Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe
Analysis ID:1521527
MD5:7b4035b7052f56004af9eaab53827574
SHA1:302e9ca36501728f2e2415f75a2677d2f181f65a
SHA256:a1b6bc527346f83980b95415abf3a30e636926afcc5e0cdc5d3b6c497b03f204
Tags:exe
Infos:

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Contains functionality for execution timing, often used to detect debuggers
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device

Classification

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe (PID: 3436 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe" MD5: 7B4035B7052F56004AF9EAAB53827574)
    • conhost.exe (PID: 2640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • calc.exe (PID: 6184 cmdline: calc MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
  • Calculator.exe (PID: 1680 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca MD5: 94675EB54AC5DAA11ACE736DBFA9E7A2)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeAvira: detected
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeReversingLabs: Detection: 34%
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 4x nop then sub rbx, qword ptr [rax+18h]0_2_0034F340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 4x nop then mov rdi, 0000800000000000h0_2_003593A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_003598200_2_00359820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_003360400_2_00336040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_00355C800_2_00355C80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_0037C8800_2_0037C880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_003398C00_2_003398C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_003569600_2_00356960
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_0036A1E00_2_0036A1E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_0034C9C00_2_0034C9C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_0033D2600_2_0033D260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_0034F6400_2_0034F640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_0033C6A00_2_0033C6A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_00377EA00_2_00377EA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_00342E800_2_00342E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_003352C00_2_003352C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_003457200_2_00345720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_00344BA50_2_00344BA5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_003593A00_2_003593A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_00335BC00_2_00335BC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: String function: 00367680 appears 32 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: String function: 00367F00 appears 223 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: String function: 00365D40 appears 181 times
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeStatic PE information: Number of sections : 13 > 10
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeStatic PE information: Section: /19 ZLIB complexity 0.9968444172597865
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeStatic PE information: Section: /32 ZLIB complexity 0.9955409787735849
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeStatic PE information: Section: /65 ZLIB complexity 0.9977410827020202
Source: classification engineClassification label: mal60.evad.winEXE@5/2@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2640:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeFile opened: C:\Windows\system32\cbfd95aba991de69d27a9d80aaf7b1fd8d6e6c984cd99446f612f699565a35c8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeReversingLabs: Detection: 34%
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeString found in binary or memory: C:/Users/ADMIN/sdk/go1.19.3/src/net/addrselect.go
Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeProcess created: C:\Windows\System32\calc.exe calc
Source: unknownProcess created: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeProcess created: C:\Windows\System32\calc.exe calcJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: ieframe.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: mlang.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: twinui.appcore.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: mrmcorer.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: windows.staterepositorycore.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: bcp47mrm.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: windows.ui.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\calc.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: vccorlib140_app.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: msvcp140_app.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: concrt140_app.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: vcruntime140_app.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: vcruntime140_app.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: msvcp140_app.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: vcruntime140_app.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.ui.xaml.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.applicationmodel.datatransfer.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: wldp.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: rometadata.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.staterepositorycore.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.ui.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: propsys.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: netutils.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: mrmcorer.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.staterepositoryclient.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: bcp47mrm.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: d2d1.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.applicationmodel.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.shell.servicehostbuilder.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: uiamanager.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.ui.core.textinput.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.ui.immersive.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: dataexchange.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.storage.applicationdata.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.globalization.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.globalization.fontgroups.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: fontgroupsoverride.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.ui.xaml.controls.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.energy.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.graphics.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: winrttracing.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.ui.xaml.phone.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: directmanipulation.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: twinapi.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: userenv.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: profext.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeSection loaded: windows.web.dllJump to behavior
Source: C:\Windows\System32\calc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\InProcServer32Jump to behavior
Source: C:\Windows\System32\calc.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociationsJump to behavior
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeStatic file information: File size 2576896 > 1048576
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeStatic PE information: section name: /4
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeStatic PE information: section name: /19
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeStatic PE information: section name: /32
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeStatic PE information: section name: /46
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeStatic PE information: section name: /65
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeStatic PE information: section name: /78
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeStatic PE information: section name: /90
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeStatic PE information: section name: .symtab
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\calc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\calc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\calc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\calc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_0038FDA0 rdtscp0_2_0038FDA0
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe, 00000000.00000002.2146460764.000001BFD1C4C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

barindex
Potentially malicious time measurement code found
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_0038FDA0 Start: 0038FDA9 End: 0038FDBF0_2_0038FDA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exeCode function: 0_2_0038FDA0 rdtscp0_2_0038FDA0
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformationJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Command and Scripting Interpreter		1
DLL Side-Loading		1
Process Injection		1
Software Packing		OS Credential Dumping11
Security Software Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		1
Process Injection		LSASS Memory12
System Information Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Deobfuscate/Decode Files or Information		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
Obfuscated Files or Information		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1521527 Sample: SecuriteInfo.com.Win64.Gosh... Startdate: 28/09/2024 Architecture: WINDOWS Score: 60 15 Antivirus / Scanner detection for submitted sample 2->15 17 Multi AV Scanner detection for submitted file 2->17 6 SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe 1 2->6         started        9 Calculator.exe 2 2->9         started        process3 signatures4 19 Potentially malicious time measurement code found 6->19 11 conhost.exe 6->11         started        13 calc.exe 12 6->13         started        process5

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe34%ReversingLabsWin64.Trojan.Goshell
SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe100%AviraTR/Redcap.csgyk

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1521527
Start date and time:2024-09-28 22:24:08 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 47s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:10
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe
Detection:MAL
Classification:mal60.evad.winEXE@5/2@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe

Warnings

  • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\settings.dat

Download File
Process:C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):8192
Entropy (8bit):0.7318385106717678
Encrypted:false
SSDEEP:24:1E44WinhlDuUbwB71Ph/+wB7ipadnW/6ZPo:TJa/87pb79
MD5:97D1E055B1028A89296C4BD64E958B28
SHA1:551FBC0F8FE2E308404FF42CD6112FE1153B431E
SHA-256:2A860D2D7A579B2DA6E8B976CB85251F906CB7EDA359169CBC4E20E7A9023C4E
SHA-512:EA7337F0DAC27B194A4E2B23F6CED27A4AAFA6A074C0DA9BDE12315A155EB53863B56CF005D58E209044BF3BE918F5A518F8605E6E0C3ABEE6346E921C38BC40
Malicious:false
Reputation:low
Preview:regf........b.Q.7.................. ...........y.b.3.d.8.b.b.w.e.\.S.e.t.t.i.n.g.s.\.s.e.t.t.i.n.g.s...d.a.t...y..j.....J.....y..j.....J.........z..j.....J.....rmtm..q.................................................................................................................................................................................................................................................................................................................................................QN..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\settings.dat.LOG1

Download File
Process:C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):8192
Entropy (8bit):0.7685429523812254
Encrypted:false
SSDEEP:24:6e44Wqp47nhlDuUbwB71Ph/+wB7ipadnW/6ZPo:IJq6j/87pb79
MD5:3C40D38E9390916D54B535B4F481B167
SHA1:DDF4532F71F092AA6B2E5BDB681EDCBD74F03F22
SHA-256:1AECC9A42528EAF563C54F70A9755F6CCF86643E9BD180FF44B781C5F5E44EE2
SHA-512:8EDC9936A4A8C95986A31E826856958C1862529E2C5F677339DC1C0A132F9AD89D4D69E12BB250C15BC244CAC3D37B02F18EE390EFADC2CA8ED64C13ECE65BAD
Malicious:false
Preview:regf........b.Q.7.................. ...........y.b.3.d.8.b.b.w.e.\.S.e.t.t.i.n.g.s.\.s.e.t.t.i.n.g.s...d.a.t...y..j.....J.....y..j.....J.........z..j.....J.....rmtm..q.................................................................................................................................................................................................................................................................................................................................................VN..HvLE.......................l.5..m..RZ..........hbin................b.Q.7..........nk,.T...7......@#..........................x...............................Test....p...sk..h...h.......t.......H...X.............4.........?.......................?....................... ... ...............YQ..fr]%dc;.............vk......0...........VeryFirstLaunch.......Wo....................vk................y Mode....p...sk..x...x.......t.......H...X.............4.........?.......................

Static File Info

General

File type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):6.891363921323847
TrID:
  • Win64 Executable (generic) (12005/4) 74.95%
  • Generic Win/DOS Executable (2004/3) 12.51%
  • DOS Executable Generic (2002/1) 12.50%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe
File size:2'576'896 bytes
MD5:7b4035b7052f56004af9eaab53827574
SHA1:302e9ca36501728f2e2415f75a2677d2f181f65a
SHA256:a1b6bc527346f83980b95415abf3a30e636926afcc5e0cdc5d3b6c497b03f204
SHA512:ec968194b8246ab34050d1eb9db3bd4f194a00fc200ff30904f975b618faa0bd9affcd329e34af75e289ebf87d057a994134ed005cb2af46a89f243d5c6a9ad0
SSDEEP:49152:WDIWtQDaS3jlrcpuCUN66gRgjK9ED1wgYPfpZPRcX:WDY33jz6s+3gSjR
TLSH:35C58C03BC9464B5C9EA92328A7592913B30BC490F3177D73E54B6BA2F367D82E35364
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........"%.n....."......X....................@..............................p-...........`... ............................

File Icon

Icon Hash:00928e8e8686b000

Static PE Info

General

Entrypoint:0x4615c0
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:9cbefe68f395e67356e2a5d8d1b285c0

Entrypoint Preview

Instruction
jmp 00007FDA2D168810h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
dec eax
sub esp, 30h
dec ecx
mov edi, eax
dec eax
mov edx, dword ptr [00000028h]
dec eax
cmp edx, 00000000h
jne 00007FDA2D16C4DEh
dec eax
mov eax, 00000000h
jmp 00007FDA2D16C555h
dec eax
mov edx, dword ptr [edx+00000000h]
dec eax
cmp edx, 00000000h

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x2af0000x47c.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x2b00000x3482.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x17a1200x140.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000xb56f00xb5800b0a423d6c74198dcb9b2de3cb7cca67fFalse0.45799705148071623data6.181993494036477IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata0xb70000xc26e80xc28004747118e400356b392e3cc3af3c53434False0.4050324349293059data5.336613243685146IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0x17a0000x730e80x18200f7e06f7707f397dfe46c9cf31546497aFalse0.39126254857512954data4.578366809922597IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/40x1ee0000x1270x20043dc7a0ae5a7067502907db800396667False0.6171875data5.097874074212899IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/190x1ef0000x231be0x23200ff0398fa4f65d6ba4198d7be9ee83326False0.9968444172597865data7.990091352131561IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/320x2130000x69910x6a00d097c091399f8b18f1b25b66ff8c443bFalse0.9955409787735849data7.929275538980879IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/460x21a0000x380x200d95f4071ba497f202d8980154767b4cdFalse0.119140625data0.9936791567963514IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/650x21b0000x62f280x630001a0da4755c92eca7ebfc4f957030a683False0.9977410827020202data7.997316626051625IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/780x27e0000x25f780x26000ce909f344a5020dbefcba5293bf4d73fFalse0.9801282380756579data7.991080985927538IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/900x2a40000xacb90xae00c473ccdadc30d8e06bf63f4e4dd27e20False0.9703439295977011data7.785306676095716IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata0x2af0000x47c0x600a72292ef25f488cacb762d0a08b5f6d0False0.3326822916666667data3.569079691151672IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc0x2b00000x34820x3600649693b93fc9fd9ec89a09461ce3fdd8False0.35149016203703703data5.387316801807309IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab0x2b40000x22f340x230008f718eeb069ccd746673aec52a9cd9b4False0.24630301339285715data5.239269010659436IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLLImport
kernel32.dllWriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:16:25:10
Start date:28/09/2024
Path:C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe"
Imagebase:0x330000
File size:2'576'896 bytes
MD5 hash:7B4035B7052F56004AF9EAAB53827574
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Go lang
Reputation:low
Has exited:true

General

Target ID:2
Start time:16:25:10
Start date:28/09/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:3
Start time:16:25:10
Start date:28/09/2024
Path:C:\Windows\System32\calc.exe
Wow64 process (32bit):false
Commandline:calc
Imagebase:0x7ff602c20000
File size:27'648 bytes
MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

General

Target ID:4
Start time:16:25:11
Start date:28/09/2024
Path:C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
Imagebase:0x7ff727f70000
File size:4'099'584 bytes
MD5 hash:94675EB54AC5DAA11ACE736DBFA9E7A2
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:false

Disassembly

Reset < >

    Execution Graph

    Execution Coverage:0.1%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:3
    Total number of Limit Nodes:0
    execution_graph 12706 1bfd1e90000 12707 1bfd1e9003c 12706->12707 12707->12707 12708 1bfd1e9004d WinExec 12707->12708

    Executed Functions

    Function 000001BFD1E90000 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55processCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 0 1bfd1e90000-1bfd1e90038 1 1bfd1e9003c-1bfd1e9004b 0->1 1->1 2 1bfd1e9004d-1bfd1e90068 WinExec 1->2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2146526406.000001BFD1E90000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001BFD1E90000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1bfd1e90000_SecuriteInfo.jbxd
    Similarity
    • API ID: Exec
    • String ID: WinE
    • API String ID: 459137531-3444632478
    • Opcode ID: 700bca52c49ff2f5de0782ad143191bd45380c9fa07a9882aea2b0c75f19539b
    • Instruction ID: 7874ba6c86559042dac1da217d06722913a5bdd5b706aeb5fedc40429998d81c
    • Opcode Fuzzy Hash: 700bca52c49ff2f5de0782ad143191bd45380c9fa07a9882aea2b0c75f19539b
    • Instruction Fuzzy Hash: 8301BC72901D1AAFDA60DF09D8808B2F3E4FB9533675A0746DC08E7208C365BC61CBD0

