Windows Analysis Report platform-communicator-tray.exe

Overview

General Information

Sample Name: platform-communicator-tray.exe
Analysis ID: 530670
MD5: 3292cbadf492af3d058b4cdfac7a990b
SHA1: af7e2dd661039de68ce49ce9440569d89c74f33e
SHA256: 292b98b6712da304c64a211434355d2d97c4905641fa104af37280f95ff74a90
Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Uses 32bit PE files
Installs a raw input device (often for capturing keystrokes)
Program does not show much activity (idle)
PE file contains sections with non-standard names
Enables debug privileges

Classification

Classification radar (labels): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
  • System is w10x64
  • platform-communicator-tray.exe (PID: 3348 cmdline: "C:\Users\user\Desktop\platform-communicator-tray.exe" -install MD5: 3292CBADF492AF3D058B4CDFAC7A990B)
  • platform-communicator-tray.exe (PID: 5896 cmdline: "C:\Users\user\Desktop\platform-communicator-tray.exe" /install MD5: 3292CBADF492AF3D058B4CDFAC7A990B)
  • platform-communicator-tray.exe (PID: 6788 cmdline: "C:\Users\user\Desktop\platform-communicator-tray.exe" /load MD5: 3292CBADF492AF3D058B4CDFAC7A990B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

There are no malicious signatures.

Source: platform-communicator-tray.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED
Source: platform-communicator-tray.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: platform-communicator-tray.exe, 00000000.00000000.309081922.0000000001099000.00000002.00020000.sdmp | Binary or memory string: is unavailable()<>@,;:\"/[]?=,M3.2.0,M11.1.00601021504Z0700127.0.0.1:49151476837158203125: cannot parse <invalid Value>ASCII_Hex_DigitAccept-EncodingAccept-LanguageAddDllDirectoryCLSIDFromProgIDCLSIDFromStringCallWindowProcWClientAuthType(Contact detailsCreateHardLinkWCreatePopupMenuCreateWindowExWDeviceIoControlDialogBoxParamWDragAcceptFilesDrawThemeTextExDuplicateHandleExcludeClipRectFailed to find Failed to load FindNextVolumeWFindVolumeCloseFlush DNS cacheFlushViewOfFileGateway TimeoutGdiplusShutdownGetActiveObjectGetActiveWindowGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetDpiForWindowGetEnhMetaFileWGetMonitorInfoWGetProcessTimesGetRawInputDataGetSecurityInfoGetStartupInfoWGetTextMetricsWGetThreadLocaleHanifi_RohingyaIdempotency-KeyImpersonateSelfInsertMenuItemWIsWindowEnabledIsWindowVisibleIsWow64Process2Length RequiredLoadLibraryExA
Source: platform-communicator-tray.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED
Source: platform-communicator-tray.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\platform-communicator-tray.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: platform-communicator-tray.exe | String found in binary or memory: /home/engguser/workspace/dev_platform-communicator-tray/pkg/mod/gitlab.connectwisedev.com/platform/platform-api-model@v0.0.0-20210906153107-89021d285879/clients/model/Golang/resourceModel/communicator/tray/loader.go
Source: classification engine | Classification label: clean2.winEXE@3/0@0/0
Source: unknown | Process created: C:\Users\user\Desktop\platform-communicator-tray.exe "C:\Users\user\Desktop\platform-communicator-tray.exe" -install
Source: unknown | Process created: C:\Users\user\Desktop\platform-communicator-tray.exe "C:\Users\user\Desktop\platform-communicator-tray.exe" /install
Source: unknown | Process created: C:\Users\user\Desktop\platform-communicator-tray.exe "C:\Users\user\Desktop\platform-communicator-tray.exe" /load
Source: C:\Users\user\Desktop\platform-communicator-tray.exe | File created: C:\Users\user\.CommunicatorTrayResources
Source: platform-communicator-tray.exe | Static file information: File size 5227008 > 1048576
Source: platform-communicator-tray.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: platform-communicator-tray.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x268000
Source: platform-communicator-tray.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x22fc00
Source: platform-communicator-tray.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: platform-communicator-tray.exe | Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\platform-communicator-tray.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\platform-communicator-tray.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\platform-communicator-tray.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\platform-communicator-tray.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\platform-communicator-tray.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\platform-communicator-tray.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\platform-communicator-tray.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\platform-communicator-tray.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\platform-communicator-tray.exe | Process token adjusted: Debug

Mitre Att&ck Matrix

Tactic: techniques (matched-signature count)

