a9dbfae9017647
Instruction ID: 8573d026726caa30ebc6721b1123815e5b591f26156cfcb2e9bb661cd9a71b6a
Opcode Fuzzy Hash: 71634c20e73f6751ef2663ed46f3c6ead0a26743f7e2ddd7a6a9dbfae9017647
Instruction Fuzzy Hash: 10C13874619741CFC744DF24D480A6ABBF1FBA9304F10886EEA898B352D730E9A5CF56

Function 00209BC0 Relevance: 5.3, Strings: 4, Instructions: 251COMMON

Download Yara Rule

Strings

(, xrefs: 00209FFE
self-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timers152587890625762939453125OpenServiceWRevertToSelfCreateEventWGetConso, xrefs: 0020A00B
runtime.preemptM: duplicatehandle failedstopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 213877787807814456755, xrefs: 00209FF5
runtime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significa, xrefs: 00209FBE

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: ($runtime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significa$runtime.preemptM: duplicatehandle failedstopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 213877787807814456755$self-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timers152587890625762939453125OpenServiceWRevertToSelfCreateEventWGetConso
API String ID: 0-2243997142
Opcode ID: c2684e3ae79309e1de0db3a529367f8d5e69f7b9f3169eaac6e2fdd6dfe49b6f
Instruction ID: e1859a6e9d6d6b156c7962cd280f44014a6d1e6243fa0f9826f118c4f4efa25a
Opcode Fuzzy Hash: c2684e3ae79309e1de0db3a529367f8d5e69f7b9f3169eaac6e2fdd6dfe49b6f
Instruction Fuzzy Hash: 46C121B451A7418FC765EF28D090BAEBBE4BF89304F00896DE48987393D7749A94CF46

Function 001F90D0 Relevance: 5.2, Strings: 4, Instructions: 155COMMON

Download Yara Rule

Strings

sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=active < 0unknown pcruntime: ggoroutine 12207031256103515625, xrefs: 001F92E6
s.sweepgen= allocCount ProcessPrng, xrefs: 001F92BC
runtime: bad span s.state=forEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meinittask with no functionscorrupted semaphore ticketout of memory (stackalloc)shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory, xrefs: 001F928E
non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mruntime: profBuf already closedruntime: split stack overflow: ...additional frames elided...unsafe.String: len out of range1136868377216160297393798828125568434188608, xrefs: 001F931A

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: s.sweepgen= allocCount ProcessPrng$ sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=active < 0unknown pcruntime: ggoroutine 12207031256103515625$non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mruntime: profBuf already closedruntime: split stack overflow: ...additional frames elided...unsafe.String: len out of range1136868377216160297393798828125568434188608$runtime: bad span s.state=forEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meinittask with no functionscorrupted semaphore ticketout of memory (stackalloc)shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory
API String ID: 0-3450100782
Opcode ID: 02c2c5be3f9389027efc4ccd0da1d28a308d6b0a73faa1ec99226874c35ebe47
Instruction ID: 352d5e21d145415e207d990bfd8d84efcbddd7539164dff261f562f0f53f8cb1
Opcode Fuzzy Hash: 02c2c5be3f9389027efc4ccd0da1d28a308d6b0a73faa1ec99226874c35ebe47
Instruction Fuzzy Hash: 036113B41093459FC740EF28C190A6ABBF0AF99704F41486EF8D8873A2E734D948DF52

Function 001DB3E0 Relevance: 5.2, Strings: 4, Instructions: 153COMMON

Download Yara Rule

Strings

'l9, xrefs: 001DB608
&, xrefs: 001DB5F2
m changed unexpectedly in cgocallbackgmakechan: invalid channel element typeunreachable method called. linker bug?gcBgMarkWorker: blackening not enabledcannot read stack of running goroutineruntime: blocked read on free polldescruntime: LoadLibraryExW failed; , xrefs: 001DB5E9
runtime: bad g in cgocallback (types from different scopes)notetsleep - waitm out of syncfailed to get system page sizeruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/, xrefs: 001DB3FF