    Non-executed Functions

    Function 00359820 Relevance: 19.3, Strings: 15, Instructions: 546COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 3 359820-35982c 4 359832-3598ae 3->4 5 35a399-35a3b2 call 38dce0 3->5 7 3598ce-3598d2 4->7 5->3 9 3599e5-3599f3 7->9 10 3598d8-359923 7->10 13 3599f9-359a24 call 35c4e0 9->13 14 359c58-359c60 call 3903e0 9->14 11 35a390-35a398 call 390440 10->11 12 359929-35992c 10->12 11->5 16 359932-3599a3 12->16 17 35a388-35a38b call 390480 12->17 28 359acc-359ae7 13->28 29 359a2a-359acb call 359740 13->29 20 359c65-359c6b 14->20 21 3599a5-3599ac 16->21 22 3599ae 16->22 17->11 26 359c75-359c78 20->26 27 3599b1-3599e0 21->27 22->27 32 359ee0-359ee3 26->32 33 359c7e-359c80 26->33 27->26 30 359c53 call 3903c0 28->30 31 359aed-359b15 28->31 30->14 36 359c3c-359c49 31->36 37 359b1b-359b2a 31->37 40 35a18f-35a200 call 359740 32->40 41 359ee9-359eec 32->41 38 359c86-359c8d 33->38 39 35a37d-35a383 call 3903c0 33->39 36->30 43 359b30-359c28 call 367600 call 367f00 call 367d00 call 367f00 call 367d00 call 367f00 call 367c00 call 367f00 call 367c00 call 367f00 call 367c00 call 367f00 call 367680 call 367600 call 367f00 call 367c00 call 367860 call 367680 call 365d40 37->43 44 359c2d-359c37 37->44 45 359c93-359d4a 38->45 46 359c8f-359c91 38->46 39->17 48 35a176-35a18e 41->48 49 359ef2-359f1c 41->49 43->44 60 359d50-359d55 45->60 61 359e7a-359edd 45->61 46->20 53 359f26-359f42 49->53 54 359f1e-359f24 49->54 58 359f49-359f53 53->58 54->58 62 359f55-359f5b 58->62 63 359f5d-359f61 58->63 66 359d57-359d5c 60->66 67 359d5e-359d6e 60->67 61->32 64 359f68-35a2e3 call 367600 call 367f00 call 367d00 call 367f00 call 367d00 call 367f00 call 367c00 call 367f00 call 367c00 call 367f00 call 367c00 call 367860 call 367680 call 367600 call 367f00 call 367d00 call 367f00 call 367c00 call 367f00 call 367d00 call 367860 call 367680 call 367600 call 367f00 call 367d60 call 367f00 call 367d00 call 367860 call 367680 call 367600 call 367f00 call 367c00 call 367f00 call 367c00 call 367860 call 367680 62->64 63->64 185 35a36c-35a378 call 365d40 64->185 186 35a2e9-35a31a 64->186 70 359d71-359d74 66->70 67->70 73 3598b0-3598cb 70->73 74 359d7a-359d7d 70->74 73->7 75 359d7f-359d89 74->75 76 359d8b-359da6 74->76 79 359dad 75->79 80 359e25-359e75 76->80 81 359da8 76->81 84 359daf-359db8 79->84 85 359dba-359dc4 79->85 80->20 81->79 89 359dc8-359e20 84->89 85->89 89->20 185->39 187 35a324-35a33c 186->187 188 35a31c-35a322 186->188 190 35a33f-35a351 187->190 188->190 191 35a353 190->191 192 35a35d-35a361 190->192 191->192 192->185
    Strings
    • , ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHS, xrefs: 00359B93, 00359BAF, 00359FCF, 00359FEF
    • , npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTypeIdeographicMedefaidrinMessageBoxWMoveFileExWNandinagariNetShareAddNetShar, xrefs: 0035A03C
    • runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs cleaningupdate during transition bytes failed with errno= to unused region of span with too many arguments 2910383045673370361328125AUS Central Standard TimeAUS Eastern Sta, xrefs: 0035A0A5
    • ] = (arrayclosedebugdeferfalsefaultfilesfloatgFreegcinggscanhchanhttpsimap2imap3imapsinit int16int32int64mheapntohspanicpop3sscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usagevaluewrite B -> Value addr= alloc base code= ctxt: curg= free goid jobs, xrefs: 00359B78
    • runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong medium type but memory size because dotdotdot in async preempt t, xrefs: 00359B3F, 00359F72
    • runtime: npages = runtime: range = {runtime: textAddr server misbehavingstreams pipe errorsystem page size (tracebackancestorsuse of closed filevalue out of range [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=1490116119384765625745, xrefs: 00359BEF
    • ), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDT, xrefs: 00359BCF
    • bad summary databad symbol tablecastogscanstatuscontext canceledgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapnewmHandoff.lockno route to hostnon-, xrefs: 00359C1C, 0035A36C
    • , levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCM_Get_DevNode_StatusCentral Standard TimeChangeServiceConfig2WDeregisterEventSourceDwmGetWi, xrefs: 0035A145
    • , i = , not 390625<-chanAnswerArabicBrahmiCarianChakmaCommonCopticFormatGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianRejangSCHED StringSyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11WanchoYezidi[]byte ch, xrefs: 0035A0C5
    • runtime: levelShift[level] = runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: traceback stuck. pc=semacquire not on the G stackstring concatenation too lon, xrefs: 0035A125
    • ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMroNDTNSTNaNNkoPC=PDTPKTPSTStdUTCVaiWAT]:adxaesav, xrefs: 00359B5A, 00359F99
    • runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong medium type but, xrefs: 0035A01E
    • ] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindpipepop3rootsbrksmtpsse3tcp4trueudp4uint -%s ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, xrefs: 00359FB4
    • , j0 = 19531259765625: type ::1/128AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOsmanyaRadicalSharadaShavianSiddhamSinhalaSleepExSogdianSoyomboSwapperT, xrefs: 0035A05A
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: ), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDT$, ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHS$, i = , not 390625<-chanAnswerArabicBrahmiCarianChakmaCommonCopticFormatGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianRejangSCHED StringSyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11WanchoYezidi[]byte ch$, j0 = 19531259765625: type ::1/128AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOsmanyaRadicalSharadaShavianSiddhamSinhalaSleepExSogdianSoyomboSwapperT$, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCM_Get_DevNode_StatusCentral Standard TimeChangeServiceConfig2WDeregisterEventSourceDwmGetWi$, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTypeIdeographicMedefaidrinMessageBoxWMoveFileExWNandinagariNetShareAddNetShar$] = (arrayclosedebugdeferfalsefaultfilesfloatgFreegcinggscanhchanhttpsimap2imap3imapsinit int16int32int64mheapntohspanicpop3sscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usagevaluewrite B -> Value addr= alloc base code= ctxt: curg= free goid jobs$] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindpipepop3rootsbrksmtpsse3tcp4trueudp4uint -%s ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345$][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMroNDTNSTNaNNkoPC=PDTPKTPSTStdUTCVaiWAT]:adxaesav$bad summary databad symbol tablecastogscanstatuscontext canceledgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapnewmHandoff.lockno route to hostnon-$runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong medium type but$runtime: levelShift[level] = runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: traceback stuck. pc=semacquire not on the G stackstring concatenation too lon$runtime: npages = runtime: range = {runtime: textAddr server misbehavingstreams pipe errorsystem page size (tracebackancestorsuse of closed filevalue out of range [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=1490116119384765625745$runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs cleaningupdate during transition bytes failed with errno= to unused region of span with too many arguments 2910383045673370361328125AUS Central Standard TimeAUS Eastern Sta$runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong medium type but memory size because dotdotdot in async preempt t
    • API String ID: 0-2727621137
    • Opcode ID: 83e68da4eda480828d4f0141bcaafb878fd930d2d1ee70c3512777799ea71ba1
    • Instruction ID: 8adb77695b6209c6bf06a52491a4744df4ba88e81a92c7217e40edc2c8dc71ba
    • Opcode Fuzzy Hash: 83e68da4eda480828d4f0141bcaafb878fd930d2d1ee70c3512777799ea71ba1
    • Instruction Fuzzy Hash: DE32AD76328BC481DB22AF15E4417DAA365F789BC4F808522DF9D5BB6ACF78C449C740
    Function 0033C6A0 Relevance: 9.3, Strings: 7, Instructions: 539COMMON
    Download Yara Rule
    Strings
    • mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewruntime: unable to acquire - semaphore out of syncfatal: systemstack called from unexpected goroutinelimiterEvent.stop: invalid limiter event type foundpotentia, xrefs: 0033CF56
    • malloc during signalnotetsleep not on g0p mcache not flushedpacer: assist ratio=preempt off reason: reflect.makeFuncStubruntime: double waitsemaRoot rotateRighttime: invalid numbertrace: out of memoryunexpected IP lengthwirep: already in goworkbuf is not empty, xrefs: 0033CF30
    • delayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characternot enough significant bits after mult128bitPow10panicwrap: unex, xrefs: 0033CED7
    • @, xrefs: 0033C92D
    • mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in reset, xrefs: 0033CF1F
    • malloc deadlockmisaligned maskmissing addressmissing mcache?ms: gomaxprocs=network is downno medium foundno such processpreempt SPWRITErecovery failedruntime error: runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm, xrefs: 0033CF45
    • !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 0033CA56
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$@$delayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characternot enough significant bits after mult128bitPow10panicwrap: unex$malloc deadlockmisaligned maskmissing addressmissing mcache?ms: gomaxprocs=network is downno medium foundno such processpreempt SPWRITErecovery failedruntime error: runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm$malloc during signalnotetsleep not on g0p mcache not flushedpacer: assist ratio=preempt off reason: reflect.makeFuncStubruntime: double waitsemaRoot rotateRighttime: invalid numbertrace: out of memoryunexpected IP lengthwirep: already in goworkbuf is not empty$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewruntime: unable to acquire - semaphore out of syncfatal: systemstack called from unexpected goroutinelimiterEvent.stop: invalid limiter event type foundpotentia$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in reset
    • API String ID: 0-3898167177
    • Opcode ID: 10280f0a17e650da5adb7d9c06032eb2a9ddc6adfbf3b982422f17a3edbdf416
    • Instruction ID: 74a56d6f43d10c25cf4b66d7349e8949b7f6f30925e04c5f4b5e97370c5d068b
    • Opcode Fuzzy Hash: 10280f0a17e650da5adb7d9c06032eb2a9ddc6adfbf3b982422f17a3edbdf416
    • Instruction Fuzzy Hash: F732C576218B80C6DB56CF15E4803AABB65F349BD0F59A116EF9D27B59CF78C884CB00
    Function 0034F640 Relevance: 6.4, Strings: 5, Instructions: 170COMMON
    Download Yara Rule
    Strings
    • +-./05:<=?CFLMPSUZ[\, xrefs: 0034F8EF
    • (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625: type ::1/128AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitKannadaMUI_DltM, xrefs: 0034F874
    • pacer: assist ratio=preempt off reason: reflect.makeFuncStubruntime: double waitsemaRoot rotateRighttime: invalid numbertrace: out of memoryunexpected IP lengthwirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found of unexported metho, xrefs: 0034F852
    • MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc ::ffff:0:0/96CertOpenStoreCoTaskMemFree, xrefs: 0034F8D3
    • ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHSTH, xrefs: 0034F8B3
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625: type ::1/128AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitKannadaMUI_DltM$ MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc ::ffff:0:0/96CertOpenStoreCoTaskMemFree$+-./05:<=?CFLMPSUZ[\$->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHSTH$pacer: assist ratio=preempt off reason: reflect.makeFuncStubruntime: double waitsemaRoot rotateRighttime: invalid numbertrace: out of memoryunexpected IP lengthwirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found of unexported metho
    • API String ID: 0-3540231504
    • Opcode ID: 6c93832ed27617ac6d27fd02c31e9031ce1daa778be40a12aed78389d298b5e9
    • Instruction ID: aafe2ccaa75d5a14e8c7263329468411c0228d4fcffa486509fcdfdad483b3da
    • Opcode Fuzzy Hash: 6c93832ed27617ac6d27fd02c31e9031ce1daa778be40a12aed78389d298b5e9
    • Instruction Fuzzy Hash: E171A432519F8485D703EF25E48039A77A4FB99BC4F598636EA8D1BB29CF38D091C750
    Function 003352C0 Relevance: 5.4, Strings: 4, Instructions: 380COMMON
    Download Yara Rule
    Strings
    • unreachableuserenv.dllversion.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<n, xrefs: 003353C5
    • chansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno answer from DNS serverno buffer space availableno such de, xrefs: 00335888
    • G waiting list is corruptedGetSecurityDescriptorLengthGetUserPreferredUILanguagesSetupDiClassNameFromGuidExWSetupDiGetDeviceInstanceIdWSetupDiGetDriverInfoDetailWStartServiceCtrlDispatcherWaddress not a stack addresschannel number out of rangecommunication err, xrefs: 003358AC
    • @i3, xrefs: 003356DB
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: @i3$G waiting list is corruptedGetSecurityDescriptorLengthGetUserPreferredUILanguagesSetupDiClassNameFromGuidExWSetupDiGetDeviceInstanceIdWSetupDiGetDriverInfoDetailWStartServiceCtrlDispatcherWaddress not a stack addresschannel number out of rangecommunication err$chansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno answer from DNS serverno buffer space availableno such de$unreachableuserenv.dllversion.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<n