  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Command and Scripting Interpreter (2); Scheduled Task/Job
  • Persistence: Path Interception; Boot or Logon Initialization Scripts
  • Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts
  • Defense Evasion: Masquerading (1); Process Injection (1)
  • Credential Access: Input Capture (11); LSASS Memory
  • Discovery: System Information Discovery (1); Application Window Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Input Capture (11); Data from Removable Media
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Command and Control: Data Obfuscation; Junk Data
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
  • Impact: Modify System Partition; Device Lockout

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 530670 | Sample: platform-communicator-tray.exe | Start date: 29/11/2021 | Architecture: WINDOWS | Score: 2 | Nodes: platform-communicator-tray.exe started (three processes)

Source | Detection | Scanner | Label
platform-communicator-tray.exe | 3% | Virustotal |
platform-communicator-tray.exe | 4% | ReversingLabs |
No Antivirus matches
No contacted domains info
No contacted IP infos

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 530670
Start date: 29.11.2021
Start time: 20:34:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 35s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: platform-communicator-tray.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Cmdline fuzzy
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.winEXE@3/0@0/0
EGA Information: Failed
HDC Information:
  • Successful, ratio: 96.8% (good quality ratio 51.6%)
  • Quality average: 42.1%
  • Quality standard deviation: 43.8%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.82.209.183
  • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, arc.trafficmanager.net, arc.msn.com
  • Execution Graph export aborted for target platform-communicator-tray.exe, PID 3348 because there are no executed function
  • Execution Graph export aborted for target platform-communicator-tray.exe, PID 5896 because there are no executed function
  • Execution Graph export aborted for target platform-communicator-tray.exe, PID 6788 because there are no executed function
No simulations
No context
No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 6.326117582386043
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: platform-communicator-tray.exe
File size: 5227008
MD5: 3292cbadf492af3d058b4cdfac7a990b
SHA1: af7e2dd661039de68ce49ce9440569d89c74f33e
SHA256: 292b98b6712da304c64a211434355d2d97c4905641fa104af37280f95ff74a90
SHA512: 436a28e86f9636a22a7490f5b3d4410a9d03534fedbe3d1ada5aebfb8f906fdea6d601dd91c9d201f1f530d4a1289eb3b037e88793c015400b53151453b29b60
SSDEEP: 49152:I/tWX6c2Logwt7aK8RC5V1MgoRVRqbJUkSWHuzNPAhwqz+2a8hg+zHj4tgFbNuk+:A8pZHLG9wWkhHuzBAEF8N0kyz/vny
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........O...............&..x................I...@..........................PR...........@................................

File Icon

Icon Hash: 00828e8e8686b000

General

Entrypoint: 0x45ffd0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: 4035d2883e01d64f3e7a9dccb1d63af5
Instruction
jmp 00007F2FFCEC2CF0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov esi, eax
mov edx, dword ptr fs:[00000014h]
cmp edx, 00000000h
jne 00007F2FFCEC51D9h
mov eax, 00000000h
jmp 00007F2FFCEC523Fh
mov edx, dword ptr [edx+00000000h]
cmp edx, 00000000h
jne 00007F2FFCEC51D7h
call 00007F2FFCEC52C9h
mov dword ptr [esp+20h], edx
mov dword ptr [esp+24h], esp
mov ebx, dword ptr [edx+18h]
mov ebx, dword ptr [ebx]
cmp edx, ebx
je 00007F2FFCEC51F3h
mov ebp, dword ptr fs:[00000014h]
mov dword ptr [ebp+00000000h], ebx
mov edi, dword ptr [ebx+1Ch]
sub edi, 04h
mov dword ptr [edi], 00437B80h
sub edi, 28h
mov dword ptr [edi+24h], esp
mov esp, edi
mov ebx, dword ptr [ecx]
mov ecx, dword ptr [ecx+04h]
mov dword ptr [esp], ebx
mov dword ptr [esp+04h], ecx
mov dword ptr [esp+08h], edx
call esi
mov eax, dword ptr [esp+0Ch]
mov esp, dword ptr [esp+24h]
mov edx, dword ptr [esp+20h]
mov ebp, dword ptr fs:[00000014h]
mov dword ptr [ebp+00000000h], edx
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
mov ecx, dword ptr [esp+04h]
mov edx, dword ptr [ecx]
mov eax, esp
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4f6000 | 0x3d6 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x524000 | 0x2d0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4f7000 | 0x2bf4e | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x499020 | 0xa0 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x267ffa | 0x268000 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x269000 | 0x22faf0 | 0x22fc00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x499000 | 0x5c900 | 0x37800 | False | 0.471886437218 | data | 5.82112060393 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0x4f6000 | 0x3d6 | 0x400 | False | 0.490234375 | data | 4.5925006423 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc | 0x4f7000 | 0x2bf4e | 0x2c000 | False | 0.525268554688 | data | 6.54373481302 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x523000 | 0x4 | 0x200 | False | 0.02734375 | data | 0.0203931352361 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x524000 | 0x2d0 | 0x400 | False | 0.333984375 | data | 2.39977154539 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x524058 | 0x278 | data | English | United States

DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, Sleep, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler
Description | Data
LegalCopyright | @Continuum IT Management Platform
ProductName | ITSPlatform
ProductVersion | 1.0.154
OriginalFilename | platform-communicator-tray.exe
FileDescription | platform-communicator-tray
Translation | 0x0409 0x0000

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Start time: 20:36:01
Start date: 29/11/2021
Path: C:\Users\user\Desktop\platform-communicator-tray.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\platform-communicator-tray.exe" -install
Imagebase: 0xe30000
File size: 5227008 bytes
MD5 hash: 3292CBADF492AF3D058B4CDFAC7A990B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Start time: 20:36:04
Start date: 29/11/2021
Path: C:\Users\user\Desktop\platform-communicator-tray.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\platform-communicator-tray.exe" /install
Imagebase: 0xe30000
File size: 5227008 bytes
MD5 hash: 3292CBADF492AF3D058B4CDFAC7A990B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Start time: 20:36:08
Start date: 29/11/2021
Path: C:\Users\user\Desktop\platform-communicator-tray.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\platform-communicator-tray.exe" /load
Imagebase: 0xe30000
File size: 5227008 bytes
MD5 hash: 3292CBADF492AF3D058B4CDFAC7A990B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis

Executed Functions

Non-executed Functions

Strings
  • runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtoo many open filestoo much pixel dataunexpected g statusunknown Go type: %vunknown certificateunknown ciphe, xrefs: 00E5FCE4
  • runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=scavengeOne called with unaligned work regiontls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not, xrefs: 00E5FDD5
  • runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 00E5FD7A
  • runtime.minit: duplicatehandle failedruntime: allocation size out of rangesetprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptls: unsupported certificate key (%T)too many Additionals to pack (>65535)too many Authorities to pack (>65535)u, xrefs: 00E5FE64
  • CreateWaitableTimerEx when creating timer failedTime.MarshalJSON: year outside of range [0,9999]Time.MarshalText: year outside of range [0,9999]bufio: writer returned negative count from Writecould not find GetSystemTimeAsFileTime() syscallfailed to parse cert, xrefs: 00E5FE09
  • %, xrefs: 00E5FE6D
  • runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=scavengeOne called with unaligned work regiontls: internal error: failed to update binderstls: internal error: unexpected ren, xrefs: 00E5FE30
  • VirtualQuery for stack base failedadding nil Certificate to CertPoolbad scalar length: %d, expected %dchacha20: wrong HChaCha20 key sizecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu, xrefs: 00E5FDAE
  • bad g0 stackbad recoveryc ap trafficc hs trafficcaller errorcan't happencas64 failedchan receiveclose notifycomctl32.dllcomdlg32.dllcontent-typecontext.TODOdumping heapend tracegcentersyscallerrors.Errorexit status gcBitsArenasgcpacertracegetaddrinfowhost is , xrefs: 00E5FD53
Memory Dump Source
  • Source File: 00000000.00000002.312497083.0000000000E31000.00000020.00020000.sdmp, Offset: 00E30000, based on PE: true
  • Associated: 00000000.00000002.312492031.0000000000E30000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.312997338.0000000001099000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.313382876.00000000012C9000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.313395969.00000000012CF000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.313400944.00000000012D0000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.313410328.00000000012D1000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.313438266.00000000012FC000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.313448941.00000000012FD000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.313456770.00000000012FE000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.313472219.0000000001307000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.313477661.0000000001320000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.313489623.0000000001323000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.313494441.0000000001326000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.313506809.0000000001327000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.313538389.0000000001354000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_e30000_platform-communicator-tray.jbxd
Similarity
  • API ID:
  • String ID: %$CreateWaitableTimerEx when creating timer failedTime.MarshalJSON: year outside of range [0,9999]Time.MarshalText: year outside of range [0,9999]bufio: writer returned negative count from Writecould not find GetSystemTimeAsFileTime() syscallfailed to parse cert$VirtualQuery for stack base failedadding nil Certificate to CertPoolbad scalar length: %d, expected %dchacha20: wrong HChaCha20 key sizecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu$bad g0 stackbad recoveryc ap trafficc hs trafficcaller errorcan't happencas64 failedchan receiveclose notifycomctl32.dllcomdlg32.dllcontent-typecontext.TODOdumping heapend tracegcentersyscallerrors.Errorexit status gcBitsArenasgcpacertracegetaddrinfowhost is $runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=scavengeOne called with unaligned work regiontls: internal error: failed to update binderstls: internal error: unexpected ren$runtime.minit: duplicatehandle failedruntime: allocation size out of rangesetprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptls: unsupported certificate key (%T)too many Additionals to pack (>65535)too many Authorities to pack (>65535)u$runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=scavengeOne called with unaligned work regiontls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtoo many open filestoo much pixel dataunexpected g statusunknown Go type: %vunknown certificateunknown ciphe
  • API String ID: 0-3737786696
  • Opcode ID: c137826ad092a7d41cb0a424318525599292e97729bd948abd2565d1aa1eced7
  • Instruction ID: 5085ba6dc576c7986a7428077f76bd131dc646f914c5ce6ea66a7bae5e5f3707
  • Opcode Fuzzy Hash: c137826ad092a7d41cb0a424318525599292e97729bd948abd2565d1aa1eced7
  • Instruction Fuzzy Hash: 378111B45497018FD300EF64E19971EBBE0BF88748F40A92DE898A7382D774D949CF52
Uniqueness