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: &$'l9$m changed unexpectedly in cgocallbackgmakechan: invalid channel element typeunreachable method called. linker bug?gcBgMarkWorker: blackening not enabledcannot read stack of running goroutineruntime: blocked read on free polldescruntime: LoadLibraryExW failed; $runtime: bad g in cgocallback (types from different scopes)notetsleep - waitm out of syncfailed to get system page sizeruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/
API String ID: 0-1202122651
Opcode ID: 6c49b7269bf02cd852cc256adbb5105fe719eac9001c56549be7598cad6e026a
Instruction ID: 71d364725018522e62c818316d86bad0aa5006ec4ee60e5b844241114d969150
Opcode Fuzzy Hash: 6c49b7269bf02cd852cc256adbb5105fe719eac9001c56549be7598cad6e026a
Instruction Fuzzy Hash: 6B71C774609740DFC345DF28C090A5ABBF1BF99304F5588AEE8898B362D772E845CF52

Function 00226CE0 Relevance: 5.1, Strings: 4, Instructions: 148COMMON

Download Yara Rule

Strings

-, xrefs: 00226D06
-, xrefs: 00226E2C
-, xrefs: 00226E5B
-, xrefs: 00226E39

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: -$-$-$-
API String ID: 0-1033403326
Opcode ID: a8cebf142198451463e10877b7e6c15c6f7389d049040c33b8e1d8d990183693
Instruction ID: f6fa7b43680256819d3d329b41827575942b93968d6b3d53fc911273e39aef32
Opcode Fuzzy Hash: a8cebf142198451463e10877b7e6c15c6f7389d049040c33b8e1d8d990183693
Instruction Fuzzy Hash: 3E513976A183664FD715CE68E45432EBBC2ABD0308F4D452CD8944B3E2E3B98A1D87C3

Function 00232930 Relevance: 5.1, Strings: 4, Instructions: 141COMMON

Download Yara Rule

Strings

traceRegion: out of memory1455191522836685180664062572759576141834259033203125South Africa Standard TimeSaint Pierre Standard TimeNewfoundland Standard TimeCentral Asia Standard TimeEkaterinburg Standard TimeE. Australia Standard TimeW. Australia Standard Time, xrefs: 00232AE5
', xrefs: 00232B0E
traceRegion: alloc too large18189894035458564758300781259094947017729282379150390625Canada Central Standard TimeCen. Australia Standard TimeAus Central W. Standard TimeCentral Europe Standard TimeEnglish name for time zone "crypto/rsa: decryption errorx509: in, xrefs: 00232B1B
traceRegion: alloc with concurrent drop2775557561562891351059079170227050781252006-01-02 15:04:05.999999999 -0700 MSTmath/big: buffer too small to fit valueexec: environment variable contains NULtags don't match (%d vs %+v) %+v %s @%dasn1: Unmarshal recipient , xrefs: 00232B05

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: '$traceRegion: alloc too large18189894035458564758300781259094947017729282379150390625Canada Central Standard TimeCen. Australia Standard TimeAus Central W. Standard TimeCentral Europe Standard TimeEnglish name for time zone "crypto/rsa: decryption errorx509: in$traceRegion: alloc with concurrent drop2775557561562891351059079170227050781252006-01-02 15:04:05.999999999 -0700 MSTmath/big: buffer too small to fit valueexec: environment variable contains NULtags don't match (%d vs %+v) %+v %s @%dasn1: Unmarshal recipient $traceRegion: out of memory1455191522836685180664062572759576141834259033203125South Africa Standard TimeSaint Pierre Standard TimeNewfoundland Standard TimeCentral Asia Standard TimeEkaterinburg Standard TimeE. Australia Standard TimeW. Australia Standard Time
API String ID: 0-1855588292
Opcode ID: 4e2045e01afba1ed913c8c84144b7efb4e9eb7e68a5fa7886b8af54b71db72e3
Instruction ID: dee9583139fc5998a470de3d46bcbfaf16cfdb7d9f506ced52c55422bcd21883
Opcode Fuzzy Hash: 4e2045e01afba1ed913c8c84144b7efb4e9eb7e68a5fa7886b8af54b71db72e3
Instruction Fuzzy Hash: 0D51D0B06187028FC700EF64C081A2EBBE0EF99354F44882EE899D7341E738D999DB42