    • API String ID: 0-2363621854
    • Opcode ID: dcad457877139190d488eeb3887716209d150c0c4e8a57e248b1c45d714f4f66
    • Instruction ID: b6b485cf7eba347648a9ccd0825a83334a44afe46d2b48fc08beabdb918a5140
    • Opcode Fuzzy Hash: dcad457877139190d488eeb3887716209d150c0c4e8a57e248b1c45d714f4f66
    • Instruction Fuzzy Hash: 48F1F472204F84C6DB21DB25E48439EB7A1F385BE4F959225DB9C5BBA9CF38C495CB00
    Function 0036A1E0 Relevance: 5.2, Strings: 4, Instructions: 232COMMON
    Download Yara Rule
    Strings
    • casgstatus: bad incoming valuescheckmark found unmarked objectencoding/hex: invalid byte: %#Uentersyscallblock inconsistent fmt: unknown base; can't happeninternal error - misuse of itabinvalid network interface indexmalformed time zone informationnon in-use s, xrefs: 0036A5CF
    • runtime: casgstatus: oldval=runtime: no module data for save on system g not allowed45474735088646411895751953125CM_Get_Device_Interface_ListWCentral America Standard TimeCentral Pacific Standard TimeChatham Islands Standard TimeDeleteProcThreadAttributeListGe, xrefs: 0036A58D
    • casgstatus: waiting for Gwaiting but is Grunnabledelayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characternot enough sign, xrefs: 0036A546
    • newval= nfreed= packed= pointer stack=[ status 48828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDuployanEqualSidEthiopicExtenderGeorgianGoStringGujaratiGurmukhiHiraganaIsWindowJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_C, xrefs: 0036A5A8
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: newval= nfreed= packed= pointer stack=[ status 48828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDuployanEqualSidEthiopicExtenderGeorgianGoStringGujaratiGurmukhiHiraganaIsWindowJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_C$casgstatus: bad incoming valuescheckmark found unmarked objectencoding/hex: invalid byte: %#Uentersyscallblock inconsistent fmt: unknown base; can't happeninternal error - misuse of itabinvalid network interface indexmalformed time zone informationnon in-use s$casgstatus: waiting for Gwaiting but is Grunnabledelayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characternot enough sign$runtime: casgstatus: oldval=runtime: no module data for save on system g not allowed45474735088646411895751953125CM_Get_Device_Interface_ListWCentral America Standard TimeCentral Pacific Standard TimeChatham Islands Standard TimeDeleteProcThreadAttributeListGe
    • API String ID: 0-1337210721
    • Opcode ID: e64125d87b7416295ee9ae43bfdd0ae5761b72e44b63d45795b79876c1176fc6
    • Instruction ID: 246b3f7ba28651d94e846209158363a2020faa31c6f82bd5180624e307534946
    • Opcode Fuzzy Hash: e64125d87b7416295ee9ae43bfdd0ae5761b72e44b63d45795b79876c1176fc6
    • Instruction Fuzzy Hash: 69A1FF76709F8086DB16CB25E48536AB760F34A7D4F108622EF9D57BA9CF39C445CB01
    Function 00336040 Relevance: 4.2, Strings: 3, Instructions: 415COMMON
    Download Yara Rule
    Strings
    • unreachableuserenv.dllversion.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<n, xrefs: 003361F0
    • G waiting list is corruptedGetSecurityDescriptorLengthGetUserPreferredUILanguagesSetupDiClassNameFromGuidExWSetupDiGetDeviceInstanceIdWSetupDiGetDriverInfoDetailWStartServiceCtrlDispatcherWaddress not a stack addresschannel number out of rangecommunication err, xrefs: 003365A4
    • @i3, xrefs: 003364BB
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: @i3$G waiting list is corruptedGetSecurityDescriptorLengthGetUserPreferredUILanguagesSetupDiClassNameFromGuidExWSetupDiGetDeviceInstanceIdWSetupDiGetDriverInfoDetailWStartServiceCtrlDispatcherWaddress not a stack addresschannel number out of rangecommunication err$unreachableuserenv.dllversion.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<n
    • API String ID: 0-3361651983
    • Opcode ID: a11bf7c9026542654afb0b2ce733a4783db45cb400d3d77bef46d3be50de15ec
    • Instruction ID: bbd756cc7580d1048d0c4dbf43f71f6d18d5c111790fceedac1ad165f0582bb9
    • Opcode Fuzzy Hash: a11bf7c9026542654afb0b2ce733a4783db45cb400d3d77bef46d3be50de15ec
    • Instruction Fuzzy Hash: DB020372704B809ADB66DB26E48239AB7A1F789BC0F99D025DB8C4BB19CF3DC445C700
    Function 00356960 Relevance: 3.0, Strings: 2, Instructions: 468COMMON
    Download Yara Rule
    Strings
    • grew heap, but no adequate free space foundheapBitsSetTypeGCProg: unexpected bit countinterrupted system call should be restartedmethodValueCallFrameObjs is not in a modulemult64bitPow10: power of 10 is out of rangemultiple Read calls return no data or errorno, xrefs: 00357157
    • @i5, xrefs: 00356ED4
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: @i5$grew heap, but no adequate free space foundheapBitsSetTypeGCProg: unexpected bit countinterrupted system call should be restartedmethodValueCallFrameObjs is not in a modulemult64bitPow10: power of 10 is out of rangemultiple Read calls return no data or errorno
    • API String ID: 0-3134700341
    • Opcode ID: 2cbbb8bdc843c40c2a970cb46ce22a8b81a59f849e120d90ba350d7016726a09
    • Instruction ID: 18055d15dd7654fb240e9a3aaa4891ef239864b3a443208cb5b2cb575a2ee0dd
    • Opcode Fuzzy Hash: 2cbbb8bdc843c40c2a970cb46ce22a8b81a59f849e120d90ba350d7016726a09
    • Instruction Fuzzy Hash: 48228D72209BC486DB618F15E48179AB7A1F78ABD1F885126EFCD47B69CF38C458CB40
    Function 00377EA0 Relevance: 1.6, Strings: 1, Instructions: 392COMMON
    Download Yara Rule
    Strings
    • !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 00377F90, 00378070, 00378190, 00378298
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
    • API String ID: 0-2911004680
    • Opcode ID: 7854181240ea8b9e04d88ee854efa3ede088e5fb9bcb1bdf7de6e2d2c7fd5093
    • Instruction ID: 9df9123b97d339470382b32ee79d9e00e5764f9bc65dedf153dff7c060d92aba
    • Opcode Fuzzy Hash: 7854181240ea8b9e04d88ee854efa3ede088e5fb9bcb1bdf7de6e2d2c7fd5093
    • Instruction Fuzzy Hash: F0E115B2B44BA086EB258B05E4443ADA765F745BD0F84C532EB9E57B98DF7CC841C740
    Function 00342E80 Relevance: 1.5, Strings: 1, Instructions: 297COMMON
    Download Yara Rule
    Strings
    • bulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modemust be able to track idle limiter eventrefill of span with free space remainingruntime.SetFinalizer, xrefs: 003432DA
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: bulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modemust be able to track idle limiter eventrefill of span with free space remainingruntime.SetFinalizer
    • API String ID: 0-2482137747
    • Opcode ID: b01c3bce5637f32c9b392b1d0fc8e191639423b4d77d7ac184535605bef6cec7
    • Instruction ID: 1bd3cf05eba82f7b17ad8463c83cb89a22bfb48b272222603c193d13135daeca
    • Opcode Fuzzy Hash: b01c3bce5637f32c9b392b1d0fc8e191639423b4d77d7ac184535605bef6cec7
    • Instruction Fuzzy Hash: 00B1E076719B8482CB21DF16E440B9AB7A5F385BC0F958126EF8E5BB18DF38E554CB00
    Function 00345720 Relevance: 1.4, Strings: 1, Instructions: 135COMMON
    Download Yara Rule
    Strings
    • out of memoryprofMemActiveprofMemFutureruntime: seq=runtime: val=srmount errortimer expiredtraceStackTabvalue method xadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -threa, xrefs: 00345925, 00345936
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: out of memoryprofMemActiveprofMemFutureruntime: seq=runtime: val=srmount errortimer expiredtraceStackTabvalue method xadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -threa
    • API String ID: 0-3908290088
    • Opcode ID: 3537aad6a351cf29caba4f07d9988c45e3bcbe56a1d568bf6e767fb23e7eaaf1
    • Instruction ID: 06e96094d324138bbb8593d72a4f907318ad8926e776e46569edcb0028e41654
    • Opcode Fuzzy Hash: 3537aad6a351cf29caba4f07d9988c45e3bcbe56a1d568bf6e767fb23e7eaaf1
    • Instruction Fuzzy Hash: CE51B072314F8187CB15DB15E4903AAB7A1F389B81F885526EB8E4BB25DF3CC549CB40
    Function 0034F340 Relevance: 1.3, Strings: 1, Instructions: 97COMMON
    Download Yara Rule
    Strings
    • gcmarknewobject called while doing checkmarkinsufficient data for calculated length typemult128bitPow10: power of 10 is out of rangeno P available, write barriers are forbiddenout of memory allocating heap arena metadatareflect: funcLayout with interface recei, xrefs: 0034F42F
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: gcmarknewobject called while doing checkmarkinsufficient data for calculated length typemult128bitPow10: power of 10 is out of rangeno P available, write barriers are forbiddenout of memory allocating heap arena metadatareflect: funcLayout with interface recei
    • API String ID: 0-3662980403
    • Opcode ID: 4ac08ae495ef58e8184acb17db41035f7fe86dc3c61cb784b25e63d82ca9c0c1
    • Instruction ID: 53f7eb391a758d149291c6487e47f89d6ef1cb78c4e3fdade53e553e1107da9a
    • Opcode Fuzzy Hash: 4ac08ae495ef58e8184acb17db41035f7fe86dc3c61cb784b25e63d82ca9c0c1
    • Instruction Fuzzy Hash: 8D21AFB3715BC98BDF019F25D8803996BA1F3A6B94F8AA276CB4C5B745CB6CC445C300
    Function 00344BA5 Relevance: .3, Instructions: 281COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3accb9baa71d3a977aa77b5377bfff99dce23e43cc728e08947df4e6afd495b1
    • Instruction ID: 0b61af2bc3d00f6d48a7bb4620fea8cc6ddea0f1219c2f65451ce5488a0a15ac
    • Opcode Fuzzy Hash: 3accb9baa71d3a977aa77b5377bfff99dce23e43cc728e08947df4e6afd495b1
    • Instruction Fuzzy Hash: 1F719BA3B186F453EE02CA91A400BB46698F356FD0B555531EE2F2FF45D668DE06D304
    Function 00335BC0 Relevance: .3, Instructions: 261COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 90ef78fb904d9c932ecd125c623c1bf8db54f1359adff1d41ea42ba53c97d051
    • Instruction ID: ce2b63e99c084ee1ab98010276e3bd0624d36b9795cd7fc2eedc43e09060fa8c
    • Opcode Fuzzy Hash: 90ef78fb904d9c932ecd125c623c1bf8db54f1359adff1d41ea42ba53c97d051
    • Instruction Fuzzy Hash: 78B12132205F84CADB12DB15E5843AAB3A1F745BC8F599532DE8D0BB68CF39C896C740
    Function 003593A0 Relevance: .2, Instructions: 207COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d565dcb257dbdb37e948e4f3b29a4c2af09ce6184344736d99acfe7e4ca26489
    • Instruction ID: 3a0dcaf13ff53a64b50d5e83ca709471569dc850d159c5d684b0def2ce708b92
    • Opcode Fuzzy Hash: d565dcb257dbdb37e948e4f3b29a4c2af09ce6184344736d99acfe7e4ca26489
    • Instruction Fuzzy Hash: 18914877618B8486DB108B25F08035AB7A5F78ABE4F545226EFAD57BA9CF3CC055CB00
    Function 0034C9C0 Relevance: .2, Instructions: 182COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b3af7125e9a0eb3efba0a0cccb4aa9a3ac44a9fe8b83e9376e6c429e5d231533
    • Instruction ID: 6df4cb0b3b9706588945c9b6c48fb1f0fde4bdc04ff7ec91f1456cd4b8a72fcf
    • Opcode Fuzzy Hash: b3af7125e9a0eb3efba0a0cccb4aa9a3ac44a9fe8b83e9376e6c429e5d231533
    • Instruction Fuzzy Hash: DF617C7261AB8486D787DB36E4403AAB7A1F786BD0F45A312EE9D1BB85CF38D451C700
    Function 0037C880 Relevance: .2, Instructions: 172COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c0e249996f86d138e649be0a7856094a8c264ede9a9d63cab15d9d0eb7721da5
    • Instruction ID: 10ab5846482023ea6525b281423b018b0718e75abea62b2d587b8b85b803a0cd
    • Opcode Fuzzy Hash: c0e249996f86d138e649be0a7856094a8c264ede9a9d63cab15d9d0eb7721da5
    • Instruction Fuzzy Hash: 51515922B14A40CADF35DF66908136AE791F385B84FC9E939DB6D47786D73CC4908B04
    Function 003398C0 Relevance: .2, Instructions: 161COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cec824fe755d5de3c4eb6748d741e2813c7d5083b459d9ffff1d52dd85d3690a
    • Instruction ID: dfd3a0be87c82727612297f08b75de05315c5308b515a20d083c15f888645eeb
    • Opcode Fuzzy Hash: cec824fe755d5de3c4eb6748d741e2813c7d5083b459d9ffff1d52dd85d3690a
    • Instruction Fuzzy Hash: 3B412AA2700A55C1AE058B6785502AAE361E74EFD0799E23BCF2D77B6CC77CD506C344
    Function 0033D260 Relevance: .1, Instructions: 99COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 828b7a1463c6d836a45cb48c8ff53709129b057a3ac697af8291e2e46b1a11cd
    • Instruction ID: 57e7510c2621e22f03eec11c19e025ff69dacf2b251f51fc164de8684b035d01
    • Opcode Fuzzy Hash: 828b7a1463c6d836a45cb48c8ff53709129b057a3ac697af8291e2e46b1a11cd
    • Instruction Fuzzy Hash: E4214BA2F25F444BCA47DB3A9440315831AAF96BD0F58C722AE1FB7795E738D4D34240
    Function 00355C80 Relevance: .1, Instructions: 78COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f2b9b8516b68641737e60d6cae9b3d97fda78f7c0d4cdbf960191381571580e1
    • Instruction ID: dc887e38c6f5e997d062e9577d383bbf667b5718936cc7dfff22bdb781372ebd
    • Opcode Fuzzy Hash: f2b9b8516b68641737e60d6cae9b3d97fda78f7c0d4cdbf960191381571580e1
    • Instruction Fuzzy Hash: 4731B67A318F8591DB468B15E9803EA67A1E784BC0F858032DE4F4BB29DF38D149C700
    Function 0038FDA0 Relevance: .0, Instructions: 11COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9950cd9dd804cb85b63014e6eb4adcf3b80c536f480256d5bba2c82f494fe937
    • Instruction ID: 6353d83ddb98cc1755ebaaef183c28a4266e66f6a6d4f40b9e7d04e2569bcc1c
    • Opcode Fuzzy Hash: 9950cd9dd804cb85b63014e6eb4adcf3b80c536f480256d5bba2c82f494fe937
    • Instruction Fuzzy Hash: 68C02BF1907FC11CFB21C3047A003D139C58F143C0DA0C0E083484061CDA2CC2884308