Uniqueness Score: -1.00%

Strings
  • p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC)%+n (%s:%d)%d.%d.%d.%d, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=ATM adapterAppendMenuWBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad Gat, xrefs: 00E6EAE9
  • m->p= next= p->m= prev= span=% util(...), i = , not , val 390625<-chanAcceptAnswerArabicAugustBasic BitBltBrahmiButtonCANCELCLOSEDCarianChakmaCommonCookieCopticDELETEEndDocExpectFormatFridayGOAWAYGOROOTGetACPGothicGray16HangulHatranHebrewHyphenKaithiKhojkiLI, xrefs: 00E6EA9D
  • releasep: m=remote errorrundll32.exeruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptshort bufferspanSetSpinesweepWaiterstraceStringstransmitfileunexpected )unknown portunknown typewinspool.drvwintrust.dllwirep: p->m=worker mode wtsapi32.dll != swee, xrefs: 00E6EA7B
  • releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontls.Reco, xrefs: 00E6EB33
Memory Dump Source
  • Source File: 00000000.00000002.312497083.0000000000E31000.00000020.00020000.sdmp, Offset: 00E30000, based on PE: true
  • Associated: 00000000.00000002.312492031.0000000000E30000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.312997338.0000000001099000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.313382876.00000000012C9000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.313395969.00000000012CF000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.313400944.00000000012D0000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.313410328.00000000012D1000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.313438266.00000000012FC000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.313448941.00000000012FD000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.313456770.00000000012FE000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.313472219.0000000001307000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.313477661.0000000001320000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.313489623.0000000001323000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.313494441.0000000001326000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.313506809.0000000001327000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.313538389.0000000001354000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_e30000_platform-communicator-tray.jbxd
Similarity
  • API ID:
  • String ID: m->p= next= p->m= prev= span=% util(...), i = , not , val 390625<-chanAcceptAnswerArabicAugustBasic BitBltBrahmiButtonCANCELCLOSEDCarianChakmaCommonCookieCopticDELETEEndDocExpectFormatFridayGOAWAYGOROOTGetACPGothicGray16HangulHatranHebrewHyphenKaithiKhojkiLI$ p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC)%+n (%s:%d)%d.%d.%d.%d, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=ATM adapterAppendMenuWBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad Gat$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontls.Reco$releasep: m=remote errorrundll32.exeruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptshort bufferspanSetSpinesweepWaiterstraceStringstransmitfileunexpected )unknown portunknown typewinspool.drvwintrust.dllwirep: p->m=worker mode wtsapi32.dll != swee
  • API String ID: 0-1384306788
  • Opcode ID: f47a7c89527e411f67698f033773a07e22bef70cbc9af3662ce7e2e7c8ffd6a2
  • Instruction ID: afbcdc8949e971f5211b321e4c25a81a4b3294e22413dc464e184149f065dd53
  • Opcode Fuzzy Hash: f47a7c89527e411f67698f033773a07e22bef70cbc9af3662ce7e2e7c8ffd6a2
  • Instruction Fuzzy Hash: 584114B8549700CFC314EF64E19571ABBF0BF98344F41992DE4989B342D734D888DB62
Uniqueness

Uniqueness Score: -1.00%