Function 0022F900 Relevance: 5.1, Strings: 4, Instructions: 132COMMON

Download Yara Rule

Strings

]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CETBSTMSK-06+14StdDlt\\.\\?\??NUL:\/adxaessh, xrefs: 0022F956
2, xrefs: 0022FA2D
[originating from goroutine traceRegion: alloc too large18189894035458564758300781259094947017729282379150390625Canada Central Standard TimeCen. Australia Standard TimeAus Central W. Standard TimeCentral Europe Standard TimeEnglish name for time zone "crypto/r, xrefs: 0022F92C
...additional frames elided...unsafe.String: len out of range11368683772161602973937988281255684341886080801486968994140625W. Central Africa Standard TimeCentral Brazilian Standard TimeMountain Standard Time (Mexico)crypto/ecdh: invalid public keyecdsa: signa, xrefs: 0022FA39

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: ...additional frames elided...unsafe.String: len out of range11368683772161602973937988281255684341886080801486968994140625W. Central Africa Standard TimeCentral Brazilian Standard TimeMountain Standard Time (Mexico)crypto/ecdh: invalid public keyecdsa: signa$2$[originating from goroutine traceRegion: alloc too large18189894035458564758300781259094947017729282379150390625Canada Central Standard TimeCen. Australia Standard TimeAus Central W. Standard TimeCentral Europe Standard TimeEnglish name for time zone "crypto/r$]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CETBSTMSK-06+14StdDlt\\.\\?\??NUL:\/adxaessh
API String ID: 0-1700818374
Opcode ID: 5b0fcd9c0dca2e57abcc7dce935b06552925f1fa8eb57606d8aa9ab1099f7461
Instruction ID: d062e17d90f26c2e3f0a2d5df03c050802b11085a996e1c40c189ab86c0601bb
Opcode Fuzzy Hash: 5b0fcd9c0dca2e57abcc7dce935b06552925f1fa8eb57606d8aa9ab1099f7461
Instruction Fuzzy Hash: 9251D074619352AFC344EFA9D280A1ABBF1AF88704F44882DF8C887352E734D954DF52

Function 001DB050 Relevance: 5.1, Strings: 4, Instructions: 124COMMON

Download Yara Rule

Strings

(, xrefs: 001DB239
span on userArena.faultList has invalid sizesend on synctest channel from outside bubbleout of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing check, xrefs: 001DB21A
invalid span in heapArena for user arenabulkBarrierPreWrite: unaligned argumentsruntime: typeBitsBulkBarrier with type refill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lo, xrefs: 001DB230
am Files (x86)/Go/src/unique/clone.go, xrefs: 001DB07D

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: ($am Files (x86)/Go/src/unique/clone.go$invalid span in heapArena for user arenabulkBarrierPreWrite: unaligned argumentsruntime: typeBitsBulkBarrier with type refill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lo$span on userArena.faultList has invalid sizesend on synctest channel from outside bubbleout of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing check
API String ID: 0-1885139921
Opcode ID: b3e1ef94a323f5c2f035cea525ccf3e62af6b7d5fdcf7451ed2c09d093bb5f77
Instruction ID: 4ffeb9200ea146223452ac412888603db25a809e12d655d6819ac464f6410f61
Opcode Fuzzy Hash: b3e1ef94a323f5c2f035cea525ccf3e62af6b7d5fdcf7451ed2c09d093bb5f77
Instruction Fuzzy Hash: AF51D1B45193409FD748EF28C094B6ABBE0FB98344F41896EF8998B392E735D944CF42

Function 001E7580 Relevance: 5.1, Strings: 4, Instructions: 121COMMON

Download Yara Rule

Strings

runtime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mruntime: profBuf already closedruntime: spl, xrefs: 001E7753
runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: invalid p statecheckdead:, xrefs: 001E7675, 001E76F5
bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: , xrefs: 001E769F, 001E771F
out of memoryunimplemented is nil, not value method span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=, xrefs: 001E76D3