    Function 0033BC00 Relevance: 15.4, Strings: 12, Instructions: 357COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 193 33bc00-33bc09 194 33c2f0-33c309 call 38dce0 193->194 195 33bc0f-33bc63 call 33d7a0 193->195 194->193 200 33bc77 195->200 201 33bc65-33bc72 195->201 203 33bc7c-33bca5 200->203 202 33bfc9-33bfd3 201->202 204 33c0c3-33c0d3 202->204 205 33bfd9-33bffa 202->205 206 33bcd1-33bceb 203->206 207 33c0d5-33c0d8 204->207 208 33c00a-33c027 205->208 209 33bffc-33c008 205->209 210 33bcf1-33bd04 206->210 211 33bf16-33bf2b 206->211 212 33c191-33c19b 207->212 213 33c0de-33c0f0 call 33c320 207->213 215 33c029-33c02b 208->215 216 33c02d-33c05b call 346de0 208->216 214 33c065-33c06b 209->214 217 33bf87-33bf8f call 3903e0 210->217 218 33bd0a-33bd25 210->218 224 33c1b6-33c1cf 212->224 225 33c19d-33c1b4 212->225 241 33c0f6-33c18e call 347f00 * 2 213->241 242 33c234-33c247 213->242 226 33c0af-33c0c1 214->226 227 33c06d-33c070 214->227 215->214 216->214 228 33bf94-33bfc6 217->228 222 33bd2b-33bd84 call 3630c0 218->222 223 33bdbc-33bdd0 218->223 251 33bf76-33bf82 call 365d40 222->251 252 33bd8a-33bdb2 222->252 236 33bdd6-33be03 call 33d7a0 223->236 237 33bf65-33bf71 call 365d40 223->237 234 33c1e2-33c20e 224->234 235 33c1d1-33c1e0 224->235 232 33c212-33c215 225->232 226->207 227->228 233 33c076-33c0aa call 346ca0 227->233 228->202 239 33c217-33c227 232->239 240 33c259-33c2ef call 367600 call 367f00 call 367d60 call 367f00 call 367d60 call 367f00 * 2 call 367860 call 367680 call 365d40 232->240 233->228 234->232 235->232 254 33be05-33be23 call 33d3c0 236->254 255 33be29-33be47 236->255 237->251 247 33c229-33c22f 239->247 248 33c248-33c254 call 365d40 239->248 240->194 241->212 247->203 248->240 251->217 252->223 254->255 274 33bf50-33bf60 call 365d40 254->274 261 33bee6-33befb 255->261 262 33be4d-33be59 255->262 265 33bf37-33bf3a call 390440 261->265 266 33befd-33bf0e 261->266 268 33be62-33be83 call 33d3c0 262->268 269 33be5b 262->269 279 33bf3f-33bf4b call 365d40 265->279 272 33bca7-33bcce 266->272 273 33bf14-33bf32 call 3903c0 266->273 268->279 285 33be89-33bece 268->285 269->268 272->206 273->265 274->237 279->274 287 33bee1 285->287 288 33bed0-33bed9 call 390d40 285->288 287->261 288->287
    Strings
    • !, xrefs: 0033C1D1
    • out of memory allocating heap arena metadatareflect: funcLayout with interface receiver runtime: lfstack.push invalid packing: node=unsafe.Slice: ptr is nil and len is not zerouse of WriteTo with pre-connected connectioncannot send after transport endpoint shu, xrefs: 0033BF50
    • base outside usable address spaceconcurrent map read and map writefindrunnable: negative nmspinningfreeing stack not in a stack spanheapBitsSetType: unexpected shiftinvalid value %q for flag -%s: %vmin must be a non-zero power of 2misrounded allocation in sysA, xrefs: 0033C1D7
    • , ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHS, xrefs: 0033C28F
    • region exceeds uintptr rangeruntime.semasleep unexpectedruntime: bad lfnode address runtime: casgstatus: oldval=runtime: no module data for save on system g not allowed45474735088646411895751953125CM_Get_Device_Interface_ListWCentral America Standard TimeCentr, xrefs: 0033C1AD
    • out of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetraceback: unexpected SPWRITE function transport endpoint is alre, xrefs: 0033BF76
    • memory reservation exceeds address space limitpanicwrap: unexpected string after type name: reflect.Value.Slice: slice index out of boundsreleased less than one physical page of memoryruntime: failed to create new OS thread (have runtime: name offset base poin, xrefs: 0033C2DE
    • ) not in usable address space: ...additional frames elided....lib section in a.out corrupted11368683772161602973937988281255684341886080801486968994140625Central Brazilian Standard TimeCertDuplicateCertificateContextMountain Standard Time (Mexico)SetupDiGetDe, xrefs: 0033C2AF
    • out of memory allocating allArenasreflect: Field index out of boundsreflect: Field of non-struct type reflect: string index out of rangeruntime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of ra, xrefs: 0033BF3F
    • end outside usable address spaceinvalid limiter event type foundnumerical argument out of domainpanic while printing panic valuereflect.nameFrom: tag too long: removespecial on invalid pointerresource temporarily unavailableruntime.semasleep wait_abandonedrunt, xrefs: 0033C207
    • arena already initializedbad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing tr, xrefs: 0033BF65
    • runtime: memory allocated by OS [runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-nega, xrefs: 0033C272
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: !$) not in usable address space: ...additional frames elided....lib section in a.out corrupted11368683772161602973937988281255684341886080801486968994140625Central Brazilian Standard TimeCertDuplicateCertificateContextMountain Standard Time (Mexico)SetupDiGetDe$, ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHS$arena already initializedbad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing tr$base outside usable address spaceconcurrent map read and map writefindrunnable: negative nmspinningfreeing stack not in a stack spanheapBitsSetType: unexpected shiftinvalid value %q for flag -%s: %vmin must be a non-zero power of 2misrounded allocation in sysA$end outside usable address spaceinvalid limiter event type foundnumerical argument out of domainpanic while printing panic valuereflect.nameFrom: tag too long: removespecial on invalid pointerresource temporarily unavailableruntime.semasleep wait_abandonedrunt$memory reservation exceeds address space limitpanicwrap: unexpected string after type name: reflect.Value.Slice: slice index out of boundsreleased less than one physical page of memoryruntime: failed to create new OS thread (have runtime: name offset base poin$out of memory allocating allArenasreflect: Field index out of boundsreflect: Field of non-struct type reflect: string index out of rangeruntime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of ra$out of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetraceback: unexpected SPWRITE function transport endpoint is alre$out of memory allocating heap arena metadatareflect: funcLayout with interface receiver runtime: lfstack.push invalid packing: node=unsafe.Slice: ptr is nil and len is not zerouse of WriteTo with pre-connected connectioncannot send after transport endpoint shu$region exceeds uintptr rangeruntime.semasleep unexpectedruntime: bad lfnode address runtime: casgstatus: oldval=runtime: no module data for save on system g not allowed45474735088646411895751953125CM_Get_Device_Interface_ListWCentral America Standard TimeCentr$runtime: memory allocated by OS [runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-nega
    • API String ID: 0-157883763
    • Opcode ID: 612c79f7705668e6428a232539129b73610e939b12352b651af39978953b1536
    • Instruction ID: c1a8b66910a4bbf607f4f093182a18a46d1a32bd0a6d99d32af03b995931179c
    • Opcode Fuzzy Hash: 612c79f7705668e6428a232539129b73610e939b12352b651af39978953b1536
    • Instruction Fuzzy Hash: 89F18A72218BC0C2DB219F55E48039AB3A4F789B94F849626EFAD5BB99CF7CD454C700
    Function 003476E0 Relevance: 14.1, Strings: 11, Instructions: 333COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 304 3476e0-3476e9 305 347d07-347d39 call 38dce0 304->305 306 3476ef-34772d 304->306 305->304 307 347733-347743 306->307 308 3479c9-3479d8 306->308 310 347cf5-347d06 call 365d40 307->310 311 347749-347753 307->311 310->305 313 347cc5-347cf0 call 387ee0 call 37ba60 call 365d40 311->313 314 347759-347760 311->314 313->310 316 347766-34777b call 342b00 314->316 317 347cb3-347cc0 call 365d40 314->317 326 3477ad-3477bb 316->326 327 34777d-34778f 316->327 317->313 331 3477e7 326->331 332 3477bd-3477c9 326->332 329 347791-347798 327->329 330 34779d-3477ac 327->330 334 347c2f-347c32 329->334 333 3477ec-3477f7 331->333 335 347c10-347c20 call 365d40 332->335 336 3477cf-3477d4 332->336 339 3477fd-347808 333->339 340 34796b-3479c8 call 38dba0 333->340 337 347c34-347c47 334->337 338 347ca2-347cae call 365d40 334->338 349 347c25-347c2c 335->349 336->335 342 3477da-3477e0 336->342 344 347c52-347c59 337->344 345 347c49-347c50 337->345 338->317 346 347bdc-347c0b call 387ee0 call 37ba60 call 365d40 339->346 347 34780e-347825 339->347 342->333 350 3477e2 342->350 353 347c69-347c70 344->353 354 347c5b-347c67 344->354 345->344 352 347c92-347ca1 345->352 346->335 355 347b74-347bd7 call 387ee0 * 2 call 37bc40 call 365d40 347->355 356 34782b-347830 347->356 349->334 350->335 358 347c80-347c87 353->358 359 347c72-347c79 353->359 354->352 354->353 355->346 360 347836-347844 356->360 361 347b1c-347b6f call 387ee0 * 2 call 37bb40 call 365d40 356->361 358->349 369 347c89-347c90 358->369 359->352 365 347c7b 359->365 366 347846-34784b 360->366 367 34784d 360->367 361->355 365->358 372 347852-347863 366->372 367->372 369->349 369->352 376 347913-34791a 372->376 377 347869-347876 372->377 384 347923 376->384 385 34791c-347921 376->385 381 3478c2-3478cd call 387f80 377->381 382 347878-347884 377->382 399 3478d6-3478e8 call 387f80 381->399 400 3478cf-3478d4 381->400 388 347aba-347b09 call 387ee0 * 2 call 37bb40 call 365d40 382->388 389 34788a-34788f 382->389 391 347928-347943 384->391 385->391 416 347b0e-347b13 388->416 389->376 394 347895-3478ab call 33aba0 389->394 397 347ab3-347ab5 call 390480 391->397 398 347949-347966 391->398 417 347b15-347b1a 394->417 418 3478b1-3478c0 394->418 397->388 405 3479f6-3479f9 398->405 406 3478eb-3478ed 399->406 400->406 408 3479d9-3479f3 405->408 409 3479fb-347ab2 call 3471e0 call 38dba0 405->409 415 3478f3-347905 406->415 406->416 408->405 415->388 421 34790b-347910 415->421 416->388 417->388 418->376 421->376
    Strings
    • , not pointer-byte block (3814697265625: unknown pc ::ffff:0:0/96CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetClassNameWGetDriveTypeWGunjala_GondiMapViewOfFileMasaram_GondiMende_Kikakui, xrefs: 00347CD5
    • nil elem type!no module datano such devicepollCache.lockprotocol errorruntime: full=runtime: want=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunreacha, xrefs: 00347CB3
    • because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnprotectDataCuba Sta, xrefs: 00347B90
    • to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assist waitGC worker initGetConso, xrefs: 00347AE8, 00347B4E, 00347BB6
    • runtime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in reset[DEBUG]Copying shellcode to memory with RtlCopyMemor, xrefs: 00347CA2
    • runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677, xrefs: 00347AFD, 00347B63, 00347BCB
    • runtime.SetFinalizer: pointer not at beginning of allocated blockbytes.Buffer: UnreadByte: previous operation was not a successful readcannot convert slice with length %y to pointer to array with length %xtoo many concurrent operations on a single file or sock, xrefs: 00347C10
    • runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt baseunexpected call to os.Exit(0) during test17347234759768, xrefs: 00347BFF
    • , not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s, xrefs: 00347BF0
    • runtime.SetFinalizer: first argument is nilruntime: casfrom_Gscanstatus bad oldval gp=runtime: heapBitsSetTypeGCProg: total bits runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=unfinished open-coded defers in deferreturnun, xrefs: 00347CF5
    • runtime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prec34694469519536141888, xrefs: 00347CE4
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnprotectDataCuba Sta$ to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assist waitGC worker initGetConso$, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s$, not pointer-byte block (3814697265625: unknown pc ::ffff:0:0/96CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetClassNameWGetDriveTypeWGunjala_GondiMapViewOfFileMasaram_GondiMende_Kikakui$nil elem type!no module datano such devicepollCache.lockprotocol errorruntime: full=runtime: want=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunreacha$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677$runtime.SetFinalizer: first argument is nilruntime: casfrom_Gscanstatus bad oldval gp=runtime: heapBitsSetTypeGCProg: total bits runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=unfinished open-coded defers in deferreturnun$runtime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prec34694469519536141888$runtime.SetFinalizer: pointer not at beginning of allocated blockbytes.Buffer: UnreadByte: previous operation was not a successful readcannot convert slice with length %y to pointer to array with length %xtoo many concurrent operations on a single file or sock$runtime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in reset[DEBUG]Copying shellcode to memory with RtlCopyMemor$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt baseunexpected call to os.Exit(0) during test17347234759768
    • API String ID: 0-1661741443
    • Opcode ID: 8b7202737aba9c70a78f5e4624f1909401679c1ca4d077599731c65b177fd119
    • Instruction ID: 208ac1282767e8cdf8921c9f84f2307b75b855f93c1d170964eb7b72387cf18d
    • Opcode Fuzzy Hash: 8b7202737aba9c70a78f5e4624f1909401679c1ca4d077599731c65b177fd119
    • Instruction Fuzzy Hash: 6CE19F32609BC086DB629B11F4403AEB7A5F785B80F598536DB8D1BB59DF3CE484CB10
    Function 00336BA0 Relevance: 14.0, Strings: 11, Instructions: 201COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 426 336ba0-336ba4 427 336baa-336bd5 call 37e460 426->427 428 336eef-336ef4 call 38dc40 426->428 433 336bd7-336beb 427->433 434 336c0f-336c24 call 37ebe0 427->434 428->426 435 336bf9-336c00 call 38ff20 433->435 436 336bed-336bf7 433->436 441 336ce5-336ce9 434->441 442 336c2a-336c2e 434->442 438 336c05-336c0e 435->438 436->438 443 336d77-336d95 call 3326e0 441->443 444 336cef-336cf3 441->444 445 336c30-336c43 442->445 446 336c85-336c89 442->446 465 336d97-336dac 443->465 466 336dd8-336ded 443->466 448 336e29-336e2d 444->448 449 336cf9-336d09 444->449 451 336c63 445->451 452 336c45-336c4b 445->452 446->448 450 336c8f-336ca3 446->450 457 336e78-336e94 call 37e240 448->457 458 336e2f-336e3c 448->458 454 336d0b-336d12 449->454 455 336d2e 449->455 459 336cb5 450->459 460 336ca5-336cac 450->460 451->448 456 336c69-336c6f 451->456 461 336c60 452->461 462 336c4d-336c51 452->462 467 336d14-336d20 454->467 468 336d2b 454->468 470 336d30-336d37 455->470 471 336d4e 455->471 456->448 469 336c75-336c79 456->469 497 336e96-336e99 457->497 498 336e9c-336eb5 call 37f220 457->498 458->457 472 336e3e-336e52 458->472 474 336cb7-336cc0 459->474 475 336cc9 459->475 463 336e17-336e20 460->463 473 336cb2 460->473 461->451 462->463 464 336c57-336c5a 462->464 464->451 484 336dc5 465->484 485 336dae-336db5 465->485 488 336e06 466->488 489 336def-336df6 466->489 467->463 477 336d26-336d29 467->477 468->455 469->463 486 336c7f-336c80 469->486 478 336d4b 470->478 479 336d39-336d40 470->479 471->448 482 336d54-336d60 471->482 480 336e62-336e69 call 38ff20 472->480 481 336e54-336e60 472->481 473->459 474->463 487 336cc6 474->487 475->448 490 336ccf-336cd6 475->490 477->455 478->471 479->463 493 336d46-336d49 479->493 494 336e6e-336e77 480->494 481->494 482->448 496 336d66-336d6c 482->496 491 336e21-336e24 484->491 501 336dc7-336dce 484->501 499 336dc2 485->499 500 336db7-336dbb 485->500 486->448 487->475 488->491 492 336e08-336e0f 488->492 502 336e03 489->502 503 336df8-336dfc 489->503 490->463 504 336cdc-336ce0 490->504 491->448 492->491 505 336e11-336e15 492->505 493->471 496->463 506 336d72 496->506 497->498 513 336eb7-336ecb 498->513 514 336ee5-336eee 498->514 499->484 500->463 508 336dbd-336dc0 500->508 501->491 509 336dd0-336dd4 501->509 502->488 503->463 510 336dfe-336e01 503->510 504->448 505->463 505->491 506->448 508->484 509->463 512 336dd6 509->512 510->488 512->491 515 336ed9-336ee0 call 38ff20 513->515 516 336ecd-336ed7 513->516 515->514 516->514
    Strings
    • debugCal, xrefs: 00336DE0
    • call from within the Go runtimecannot assign requested addresscasgstatus: bad incoming valuescheckmark found unmarked objectencoding/hex: invalid byte: %#Uentersyscallblock inconsistent fmt: unknown base; can't happeninternal error - misuse of itabinvalid netw, xrefs: 00336E54, 00336E62
    • l819, xrefs: 00336E08
    • debugCal, xrefs: 00336C33
    • debugCal, xrefs: 00336CFC
    • debugCall2048double unlockexchange fullfatal error: gethostbynamegetservbynamelame referrallevel 3 resetload64 failedmin too largenil stackbaseout of memoryprofMemActiveprofMemFutureruntime: seq=runtime: val=srmount errortimer expiredtraceStackTabvalue method , xrefs: 00336D81
    • call from unknown functioncannot marshal DNS messagecorrupted semaphore ticketentersyscall inconsistent forEachP: P did not run fnfreedefer with d.fn != nilinitSpan: unaligned lengthinvalid request descriptorname not unique on networknegative idle mark workers, xrefs: 00336BED, 00336BF9
    • call not at safe pointcannot allocate memorycompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnetwork is unreach, xrefs: 00336ECD, 00336ED9
    • debugCal, xrefs: 00336D9F
    • runtime., xrefs: 00336E2F
    • debugCal, xrefs: 00336C92
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: call from unknown functioncannot marshal DNS messagecorrupted semaphore ticketentersyscall inconsistent forEachP: P did not run fnfreedefer with d.fn != nilinitSpan: unaligned lengthinvalid request descriptorname not unique on networknegative idle mark workers$call from within the Go runtimecannot assign requested addresscasgstatus: bad incoming valuescheckmark found unmarked objectencoding/hex: invalid byte: %#Uentersyscallblock inconsistent fmt: unknown base; can't happeninternal error - misuse of itabinvalid netw$call not at safe pointcannot allocate memorycompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnetwork is unreach$debugCal$debugCal$debugCal$debugCal$debugCal$debugCall2048double unlockexchange fullfatal error: gethostbynamegetservbynamelame referrallevel 3 resetload64 failedmin too largenil stackbaseout of memoryprofMemActiveprofMemFutureruntime: seq=runtime: val=srmount errortimer expiredtraceStackTabvalue method $l819$runtime.
    • API String ID: 0-3007852601
    • Opcode ID: d08770744cfc3b726aacc2541ba5aa0cc9106fa73cd648fe4e8b7c3e742fe674
    • Instruction ID: a8253bb4f2d4420cee98775eea4f9f71c8f1c54a81897fb56d34bf5ae6709e72
    • Opcode Fuzzy Hash: d08770744cfc3b726aacc2541ba5aa0cc9106fa73cd648fe4e8b7c3e742fe674
    • Instruction Fuzzy Hash: 6D81C27A605B80EDDE36DB05D2C2328BB61E394BD4F5AD416D74A03B24DB78C898C702
    Function 003655A0 Relevance: 12.9, Strings: 10, Instructions: 401COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 518 3655a0-3655a9 519 365cb1-365ccf call 38dce0 518->519 520 3655af-3655e7 518->520 519->518 521 3655ed-3655f4 520->521 522 365c5b-365cb0 call 367600 call 367f00 call 367680 call 3386a0 call 367600 call 367860 call 367680 call 365d40 520->522 524 365c05-365c56 call 367600 call 367f00 call 367680 call 3386a0 call 367600 call 367860 call 367680 call 365d40 521->524 525 3655fa-365607 521->525 522->519 524->522 529 365b46-365c00 call 367600 call 367f00 call 367680 call 3386a0 call 367600 call 367860 call 367680 call 367600 call 367f00 call 367680 call 367600 call 367f00 call 367680 call 367600 call 367860 call 367680 call 365d40 525->529 530 36560d-365614 525->530 529->524 534 365af6-365b41 call 367600 call 367f00 call 367680 call 3386a0 call 367600 call 367860 call 367680 call 365d40 530->534 535 36561a-365667 530->535 534->529 540 365674-365685 call 390080 535->540 541 365669-365672 535->541 546 36568a-3656ad call 364e00 540->546 541->546 559 3656b2-3656c3 546->559 564 365943-365972 call 364b80 call 3661e0 559->564 565 3656c9-3656d0 559->565 566 3656d6-3656dd 565->566 567 365765-365773 565->567 573 3656e3-3656ea 566->573 574 3656df 566->574 575 365775-365780 567->575 576 365782-365792 call 390080 567->576 583 3656f6-365707 call 390080 573->583 584 3656ec-3656f4 573->584 574->573 585 365795-3657a8 575->585 576->585 593 36570a-36570e 583->593 584->593 597 3657ea-365807 call 365ce0 585->597 598 3657aa-3657b4 call 3651c0 585->598 593->567 605 365710-365717 593->605 627 36580c-365824 597->627 622 3657b6-3657c3 598->622 623 3657e3-3657e8 598->623 612 365723-365734 call 390080 605->612 613 365719-365721 605->613 620 365737-365742 612->620 613->620 632 365744-365748 620->632 633 36574a-36574d call 390040 620->633 622->627 634 3657c5-3657e1 call 364e00 622->634 623->627 638 365ae5-365af1 call 365d40 627->638 639 36582a-365831 627->639 640 365752-365760 call 364600 632->640 633->640 634->627 638->534 647 365833-36583b 639->647 648 36583d-36584c call 390080 639->648 640->559 651 36584f-365863 647->651 648->651 655 365865-36586c 651->655 656 3658d0-3658d8 651->656 659 36586e-365876 655->659 660 365878-36588a call 3900c0 655->660 656->559 658 3658de-3658ed 656->658 664 3658ef-3658f8 658->664 665 3658fa-365900 call 390060 658->665 661 36588d-36589c 659->661 660->661 667 3658a7-3658af call 390060 661->667 668 36589e-3658a5 661->668 670 365905-365908 664->670 665->670 674 3658b4-3658cb call 364600 667->674 668->674 672 36591a-365931 670->672 673 36590a-36590e 670->673 678 365937-365941 672->678 679 365933-365935 672->679 673->672 677 365910-365914 673->677 674->656 677->672 682 365ab1-365ae0 call 38db20 call 365d40 677->682 683 365980-365983 678->683 679->683 682->638 686 365a2d-365a3c 683->686 687 365989-36598c 683->687 690 365a44 call 390060 686->690 691 365a3e-365a42 686->691 687->686 692 365992-365996 687->692 696 365a49-365a50 690->696 691->696 697 36599e-3659a6 692->697 698 365998-36599c 692->698 703 365aa5-365aaf 696->703 704 365a52-365a56 696->704 701 3659cf-3659da 697->701 702 3659a8-3659b3 697->702 705 365973-365979 698->705 712 3659ec-3659f4 call 3900a0 701->712 713 3659dc-3659ea 701->713 708 3659b5-3659b9 702->708 709 3659bb-3659cd call 3900a0 702->709 714 365a77-365aa0 call 38db20 call 365d40 703->714 710 365a72-365a75 704->710 711 365a58-365a63 704->711 705->683 716 3659f9-365a28 call 364600 708->716 709->716 710->703 710->714 718 365a65-365a69 711->718 719 365a6b-365a70 call 390060 711->719 712->716 713->716 714->703 716->705 718->696 719->696
    Strings
    • bypassed recovery failedcan't scan our own stackconnection reset by peerdouble traceGCSweepStartfunction not implementedgcDrainN phase incorrecthash of unhashable type initSpan: unaligned baselevel 2 not synchronizedlink number out of rangenot supported by win, xrefs: 00365AD3
    • @_6, xrefs: 00365A85, 00365AC7
    • bad defer entry in panicbypassed recovery failedcan't scan our own stackconnection reset by peerdouble traceGCSweepStartfunction not implementedgcDrainN phase incorrecthash of unhashable type initSpan: unaligned baselevel 2 not synchronizedlink number out of r, xrefs: 00365AE5
    • panic on system stackpreempt at unknown pcread-only file systemreflect.Value.Complexreflect.Value.Pointerreleasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= stale NFS file handlestartloc, xrefs: 00365C9F
    • panic during preemptoffprocresize: invalid argreflect.Value.Interfacereflect.Value.NumMethodreflect.methodValueCallruntime: internal errorruntime: invalid type runtime: netpoll failedruntime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment, xrefs: 00365BF4
    • panic: runningsyscalluintptrunknownverbosewaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status 48828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDuployanEqualSidEth, xrefs: 00365AFB, 00365B4B, 00365C0A, 00365C65
    • preempt off reason: reflect.makeFuncStubruntime: double waitsemaRoot rotateRighttime: invalid numbertrace: out of memoryunexpected IP lengthwirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found of unexported method pcHeader.textStart, xrefs: 00365B8F
    • recovery failedruntime error: runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding ptraceback stuck already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcd, xrefs: 00365A91
    • panic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Bytesreflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: pree, xrefs: 00365C4A
    • panic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Bytesreflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this dir, xrefs: 00365B35
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: @_6$bad defer entry in panicbypassed recovery failedcan't scan our own stackconnection reset by peerdouble traceGCSweepStartfunction not implementedgcDrainN phase incorrecthash of unhashable type initSpan: unaligned baselevel 2 not synchronizedlink number out of r$bypassed recovery failedcan't scan our own stackconnection reset by peerdouble traceGCSweepStartfunction not implementedgcDrainN phase incorrecthash of unhashable type initSpan: unaligned baselevel 2 not synchronizedlink number out of rangenot supported by win$panic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Bytesreflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: pree$panic during preemptoffprocresize: invalid argreflect.Value.Interfacereflect.Value.NumMethodreflect.methodValueCallruntime: internal errorruntime: invalid type runtime: netpoll failedruntime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment$panic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Bytesreflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this dir$panic on system stackpreempt at unknown pcread-only file systemreflect.Value.Complexreflect.Value.Pointerreleasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= stale NFS file handlestartloc$panic: runningsyscalluintptrunknownverbosewaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status 48828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDuployanEqualSidEth$preempt off reason: reflect.makeFuncStubruntime: double waitsemaRoot rotateRighttime: invalid numbertrace: out of memoryunexpected IP lengthwirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found of unexported method pcHeader.textStart$recovery failedruntime error: runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding ptraceback stuck already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcd
    • API String ID: 0-3674995270
    • Opcode ID: 83bb2af89dce7f1564281dcbcf17a5cda3cd86212e8075a9558a7ec2e69fc872
    • Instruction ID: 4882c8deb6cb5106c439b4abdc4247360526c641e4aaabffa73f5a82b3e98b63
    • Opcode Fuzzy Hash: 83bb2af89dce7f1564281dcbcf17a5cda3cd86212e8075a9558a7ec2e69fc872
    • Instruction Fuzzy Hash: 06027E72609F80C6DB229F25E54139EB7A5F748B94F598122DB8C0BB6DCF38C495CB50
    Function 0033B900 Relevance: 12.6, Strings: 10, Instructions: 150COMMON
    Download Yara Rule