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: $out of memoryunimplemented is nil, not value method span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=$runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: invalid p statecheckdead:$runtime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mruntime: profBuf already closedruntime: spl
API String ID: 0-231815244
Opcode ID: abd4e97892827b1407faf48568a2eda5cca7b8c1a260ba917f2b3090413f14f1
Instruction ID: 7298b3bd975e1b5b290d79837d382f7ced21f9461b60c3260ecf343d031636c6
Opcode Fuzzy Hash: abd4e97892827b1407faf48568a2eda5cca7b8c1a260ba917f2b3090413f14f1
Instruction Fuzzy Hash: E75104B0119B418FE744EFA9D48472EBBE4BF88304F41882DF58887382E77498549F52

Function 00225110 Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

shrinkstack at bad timereflect.methodValueCall23283064365386962890625E. Africa Standard TimeTocantins Standard TimeArgentina Standard TimeVenezuela Standard TimeGreenland Standard TimeSri Lanka Standard TimeWest Bank Standard TimeQyzylorda Standard TimeSingapo, xrefs: 0022523F
shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory1455191522836685180664062572759576141834259033203125South Africa Standard TimeSaint Pierre Standard TimeNewfoundland Standard TimeCentral Asia Standard TimeEkaterinburg Standard Time, xrefs: 00225229
bad status in shrinkstackmissing traceGCSweepStart2910383045673370361328125South Sudan Standard TimeUS Mountain Standard TimeMiddle East Standard TimeTransbaikal Standard TimeW. Mongolia Standard TimeAfghanistan Standard TimeNorth Korea Standard TimeUlaanbaata, xrefs: 00225255
missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for mismatched isSending updates[originating from goroutine traceRegion: alloc too large18189894035458564758300781259094947017729282379150390625Canada C, xrefs: 0022526B

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: bad status in shrinkstackmissing traceGCSweepStart2910383045673370361328125South Sudan Standard TimeUS Mountain Standard TimeMiddle East Standard TimeTransbaikal Standard TimeW. Mongolia Standard TimeAfghanistan Standard TimeNorth Korea Standard TimeUlaanbaata$missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for mismatched isSending updates[originating from goroutine traceRegion: alloc too large18189894035458564758300781259094947017729282379150390625Canada C$shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory1455191522836685180664062572759576141834259033203125South Africa Standard TimeSaint Pierre Standard TimeNewfoundland Standard TimeCentral Asia Standard TimeEkaterinburg Standard Time$shrinkstack at bad timereflect.methodValueCall23283064365386962890625E. Africa Standard TimeTocantins Standard TimeArgentina Standard TimeVenezuela Standard TimeGreenland Standard TimeSri Lanka Standard TimeWest Bank Standard TimeQyzylorda Standard TimeSingapo
API String ID: 0-2611100542
Opcode ID: 4ddfbef7d43d7647850df058e1aa3688d1d174961a2c0b3ff4ae3856f9cc3788
Instruction ID: 0744dabfae250acf5b986fab834dae187357d6b48d42d2bad9d8d41b4f7b7268
Opcode Fuzzy Hash: 4ddfbef7d43d7647850df058e1aa3688d1d174961a2c0b3ff4ae3856f9cc3788
Instruction Fuzzy Hash: AC417A74624B21DFCB18DF64E4D1A2973E5FB98700F94886DE8498B392E774DD68CB02

Function 001FEC40 Relevance: 5.1, Strings: 4, Instructions: 95COMMON

Download Yara Rule

Strings

root level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=methodValueCallFrameObjs is not in a modulesy, xrefs: 001FEDB3
runtime: root level max pages = NtAssociateWaitCompletionPacket, xrefs: 001FED39
runtime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 001FED7F
+, xrefs: 001FEDBC

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: +$root level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=methodValueCallFrameObjs is not in a modulesy$runtime: root level max pages = NtAssociateWaitCompletionPacket$runtime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket
API String ID: 0-2773132953
Opcode ID: 87ebf1eca4862c3058c1d268d1debb054134f4bf44abc249d452890c1ff3075d
Instruction ID: 17e168459c1f2e964b43ed8327c8d6e5c237acab09dfe35dd3de9d67ccb400d0
Opcode Fuzzy Hash: 87ebf1eca4862c3058c1d268d1debb054134f4bf44abc249d452890c1ff3075d
Instruction Fuzzy Hash: 564103B45193448FD308EF68C095A2ABBE1BF89304F05886EF9898B3A3D735D954CF52