    Control-flow Graph

    Strings
    • ) is smaller than minimum page size (2220446049250313080847263336181640625The operation completed successfully.UnsubscribeServiceChangeNotifications[!]VirtualAlloc failed and returned 0_cgo_notify_runtime_init_done missingall goroutines are asleep - deadlock!c, xrefs: 0033BB11
    • failed to get system page sizefreedefer with d._panic != nilinappropriate ioctl for deviceinvalid network interface nameinvalid pointer found on stacknotetsleep - waitm out of syncprotocol wrong type for socketreflect: Elem of invalid type reflect: Len of non-, xrefs: 0033BBCC
    • bad system huge page sizechansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno answer from DNS serverno buffer , xrefs: 0033BA90
    • system huge page size (too many pointers (>10)work.nwait > work.nproc116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorWCape Verde Standard Tim, xrefs: 0033BA5D
    • bad TinySizeClassdebugPtrmask.lockentersyscallblockexec format errorg already scannedglobalAlloc.mutexlocked m0 woke upmark - bad statusmarkBits overflownil resource bodyno data availablenotetsleepg on g0permission deniedreflect.Value.Intreflect.Value.Lenrefle, xrefs: 0033BBDD
    • ) is larger than maximum page size () is not Grunnable or Gscanrunnable0123456789abcdefghijklmnopqrstuvwxyz444089209850062616169452667236328125Go pointer stored into non-Go memoryUnable to determine system directoryaccessing a corrupted shared librarycompress, xrefs: 0033BB85
    • system page size (tracebackancestorsuse of closed filevalue out of range [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard Ti, xrefs: 0033BAAA, 0033BAF3, 0033BB65
    • ) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertificateChainDeleteVolumeMountPointWDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeFreeEnvironmentStringsWGetActi, xrefs: 0033BA7A, 0033BAC7
    • bad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection timed outdodeltimer0: wrong Pflag: help requestedfloating point errorforcegc: phase errorgo of nil func valuegopark: bad g statusinconsistent lockedm, xrefs: 0033BADD, 0033BB4A, 0033BBBB
    • ), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDT, xrefs: 0033BB2F, 0033BBA5
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: ), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDT$) is larger than maximum page size () is not Grunnable or Gscanrunnable0123456789abcdefghijklmnopqrstuvwxyz444089209850062616169452667236328125Go pointer stored into non-Go memoryUnable to determine system directoryaccessing a corrupted shared librarycompress$) is smaller than minimum page size (2220446049250313080847263336181640625The operation completed successfully.UnsubscribeServiceChangeNotifications[!]VirtualAlloc failed and returned 0_cgo_notify_runtime_init_done missingall goroutines are asleep - deadlock!c$) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertificateChainDeleteVolumeMountPointWDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeFreeEnvironmentStringsWGetActi$bad TinySizeClassdebugPtrmask.lockentersyscallblockexec format errorg already scannedglobalAlloc.mutexlocked m0 woke upmark - bad statusmarkBits overflownil resource bodyno data availablenotetsleepg on g0permission deniedreflect.Value.Intreflect.Value.Lenrefle$bad system huge page sizechansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno answer from DNS serverno buffer $bad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection timed outdodeltimer0: wrong Pflag: help requestedfloating point errorforcegc: phase errorgo of nil func valuegopark: bad g statusinconsistent lockedm$failed to get system page sizefreedefer with d._panic != nilinappropriate ioctl for deviceinvalid network interface nameinvalid pointer found on stacknotetsleep - waitm out of syncprotocol wrong type for socketreflect: Elem of invalid type reflect: Len of non-$system huge page size (too many pointers (>10)work.nwait > work.nproc116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorWCape Verde Standard Tim$system page size (tracebackancestorsuse of closed filevalue out of range [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard Ti
    • API String ID: 0-2547825618
    • Opcode ID: 3d5febd0258cd420c18a14df1a269b24b8aa07094390879667a89389734d1175
    • Instruction ID: c29970ef064468d8fc305562d96b6f6beedc2eea70e6c7c669611ffce72b9420
    • Opcode Fuzzy Hash: 3d5febd0258cd420c18a14df1a269b24b8aa07094390879667a89389734d1175
    • Instruction Fuzzy Hash: FB612DB1329E0495EB02EF50E8853A9A328FB08785FC18935DB4C4F36ADF78C558C765
    Function 003428C5 Relevance: 12.6, Strings: 10, Instructions: 100COMMON
    Download Yara Rule

    Control-flow Graph

    Strings
    • +-./05:<=?CFLMPSUZ[\, xrefs: 00342A30
    • to unallocated span37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWEgyptian_HieroglyphsEnumProcessModulesExGetAcceptExSockaddrs, xrefs: 0034293F
    • found bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotreflect: reflect.Value.Pointer on an invalid notinheap pointerruntime: internal error: misuse of lockOSThread/unlockOSThreadmalformed GO, xrefs: 003429FF
    • to unused region of span with too many arguments 2910383045673370361328125AUS Central Standard TimeAUS Eastern Standard TimeAfghanistan Standard TimeExpandEnvironmentStringsWFindNextVolumeMountPointWFindVolumeMountPointCloseGODEBUG: can not enable "GetFinalPa, xrefs: 00342A8F
    • span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc ::ffff:0:0/96CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetClassNameW, xrefs: 00342971
    • span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCIDR addressCfgMgr32.dllCoCreateGuidCreateEventWCreateMutexWGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHa, xrefs: 0034298F
    • runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong medium type but memory size because dotdotdot in, xrefs: 003428F6
    • runtime: found in object at *(runtime: impossible type kind socket operation on non-socketsync: inconsistent mutex statesync: unlock of unlocked mutexunsafe.Slice: len out of range) not in usable address space: ...additional frames elided....lib section in a., xrefs: 00342A15
    • ), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDT, xrefs: 00342A4F
    • objectpopcntrdtscpselectsendtosocketstringstructsweep sysmontelnettimersuint16uint32uint64 (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625: type ::1/128AvestanBengaliBrailleCh, xrefs: 00342A6A
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc ::ffff:0:0/96CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetClassNameW$ span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCIDR addressCfgMgr32.dllCoCreateGuidCreateEventWCreateMutexWGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHa$ to unallocated span37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWEgyptian_HieroglyphsEnumProcessModulesExGetAcceptExSockaddrs$ to unused region of span with too many arguments 2910383045673370361328125AUS Central Standard TimeAUS Eastern Standard TimeAfghanistan Standard TimeExpandEnvironmentStringsWFindNextVolumeMountPointWFindVolumeMountPointCloseGODEBUG: can not enable "GetFinalPa$), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDT$+-./05:<=?CFLMPSUZ[\$found bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotreflect: reflect.Value.Pointer on an invalid notinheap pointerruntime: internal error: misuse of lockOSThread/unlockOSThreadmalformed GO$objectpopcntrdtscpselectsendtosocketstringstructsweep sysmontelnettimersuint16uint32uint64 (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625: type ::1/128AvestanBengaliBrailleCh$runtime: found in object at *(runtime: impossible type kind socket operation on non-socketsync: inconsistent mutex statesync: unlock of unlocked mutexunsafe.Slice: len out of range) not in usable address space: ...additional frames elided....lib section in a.$runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong medium type but memory size because dotdotdot in
    • API String ID: 0-1699467117
    • Opcode ID: 544d0b278e8def89af44cbd8f020fd61364a6caa0e90aa8121ab09584d0578f3
    • Instruction ID: e2cb4213ca7ee4f2a1362e1d3dd5ceafa32abed404f9cd3b885b0e05604b0260
    • Opcode Fuzzy Hash: 544d0b278e8def89af44cbd8f020fd61364a6caa0e90aa8121ab09584d0578f3
    • Instruction Fuzzy Hash: 16411932229B448AD712BF64E48179EB7A4FB89748FC58421FB4D4B76ACF78C414C761
    Function 00339360 Relevance: 11.4, Strings: 9, Instructions: 170COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 890 339360-33936c 891 339372-3393d7 call 37e460 call 37ebe0 call 332ea0 890->891 892 3396eb-3396f0 call 38dce0 890->892 901 3396bd-3396ea call 37b9c0 call 365d40 891->901 902 3393dd-3393e9 891->902 892->890 901->892 903 3396b5-3396b8 call 390400 902->903 904 3393ef-3393f6 902->904 903->901 906 33941b-339420 904->906 907 3393f8-339416 call 37b9c0 call 365d40 904->907 911 339426-339429 906->911 912 3396ad-3396b0 call 390400 906->912 907->906 915 3396a5-3396a8 call 390480 911->915 916 33942f-33944f 911->916 912->903 915->912 916->907 921 339451-33945b 916->921 921->907 922 33945d-3394c3 call 332ea0 921->922 925 33967a-3396a0 call 37b9c0 call 365d40 922->925 926 3394c9-3394d5 922->926 925->915 928 3394d7-3394f5 call 37b9c0 call 365d40 926->928 929 3394fa-339500 926->929 928->929 931 339672-339675 call 390400 929->931 932 339506-339509 929->932 931->925 937 339667-33966d call 390480 932->937 938 33950f-339526 932->938 937->931 938->928 940 339528-339662 call 390659 call 37b720 call 33a8e0 call 3655a0 938->940 940->937
    Strings
    • ./05:<=?CFLMPSUZ[\, xrefs: 0033958B
    • pointer stack=[ status 48828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDuployanEqualSidEthiopicExtenderGeorgianGoStringGujaratiGurmukhiHiraganaIsWindowJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaQuestionRead, xrefs: 00339621
    • panicwrap: no ) in reflect.Value.Bytesreflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat ov, xrefs: 0033967F
    • panicwrap: unexpected string after type name: reflect.Value.Slice: slice index out of boundsreleased less than one physical page of memoryruntime: failed to create new OS thread (have runtime: name offset base pointer out of rangeruntime: panic before malloc h, xrefs: 003394D9
    • panicwrap: no ( in panicwrap: no ) in reflect.Value.Bytesreflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding, xrefs: 003396C2
    • panicwrap: unexpected string after package name: reflect.Value.Slice: slice of unaddressable arrayruntime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ysweeper left ou, xrefs: 003393FA
    • called using nil *, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseContextEgypt Standard TimeEnable debug outputGC work not f, xrefs: 003395F6
    • value method xadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventE, xrefs: 00339553
    • ), xrefs: 00339494
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: called using nil *, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseContextEgypt Standard TimeEnable debug outputGC work not f$ pointer stack=[ status 48828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDuployanEqualSidEthiopicExtenderGeorgianGoStringGujaratiGurmukhiHiraganaIsWindowJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaQuestionRead$)$./05:<=?CFLMPSUZ[\$panicwrap: no ( in panicwrap: no ) in reflect.Value.Bytesreflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding$panicwrap: no ) in reflect.Value.Bytesreflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat ov$panicwrap: unexpected string after package name: reflect.Value.Slice: slice of unaddressable arrayruntime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ysweeper left ou$panicwrap: unexpected string after type name: reflect.Value.Slice: slice index out of boundsreleased less than one physical page of memoryruntime: failed to create new OS thread (have runtime: name offset base pointer out of rangeruntime: panic before malloc h$value method xadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventE
    • API String ID: 0-471936205
    • Opcode ID: 7d715b637f3c27795418988453c1f11951afda6556e49e950630c6ca63f6d450
    • Instruction ID: 9ac028926de1b74f05d0fb9861fcb1e44c8cfc83df4d98558dcdfd99db25cd3e
    • Opcode Fuzzy Hash: 7d715b637f3c27795418988453c1f11951afda6556e49e950630c6ca63f6d450
    • Instruction Fuzzy Hash: 04815772209BC085CBA59B21F88139EB7A5F789780F448226EBDD5BB59DF7CC144CB00
    Function 00337BC0 Relevance: 11.4, Strings: 9, Instructions: 167COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 949 337bc0-337bc9 950 337f55-337f64 call 38dce0 949->950 951 337bcf-337bf4 949->951 950->949 953 337bf6-337c02 951->953 954 337c04-337c0f call 387ee0 951->954 956 337c17-337c43 call 387ee0 953->956 954->956 961 337f15-337f54 call 37bb40 956->961 962 337c49-337c6b call 387ee0 956->962 967 337c71-337d59 call 39066b call 37b720 962->967 968 337e35-337f14 call 39066b call 37b720 962->968 977 337e25-337e34 967->977 978 337d5f-337d82 call 332a00 967->978 981 337d93-337dce call 387fe0 * 2 978->981 982 337d84-337d8e 978->982 987 337dd0-337de7 call 332a00 981->987 988 337de9-337e06 call 37b9c0 981->988 982->977 987->988 993 337e08-337e20 call 37b9c0 987->993 988->977 993->977
    Strings
    • , not 390625<-chanAnswerArabicBrahmiCarianChakmaCommonCopticFormatGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianRejangSCHED StringSyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11WanchoYezidi[]byte chan<-do, xrefs: 00337CFD
    • (types from different packages)28421709430404007434844970703125CertAddCertificateContextToStoreCertVerifyCertificateChainPolicyGetVolumePathNamesForVolumeNameWMapIter.Value called before NextWSAGetOverlappedResult not found" not supported for cpu option "end , xrefs: 00337DF5
    • is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc ::ffff:0:0/96CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindNextFileW, xrefs: 00337F24
    • is lr: of on pc= sp: sp=) = ) m=+Inf-Inf3125: p=::/0ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCLEAFLisuMiaoModiNZDTNZSTNewaSASTThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8, xrefs: 00337CD2
    • : missing method AdjustTokenGroupsCertFindExtensionCryptDecodeObjectDnsRecordListFreeFLE Standard TimeGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWIsTokenRestrictedLookupAccountSidWOld_North_ArabianOld_South_ArabianOther, xrefs: 00337EB7
    • (types from different scopes) in prepareForSweep; sweepgen locals stack map entries for 227373675443232059478759765625Central European Standard TimeCentral Standard Time (Mexico)CertDeleteCertificateFromStoreE. South America Standard TimeEastern Standard Tim, xrefs: 00337E14
    • interfaceinvalid nipv6-icmpmSpanDeadmSpanFreentdll.dllole32.dllpanicwaitpclmulqdqpreemptedprofBlockpsapi.dllrecover: reflect: scavtracestackpooltracebackwbufSpans} stack=[ MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base(), xrefs: 00337BFB
    • is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status 48828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDuployanEqualSidEthiopicExtenderGeorgianGoStringGujaratiGurmukhiHiraganaIsWindowJava, xrefs: 00337E7F
    • interface conversion: kernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not nilprotocol not availableprotocol not supportedremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack:, xrefs: 00337C9D, 00337E54, 00337F39
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: (types from different packages)28421709430404007434844970703125CertAddCertificateContextToStoreCertVerifyCertificateChainPolicyGetVolumePathNamesForVolumeNameWMapIter.Value called before NextWSAGetOverlappedResult not found" not supported for cpu option "end $ (types from different scopes) in prepareForSweep; sweepgen locals stack map entries for 227373675443232059478759765625Central European Standard TimeCentral Standard Time (Mexico)CertDeleteCertificateFromStoreE. South America Standard TimeEastern Standard Tim$ is lr: of on pc= sp: sp=) = ) m=+Inf-Inf3125: p=::/0ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCLEAFLisuMiaoModiNZDTNZSTNewaSASTThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8$ is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc ::ffff:0:0/96CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindNextFileW$ is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status 48828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDuployanEqualSidEthiopicExtenderGeorgianGoStringGujaratiGurmukhiHiraganaIsWindowJava$, not 390625<-chanAnswerArabicBrahmiCarianChakmaCommonCopticFormatGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianRejangSCHED StringSyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11WanchoYezidi[]byte chan<-do$: missing method AdjustTokenGroupsCertFindExtensionCryptDecodeObjectDnsRecordListFreeFLE Standard TimeGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWIsTokenRestrictedLookupAccountSidWOld_North_ArabianOld_South_ArabianOther$interface conversion: kernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not nilprotocol not availableprotocol not supportedremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack:$interfaceinvalid nipv6-icmpmSpanDeadmSpanFreentdll.dllole32.dllpanicwaitpclmulqdqpreemptedprofBlockpsapi.dllrecover: reflect: scavtracestackpooltracebackwbufSpans} stack=[ MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()
    • API String ID: 0-3165482525
    • Opcode ID: 6b1b24c17ec430afd994b3b4960020f97c1fd7be57d9322441d050220f864e48
    • Instruction ID: cc540d9e6b0e2e360ba5d282fa75c35c4cfe96beac6d85791c720697e77a90ce
    • Opcode Fuzzy Hash: 6b1b24c17ec430afd994b3b4960020f97c1fd7be57d9322441d050220f864e48
    • Instruction Fuzzy Hash: D791E1B6208BC485DB71DB15F48039AB3A5F788B84F548426DBDC5BB19EF79C499CB00
    Function 00372720 Relevance: 11.4, Strings: 9, Instructions: 130COMMON
    Download Yara Rule

    Control-flow Graph

    Strings
    • m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicBrahmiCarianChakmaCommonCopticFormatGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianRejangSCHED StringSyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UT, xrefs: 003728F8
    • ) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCIDR addressCfgMgr32.dllCoCreateGuidCreateEventWCreateMutexWGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWJoin_ControlLoadLibraryWLoadResourceLockReso, xrefs: 003727E5
    • wirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found of unexported method pcHeader.textStart= previous allocCount=%s flag redefined: %s, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Stan, xrefs: 0037282C
    • ()+-./05:<=?CFLMPSUZ[\, xrefs: 003727C5
    • releasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads=, xrefs: 003728DD
    • wirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, n, xrefs: 003727A5
    • releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= stale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptionunexpected value step%SystemR, xrefs: 0037296A
    • p->status= s.nelems= schedtick= span.list= timerslen=, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTypeIdeogra, xrefs: 0037292F
    • wirep: invalid p state) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertificateChainDeleteVolumeMountPointWDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeFreeEnvi, xrefs: 0037280F
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicBrahmiCarianChakmaCommonCopticFormatGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianRejangSCHED StringSyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UT$ p->status= s.nelems= schedtick= span.list= timerslen=, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTypeIdeogra$()+-./05:<=?CFLMPSUZ[\$) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCIDR addressCfgMgr32.dllCoCreateGuidCreateEventWCreateMutexWGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWJoin_ControlLoadLibraryWLoadResourceLockReso$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= stale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptionunexpected value step%SystemR$releasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads=$wirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found of unexported method pcHeader.textStart= previous allocCount=%s flag redefined: %s, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Stan$wirep: invalid p state) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertificateChainDeleteVolumeMountPointWDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeFreeEnvi$wirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, n
    • API String ID: 0-118312622
    • Opcode ID: 7d4acfd133da60c2ec3bd0762d65963f08baa339f8d18498bec6d2abd5cc411a
    • Instruction ID: c10f1c118093167d4fb97ea934e70bcc8bb50320a6cec5dc452b06d28c744736
    • Opcode Fuzzy Hash: 7d4acfd133da60c2ec3bd0762d65963f08baa339f8d18498bec6d2abd5cc411a
    • Instruction Fuzzy Hash: 63517D76229B44CADB12EF10E48135ABBA4F788B88F85D521EF4D0B32ACF39C454C751
    Function 0037E5E0 Relevance: 10.3, Strings: 8, Instructions: 309COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1064 37e5e0-37e5e9 1065 37eb96-37ebd6 call 38dce0 1064->1065 1066 37e5ef-37e618 1064->1066 1065->1064 1067 37e632-37e648 1066->1067 1068 37e61a-37e61d 1066->1068 1070 37e61f-37e62d 1068->1070 1071 37e649-37e64c 1068->1071 1073 37eb4d-37eb51 1070->1073 1074 37e6f7-37e6fa 1071->1074 1075 37e652-37e664 1071->1075 1076 37eb53-37eb6c 1073->1076 1077 37eb8e-37eb91 1073->1077 1080 37e705-37e71b 1074->1080 1081 37e6fc-37e703 1074->1081 1078 37eb3b-37eb41 call 390480 1075->1078 1079 37e66a-37e6f5 call 37e400 1075->1079 1083 37eb46-37eb4a 1076->1083 1084 37eb6e-37eb75 1076->1084 1077->1071 1078->1083 1091 37e776-37e7d2 call 37e400 call 37f400 1079->1091 1081->1080 1086 37e71c-37e765 call 37e400 call 367600 call 367f00 call 367d60 call 367860 call 367680 call 365d40 1081->1086 1083->1073 1084->1083 1088 37eb77-37eb8d 1084->1088 1103 37e76a-37e773 1086->1103 1100 37e8ac-37e8b3 1091->1100 1101 37e7d8-37e7e8 1091->1101 1106 37ea30-37ea46 1100->1106 1107 37e8b9-37e8c3 1100->1107 1101->1103 1104 37e7ea-37e7f5 1101->1104 1103->1091 1108 37e893-37e8ab 1104->1108 1109 37e7fb-37e864 1104->1109 1107->1106 1111 37e8c9-37e9c9 call 37ebe0 call 367600 call 367f00 * 3 call 367d60 call 367f00 call 367d60 call 367f00 call 367f80 call 367860 call 367680 1107->1111 1112 37eb31-37eb36 call 3903c0 1109->1112 1113 37e86a-37e88f 1109->1113 1143 37e9cf-37ea2b call 37e400 1111->1143 1144 37eb2c call 390480 1111->1144 1112->1078 1113->1108 1148 37eac1-37eb15 call 37e400 call 37f400 1143->1148 1144->1112 1153 37ea47-37eab9 call 367600 call 367f00 call 367d00 call 367f00 call 367d60 call 367860 call 367680 1148->1153 1154 37eb1b-37eb27 call 365d40 1148->1154 1153->1148 1154->1144
    Strings
    • pc= sp: sp=) = ) m=+Inf-Inf3125: p=::/0ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCLEAFLisuMiaoModiNZDTNZSTNewaSASTThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindpipepop3, xrefs: 0037E92F
    • runtime: no module data for save on system g not allowed45474735088646411895751953125CM_Get_Device_Interface_ListWCentral America Standard TimeCentral Pacific Standard TimeChatham Islands Standard TimeDeleteProcThreadAttributeListGetSystemPreferredUILanguagesG, xrefs: 0037E72F
    • tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125::/96<nil>AdlamBamumBatakBuhidCall DograErrorGreekKhmerLatinLimbuLocalNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arrayclosedebugdeferfalsefaultfilesfloatgFreegcinggscanhchanhttps, xrefs: 0037E972
    • targetpc= throwing= until pc=, bound = , limit = /dev/stdin12207031256103515625AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreatePipeDeprecatedDevanagariDnsQuery_WException GC forcedGOMAXPROCSGOMEMLIMITGetIfEntryGetVersionGlagoliticIsValidSid, xrefs: 0037E94F
    • runtime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackryuFtoaF, xrefs: 0037E90C
    • invalid runtime symbol tablemheap.freeSpanLocked - span missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attachedregion exceeds uintptr rangeruntime., xrefs: 0037EB1B
    • no module datano such devicepollCache.lockprotocol errorruntime: full=runtime: want=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunreachable: unsafe.P, xrefs: 0037E759
    • value=connectconsolecpuproffloat32float64forcegcgctracehead = invalidminpc= pacer: panic: runningsyscalluintptrunknownverbosewaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status 48828125AcceptE, xrefs: 0037EA68
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: value=connectconsolecpuproffloat32float64forcegcgctracehead = invalidminpc= pacer: panic: runningsyscalluintptrunknownverbosewaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status 48828125AcceptE$ pc= sp: sp=) = ) m=+Inf-Inf3125: p=::/0ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCLEAFLisuMiaoModiNZDTNZSTNewaSASTThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindpipepop3$ tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125::/96<nil>AdlamBamumBatakBuhidCall DograErrorGreekKhmerLatinLimbuLocalNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arrayclosedebugdeferfalsefaultfilesfloatgFreegcinggscanhchanhttps$ targetpc= throwing= until pc=, bound = , limit = /dev/stdin12207031256103515625AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreatePipeDeprecatedDevanagariDnsQuery_WException GC forcedGOMAXPROCSGOMEMLIMITGetIfEntryGetVersionGlagoliticIsValidSid$invalid runtime symbol tablemheap.freeSpanLocked - span missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attachedregion exceeds uintptr rangeruntime.$no module datano such devicepollCache.lockprotocol errorruntime: full=runtime: want=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunreachable: unsafe.P$runtime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackryuFtoaF$runtime: no module data for save on system g not allowed45474735088646411895751953125CM_Get_Device_Interface_ListWCentral America Standard TimeCentral Pacific Standard TimeChatham Islands Standard TimeDeleteProcThreadAttributeListGetSystemPreferredUILanguagesG
    • API String ID: 0-3963104202
    • Opcode ID: efbcb52d1aa1131522db60f4f874d3da104960a7e772704795f0585fb34c7924
    • Instruction ID: 1f1942e4019789b8263e902e38c5b6dbbd553341cabf5f1d2c4aadc50ffa27e8
    • Opcode Fuzzy Hash: efbcb52d1aa1131522db60f4f874d3da104960a7e772704795f0585fb34c7924
    • Instruction Fuzzy Hash: A8D15932219BC486CB61DF19F48039EB7A5F789B94F948526EB8D47B69CF38C455CB00