Function 001E7420 Relevance: 5.1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAdd, xrefs: 001E74FB
runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec, xrefs: 001E7559
bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: , xrefs: 001E7525
!, xrefs: 001E7562

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: $!$runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAdd$runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
API String ID: 0-464846790
Opcode ID: 283acab85e73142f4da9079c487c3ef3591428eb70e7987280eccbddccecb5d0
Instruction ID: 266f87e4e8395aeb3ed67a1b9225924d7797d4dfa84236c0679bf0c55c1084ea
Opcode Fuzzy Hash: 283acab85e73142f4da9079c487c3ef3591428eb70e7987280eccbddccecb5d0
Instruction Fuzzy Hash: A63102B461D7418FD308EF69D09162EBBE1AF88704F01892DF98987392E734D994CF56

Function 001EF4B0 Relevance: 5.1, Strings: 4, Instructions: 75COMMON

Download Yara Rule

Strings

gp *(in n= ) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CE, xrefs: 001EF51F
scan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts se, xrefs: 001EF5C2
goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppopcntcmd/gonetdnsX2, xrefs: 001EF541
status unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil PoolwsaioctlSHA1-RSADSA-, xrefs: 001EF56B

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base 390625SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondGetACPexec: Commonrdtscppopcntcmd/gonetdnsX2$ status unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil PoolwsaioctlSHA1-RSADSA-$gp *(in n= ) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CE$scan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts se
API String ID: 0-942138141
Opcode ID: de3d6aea05f09397bda85986750e7db2f275f4a0e11fa9e69f83c6167b79ec81
Instruction ID: b19704e93939eb63ae63fc05772a38cb9e5cf304c5b59ab40e4913e830f482da
Opcode Fuzzy Hash: de3d6aea05f09397bda85986750e7db2f275f4a0e11fa9e69f83c6167b79ec81
Instruction Fuzzy Hash: CC31E7B451A7408FC305EF64C191A2EBBE5BF89300F45886EE8D88B392D734D959DF52

Function 00210320 Relevance: 5.1, Strings: 4, Instructions: 63COMMON

Download Yara Rule

Strings

!, xrefs: 002103A0
castogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go functionpointerless type not in ranges:23841857910156250123456789ABCDEFtime: bad [0-9]*DuplicateTokenExGetCurrentThreadGetModuleHandleWRtlV, xrefs: 002103F5
newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil PoolwsaioctlSHA1-RSADSA-SHA1overflowavx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlsmlkem#fip, xrefs: 002103C1
runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-nega, xrefs: 00210397

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil PoolwsaioctlSHA1-RSADSA-SHA1overflowavx512bwavx512vlgo/typesnet/httpgo/buildnetedns0tlsmlkem#fip$!$castogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go functionpointerless type not in ranges:23841857910156250123456789ABCDEFtime: bad [0-9]*DuplicateTokenExGetCurrentThreadGetModuleHandleWRtlV$runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-nega
API String ID: 0-704761767
Opcode ID: bbce482ffd3b93e6409eff61916a1ab850e6ed25382dfee3d58ffcf12103cbc0
Instruction ID: 6eb6e6ead3a77bbc2e026c01fd65304f4600c626ce42b3b3a03fc76e2a52cf98
Opcode Fuzzy Hash: bbce482ffd3b93e6409eff61916a1ab850e6ed25382dfee3d58ffcf12103cbc0
Instruction Fuzzy Hash: 5621367061A7418FD300EF64C09076EBBE1FB99704F4088AEE8988B393D7709895CB52

Function 001F81D0 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running , xrefs: 001F8299
", xrefs: 001F82A2
runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckruntime.gopanicunexp, xrefs: 001F8237
npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil PoolwsaioctlSHA1-RSADSA-SHA1overflowavx512bwavx5, xrefs: 001F8265

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes 48828125strconv.parsing ParseIntThursdaySaturdayFebruaryNovemberDecember%!Month(nil PoolwsaioctlSHA1-RSADSA-SHA1overflowavx512bwavx5$"$runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckruntime.gopanicunexp$too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running
API String ID: 0-2544485644
Opcode ID: aecadc8c47d71e8fdf91c284fcb7f3439044b920aa387b04e98b764e3e0c5615
Instruction ID: 576a7383a84810e5989fc6e0aa195356673bfb14db1eea068f5fbc982da24327
Opcode Fuzzy Hash: aecadc8c47d71e8fdf91c284fcb7f3439044b920aa387b04e98b764e3e0c5615
Instruction Fuzzy Hash: 77214A7041A704CFC344EF64D09573ABBE1EF98704F45886DE5998B6A2E7349868DB22

Function 002071F0 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

3, xrefs: 002072D2
runtime: netpoll: PostQueuedCompletionStatus failedfatal: systemstack called from unexpected goroutinegodebug: Value of name not listed in godebugs.All: ecdsa: internal error: request size exceeds maximumSOFTWARE\Policies\Microsoft\Windows NT\SystemRestorerunt, xrefs: 002072C9
runtime: netpoll: PostQueuedCompletionStatus failed (errno= runtime: malformed profBuf buffer - tag and data out of sync USDT within three days as requestedEmail:exec: Cmd started a Process but leaked without a call to Waitreflect: reflect.V, xrefs: 00207284
) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CETBSTMSK-06+1, xrefs: 002072AE

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: ) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CETBSTMSK-06+1$3$runtime: netpoll: PostQueuedCompletionStatus failed (errno= runtime: malformed profBuf buffer - tag and data out of sync USDT within three days as requestedEmail:exec: Cmd started a Process but leaked without a call to Waitreflect: reflect.V$runtime: netpoll: PostQueuedCompletionStatus failedfatal: systemstack called from unexpected goroutinegodebug: Value of name not listed in godebugs.All: ecdsa: internal error: request size exceeds maximumSOFTWARE\Policies\Microsoft\Windows NT\SystemRestorerunt
API String ID: 0-1024452611
Opcode ID: be6a42782f46fd0435fb9dabd6fecbbfe9f3a90d9d0bed0ac91184963400376e
Instruction ID: c3639d60121a0f6a4e5f41173379f6f53c2a00c0c42a1b2dfc8ebb3bb2835ab2
Opcode Fuzzy Hash: be6a42782f46fd0435fb9dabd6fecbbfe9f3a90d9d0bed0ac91184963400376e
Instruction Fuzzy Hash: 6C2138B09297018FE300EF24D59572ABBE5BF99304F40882DE48887392E775A968DF53

Function 001F5B50 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: running < 0runtime, xrefs: 001F5BE5
?, xrefs: 001F5C22
GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=active < 0unknown pcruntime: g, xrefs: 001F5B67
malformed GOMEMLIMIT; see `go doc runtime/debug.SetMemoryLimit`crypto/ecdh: use of X25519 is not allowed in FIPS 140-only moderuntime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultattemp, xrefs: 001F5C19

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: ?$GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=active < 0unknown pcruntime: g$GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: running < 0runtime$malformed GOMEMLIMIT; see `go doc runtime/debug.SetMemoryLimit`crypto/ecdh: use of X25519 is not allowed in FIPS 140-only moderuntime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultattemp
API String ID: 0-1594171866
Opcode ID: 4c75f57cbc95d00e827a97e04c2c3c1de7c9a37c4612f84e54f31cb0b76895e2
Instruction ID: 3e94063c096e0afacc245ac683f867d8bcf22e577db82f79ab9857b068a63ef6
Opcode Fuzzy Hash: 4c75f57cbc95d00e827a97e04c2c3c1de7c9a37c4612f84e54f31cb0b76895e2
Instruction Fuzzy Hash: 032147B4919B048FC700EF64D08262ABBE6BF98314F40896EE5D887392D7359954CF53

Function 001E7780 Relevance: 5.0, Strings: 4, Instructions: 45COMMON

Download Yara Rule

Strings

runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAdd, xrefs: 001E77C6
bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: , xrefs: 001E77F0
runtime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointergetWeakHandle on invalid pointerrunt, xrefs: 001E7824
, xrefs: 001E782D

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: $ bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: $runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAdd$runtime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointergetWeakHandle on invalid pointerrunt
API String ID: 0-3522022193
Opcode ID: 2292c618a7a7e7d8f5fc2ebdd13fd18e7e2388247e902645afc236b195063af2
Instruction ID: 05bd72d96f726bf3f4862cc0a29a6ac8249ff43493b05e0fa29f27e8cd9df4e3
Opcode Fuzzy Hash: 2292c618a7a7e7d8f5fc2ebdd13fd18e7e2388247e902645afc236b195063af2
Instruction Fuzzy Hash: 4B11E2B402A7008FD340FFA8D08531EBBE4BF88704F41882DE48887382E77495589F63

Function 002070A0 Relevance: 5.0, Strings: 4, Instructions: 43COMMON

Download Yara Rule

Strings

runtime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len ou, xrefs: 0020714D
runtime: CreateIoCompletionPort failed (errno= racy sudog adjustment due to parking on channelfunction symbol table not sorted by PC offset: attempted to trace a bad status for a goroutineFIPS 140-3 mode is not supported on windows-386bigmod: modulus for ExpSh, xrefs: 00207108
) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CETBSTMSK-06+1, xrefs: 00207132
/, xrefs: 00207111

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: ) - NaN P m= MPC= < end > ]:???pc= G125625SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02-01EDTASTADTPSTPDTNSTNDT+03+04+07+06IST+09+08IDT+12PKT+11KST+05JST+10-11-12-08-09+13CETBSTMSK-06+1$/$runtime: CreateIoCompletionPort failed (errno= racy sudog adjustment due to parking on channelfunction symbol table not sorted by PC offset: attempted to trace a bad status for a goroutineFIPS 140-3 mode is not supported on windows-386bigmod: modulus for ExpSh$runtime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len ou
API String ID: 0-1754601229
Opcode ID: 41c9b3f4fa778547941e8974b44c23145426af1b4fe85e2663bbdc56e262d5ff
Instruction ID: ddcf8d3d5190fc1af073766fc24404cfb04e8e658da5e246327c4d906d9f8d68
Opcode Fuzzy Hash: 41c9b3f4fa778547941e8974b44c23145426af1b4fe85e2663bbdc56e262d5ff
Instruction Fuzzy Hash: 6911F5B082A7019FC300FF68D59572ABBE4AF59314F40496DE49887392E7349968CF63

Function 001EADF8 Relevance: 5.0, Strings: 4, Instructions: 42COMMON

Download Yara Rule

Strings

runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32, xrefs: 001EB1A5
flushGen MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= , xrefs: 001EB1CE
!= sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase, xrefs: 001EB1F8
p mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeupsemaRoot rotateRight, xrefs: 001EB22C

Memory Dump Source

Source File: 00000000.00000002.975247987.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.975226682.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975394007.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975524022.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975552541.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975572280.00000000004AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975592324.00000000004AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004D5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975618620.00000000004F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975715093.00000000004FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.975731630.00000000004FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_system21.jbxd

Similarity

API ID:
String ID: != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase$ flushGen MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= $p mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeupsemaRoot rotateRight$runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32
API String ID: 0-3187903521
Opcode ID: 8530ad7bafa5ab09b4d58e646c69a76b7cc87bfd8290a64dda0f36bea6f57dbc
Instruction ID: 4ae72e0e2a85204f8a13d662fa7356bc756625b994a0bf00f4660515df57d401
Opcode Fuzzy Hash: 8530ad7bafa5ab09b4d58e646c69a76b7cc87bfd8290a64dda0f36bea6f57dbc
Instruction Fuzzy Hash: 97119EB442A7009FD340EFA4D58571EBBE4AF88704F41882DF58887392E7B495589F23

Name	Source	Malicious	Antivirus Detection	Reputation
https://go.dev/pkg/crypto/rsa#hdr-Minimum_key_size)b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120	system21.exe	false		high
https://go.dev/issue/66821):	system21.exe	false		high

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.3075483835578
TrID:	Win32 Executable (generic) a (10002005/4) 99.51% InstallShield setup (43055/19) 0.43% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	system21.exe
File size:	3'198'464 bytes
MD5:	5766ef20fda9263ed77e6c00bf6ca20c
SHA1:	2e227cce2852a8711b283b12b738c30eff4ed7a3
SHA256:	04bbe3af082420e9f5ca72e3020c09e1ef16084697905e7f5b6a937d579192b0
SHA512:	f6fd69f318c65d1c91119aabb7d6e521d5e50c49454f460359921160013de2db53d5eac8a7b18f382b8321cb437a7f77efd9e825235d5edf66c0519e7662aabe
SSDEEP:	49152:Ts30bHZ24UId2zVi6jdQj3N8jyLJ9sY5E:lbHZ2ZzsWqjMyL7sqE
TLSH:	A6E53801FEDB95F1E803293115A7B26F63316D094F34CBEBFB647A6AE8776910836205
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........0..............(...F.......L........-...@...........................3...........@................................

Entrypoint:	0x474c90
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	1aae8bf580c846f39c71c05898e57e88

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x32d000	0x44c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x32e000	0xf2f0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2da280	0xb4	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1826a2	0x182800	b5d216a295f1cca10d56fd5119694ef6	False	0.4183332238437904	data	6.0366498764790375	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x184000	0x155efc	0x156000	e06b28683c07a9e8cacc5e7cec6df727	False	0.40732507538377194	data	5.685018386664799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2da000	0x52cac	0x24600	31ac9a2fe534b419888c9a480101035b	False	0.8083118556701031	data	7.260117315466492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x32d000	0x44c	0x600	6ac4c6a89ccba58db1ec95121738ec6f	False	0.357421875	OpenPGP Public Key	3.863732104902133	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x32e000	0xf2f0	0xf400	1fdb515ce53620c69619daa9cc90c42e	False	0.6308433657786885	data	6.617886891803336	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x33e000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.This may deny access to available backups and recovery options.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Deletion, Command: Command Execution, File: File Deletion, Process: Process Creation, Service: Service Metadata, Snapshot: Snapshot Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report system21.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\CZQKSDDMWR\Encrypt.html

C:\Users\user\Desktop\DUUDTUBZFW.docx

C:\Users\user\Desktop\DUUDTUBZFW.docx.[X6D6Q4@proton.me].LockBit (copy)

C:\Users\user\Desktop\DUUDTUBZFW\DUUDTUBZFW.docx

C:\Users\user\Desktop\DUUDTUBZFW\DUUDTUBZFW.docx.[X6D6Q4@proton.me].LockBit (copy)

C:\Users\user\Desktop\DUUDTUBZFW\EOWRVPQCCS.xlsx

C:\Users\user\Desktop\DUUDTUBZFW\EOWRVPQCCS.xlsx.[X6D6Q4@proton.me].LockBit (copy)

C:\Users\user\Desktop\DUUDTUBZFW\Encrypt.html

C:\Users\user\Desktop\DUUDTUBZFW\ZGGKNSUKOP.pdf

C:\Users\user\Desktop\DUUDTUBZFW\ZGGKNSUKOP.pdf.[X6D6Q4@proton.me].LockBit (copy)

C:\Users\user\Desktop\EIVQSAOTAQ.xlsx

C:\Users\user\Desktop\EIVQSAOTAQ.xlsx.[X6D6Q4@proton.me].LockBit (copy)

C:\Users\user\Desktop\EOWRVPQCCS.docx

C:\Users\user\Desktop\EOWRVPQCCS.docx.[X6D6Q4@proton.me].LockBit (copy)

C:\Users\user\Desktop\EOWRVPQCCS.xlsx

C:\Users\user\Desktop\EOWRVPQCCS.xlsx.[X6D6Q4@proton.me].LockBit (copy)

C:\Users\user\Desktop\EOWRVPQCCS\EIVQSAOTAQ.xlsx

C:\Users\user\Desktop\EOWRVPQCCS\EIVQSAOTAQ.xlsx.[X6D6Q4@proton.me].LockBit (copy)

C:\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx

C:\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx.[X6D6Q4@proton.me].LockBit (copy)

C:\Users\user\Desktop\EOWRVPQCCS\Encrypt.html

Windows Analysis Report
system21.exe