    Function 003310E0 Relevance: 10.3, Strings: 8, Instructions: 308COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1170 3310e0-3310e9 1171 331619-331632 call 38dce0 1170->1171 1172 3310ef-33110e 1170->1172 1171->1170 1174 331116-331119 1172->1174 1176 33111f-331121 1174->1176 1177 33134d-331363 1174->1177 1180 331420-331423 1176->1180 1178 331365-33136c 1177->1178 1179 33136e-33137d 1177->1179 1181 331382-331395 1178->1181 1182 331126 1180->1182 1183 331429-331431 1180->1183 1184 331397-331399 1181->1184 1185 331404-33140a 1181->1185 1188 33112d-331130 1182->1188 1186 331433 1183->1186 1187 331415-331418 1183->1187 1193 331402 1184->1193 1194 33139b-3313a0 1184->1194 1191 331410 1185->1191 1192 33137e 1185->1192 1186->1188 1187->1180 1189 331132-33113a 1188->1189 1190 331140-331143 1188->1190 1195 33116d-331171 1189->1195 1196 331610-331618 call 390400 1190->1196 1197 331149-331150 1190->1197 1191->1179 1192->1181 1193->1185 1194->1193 1198 3313a2-331400 call 367600 call 367f00 * 3 call 367680 1194->1198 1201 331173-331179 1195->1201 1202 331110-331113 1195->1202 1196->1171 1199 331156-33116a 1197->1199 1200 331605-33160b call 390480 1197->1200 1198->1185 1199->1195 1200->1196 1201->1202 1205 33117b-331180 1201->1205 1202->1174 1209 331440-331443 1205->1209 1211 331185 1209->1211 1212 331449-331451 1209->1212 1214 33118c-331199 1211->1214 1215 331453 1212->1215 1216 331438-33143b 1212->1216 1218 3312f9-331348 call 367600 call 367f00 * 3 call 367680 1214->1218 1219 33119f-3311a3 1214->1219 1215->1214 1216->1209 1218->1202 1223 3315f2-331600 call 390400 1219->1223 1224 3311a9-3311ad 1219->1224 1223->1200 1228 3311b3-3311cf 1224->1228 1229 3315e5-3315ed call 390480 1224->1229 1233 3311d5-331205 1228->1233 1234 3315dc-3315e0 call 390480 1228->1234 1229->1223 1238 331220-331224 1233->1238 1239 331207-331212 1233->1239 1234->1229 1240 331226-331231 1238->1240 1241 33128c-3312f4 call 367600 call 367f00 * 5 call 367680 1238->1241 1239->1241 1243 331214-331218 1239->1243 1240->1241 1244 331233-33123d 1240->1244 1241->1202 1247 331243-33124b 1243->1247 1244->1241 1248 33123f 1244->1248 1249 331274-331287 1247->1249 1250 33124d-331258 1247->1250 1248->1247 1254 331460-331463 1249->1254 1250->1249 1253 33125a-331264 1250->1253 1253->1249 1260 331266-33126f 1253->1260 1258 331530-331575 call 367600 call 367f00 * 3 call 367680 1254->1258 1259 331469-331483 1254->1259 1258->1202 1263 331585 call 3903c0 1259->1263 1264 331489-33149c 1259->1264 1265 331593-331596 1260->1265 1275 33158a-33158f 1263->1275 1268 331458-33145c 1264->1268 1269 33149e-3314b2 call 332a00 1264->1269 1265->1202 1272 33159c-3315ad 1265->1272 1268->1254 1287 3314b4-3314d8 1269->1287 1288 3314dd-3314f3 1269->1288 1277 3315d7 call 3903c0 1272->1277 1278 3315af-3315cd 1272->1278 1275->1265 1277->1234 1278->1275 1280 3315cf-3315d2 call 3903c0 1278->1280 1280->1277 1287->1268 1292 331580 call 3903c0 1288->1292 1293 3314f9-331514 1288->1293 1292->1263 1297 331516-33152b 1293->1297 1298 33157a-33157f call 3903c0 1293->1298 1297->1202 1298->1292
    Strings
    • " not supported for cpu option "end outside usable address spaceinvalid limiter event type foundnumerical argument out of domainpanic while printing panic valuereflect.nameFrom: tag too long: removespecial on invalid pointerresource temporarily unavailablerunt, xrefs: 003312B4
    • GODEBUG: can not enable "GetFinalPathNameByHandleWGetQueuedCompletionStatusGetSecurityDescriptorDaclGetSecurityDescriptorSaclGetSidIdentifierAuthorityInitiateSystemShutdownExWIsValidSecurityDescriptorKaliningrad Standard TimeMiddle East Standard TimeNew Zealan, xrefs: 003313BB
    • ", missing CPU supportbytes.Buffer: too largechan receive (nil chan)close of closed channeldevice or resource busyfatal: morestack on g0garbage collection scangcDrain phase incorrectindex out of range [%x]interrupted system callinvalid m->lockedInt = left ov, xrefs: 003313DB
    • cpu., xrefs: 00331173
    • GODEBUG: value "GetComputerNameWGetCurrentThreadGetDesktopWindowGetFullPathNameWGetGUIThreadInfoGetLogicalDrivesGetLongPathNameWGetNamedPipeInfoGetPriorityClassImperial_AramaicMeroitic_CursiveNetApiBufferFreeOpenProcessTokenOther_AlphabeticRCodeFormatErrorRegQ, xrefs: 00331291
    • GODEBUG: no value specified for "GetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWbase outside usable address spaceconcurrent map read and map writefindrunnable: negative nmspin, xrefs: 00331308
    • " ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMroNDTNSTNaNNkoPC=PDTPKTPSTStdUTCVaiWAT]:ad, xrefs: 003312D4, 00331328, 00331555
    • GODEBUG: unknown cpu feature "GetProcessPreferredUILanguagesGetSecurityDescriptorRMControlGetSystemTimePreciseAsFileTimeMapIter.Key called before NextPacific Standard Time (Mexico)QueryServiceDynamicInformationSetSecurityDescriptorRMControlSetupDiCreateDeviceI, xrefs: 00331535
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: " ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMroNDTNSTNaNNkoPC=PDTPKTPSTStdUTCVaiWAT]:ad$" not supported for cpu option "end outside usable address spaceinvalid limiter event type foundnumerical argument out of domainpanic while printing panic valuereflect.nameFrom: tag too long: removespecial on invalid pointerresource temporarily unavailablerunt$", missing CPU supportbytes.Buffer: too largechan receive (nil chan)close of closed channeldevice or resource busyfatal: morestack on g0garbage collection scangcDrain phase incorrectindex out of range [%x]interrupted system callinvalid m->lockedInt = left ov$GODEBUG: can not enable "GetFinalPathNameByHandleWGetQueuedCompletionStatusGetSecurityDescriptorDaclGetSecurityDescriptorSaclGetSidIdentifierAuthorityInitiateSystemShutdownExWIsValidSecurityDescriptorKaliningrad Standard TimeMiddle East Standard TimeNew Zealan$GODEBUG: no value specified for "GetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWbase outside usable address spaceconcurrent map read and map writefindrunnable: negative nmspin$GODEBUG: unknown cpu feature "GetProcessPreferredUILanguagesGetSecurityDescriptorRMControlGetSystemTimePreciseAsFileTimeMapIter.Key called before NextPacific Standard Time (Mexico)QueryServiceDynamicInformationSetSecurityDescriptorRMControlSetupDiCreateDeviceI$GODEBUG: value "GetComputerNameWGetCurrentThreadGetDesktopWindowGetFullPathNameWGetGUIThreadInfoGetLogicalDrivesGetLongPathNameWGetNamedPipeInfoGetPriorityClassImperial_AramaicMeroitic_CursiveNetApiBufferFreeOpenProcessTokenOther_AlphabeticRCodeFormatErrorRegQ$cpu.
    • API String ID: 0-3930425017
    • Opcode ID: 124e9a5722fb1b4024ebb5c243c75a74006904a9695898472975e28cf9baac85
    • Instruction ID: 5bed65eeeee886e80e01f507a67960dd001805c78647d34227853d40ab3a54ce
    • Opcode Fuzzy Hash: 124e9a5722fb1b4024ebb5c243c75a74006904a9695898472975e28cf9baac85
    • Instruction Fuzzy Hash: FFC1B166719B80C1EB02DF52E4803AAA765F385BD4F948522EF8E4BB69CF78C941C750
    Function 00388340 Relevance: 10.2, Strings: 8, Instructions: 154COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1307 388340-388344 1308 38834a-38835a 1307->1308 1309 3885cb-3885e2 call 38dce0 1307->1309 1310 38835c-388363 1308->1310 1311 38836e-388379 1308->1311 1309->1307 1310->1311 1314 388365-38836c 1310->1314 1315 388381-388384 1314->1315 1316 38839a 1315->1316 1317 388386-38838d 1315->1317 1320 38839c-3883a3 1316->1320 1318 38837a 1317->1318 1319 38838f-388396 1317->1319 1318->1315 1319->1318 1321 388398 1319->1321 1322 388408-388452 call 33af60 call 33fb00 call 33b180 1320->1322 1323 3883a5-3883cb call 33fb00 1320->1323 1321->1320 1338 3884b3-3884bc 1322->1338 1339 388454-3884b1 call 367600 call 367f00 call 367d60 call 367f00 call 367d60 call 367f00 call 367680 1322->1339 1329 3883cd-3883ee 1323->1329 1330 3883fe-388407 1323->1330 1332 3883f4-3883fd 1329->1332 1333 388545-3885ca call 367600 call 367f00 call 367d60 call 367f00 call 367d60 call 367f00 call 367d60 call 367860 call 367680 call 365d40 1329->1333 1333->1309 1369 38852b-38852e 1339->1369 1371 3884bd-388524 call 367600 call 367f00 call 367d60 call 367f00 call 367d60 call 367860 call 367680 1369->1371 1372 388530-388540 call 365d40 1369->1372 1371->1369 1372->1333
    Strings
    • out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 00388571
    • runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong medium type but memory size because dotdotdot in async preempt to non-Go memory , locked to thread, xrefs: 00388459, 00388554
    • runtime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-negativetoo many Answers to pack (>65535)too many levels of symbolic linkswaiting for unsupported file , xrefs: 003885B9
    • not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFind, xrefs: 00388491
    • base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicBrahmiCarianChakmaCommonCopticFormatGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianRejangSCHED StringSy, xrefs: 00388476
    • - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMroNDTNSTNaNNkoPC=PDTPKTPSTStdUTCVaiWAT]:adxaesavxcgodnsendfinfmaftpgc gp in intip, xrefs: 0038858F
    • types value=connectconsolecpuproffloat32float64forcegcgctracehead = invalidminpc= pacer: panic: runningsyscalluintptrunknownverbosewaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status 48828125, xrefs: 003884DF
    • runtime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to pallocChunkBytestried to park scavenger from a, xrefs: 00388530
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: types value=connectconsolecpuproffloat32float64forcegcgctracehead = invalidminpc= pacer: panic: runningsyscalluintptrunknownverbosewaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status 48828125$ - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMroNDTNSTNaNNkoPC=PDTPKTPSTStdUTCVaiWAT]:adxaesavxcgodnsendfinfmaftpgc gp in intip$ base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicBrahmiCarianChakmaCommonCopticFormatGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianRejangSCHED StringSy$ not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFind$ out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$runtime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to pallocChunkBytestried to park scavenger from a$runtime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-negativetoo many Answers to pack (>65535)too many levels of symbolic linkswaiting for unsupported file $runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong medium type but memory size because dotdotdot in async preempt to non-Go memory , locked to thread
    • API String ID: 0-1074561078
    • Opcode ID: c2c3d1f72aeefbd3a078844db4b016b60121532e7f271dcc7d41e2e1f1e33024
    • Instruction ID: 489756e7f9f27b1e2e7fd67a7009c8ecbcdc14fcea2ddc5e0b59b9bcd2ed1b68
    • Opcode Fuzzy Hash: c2c3d1f72aeefbd3a078844db4b016b60121532e7f271dcc7d41e2e1f1e33024
    • Instruction Fuzzy Hash: 7D515636619B44C6DB22FF15E4813AA7364FB89B88FC48571EB4C0B72ADF78C5008B54
    Function 0034EBE0 Relevance: 8.9, Strings: 7, Instructions: 182COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1565 34ebe0-34ebe4 1566 34eea6-34eee7 call 38dce0 1565->1566 1567 34ebea-34ec06 1565->1567 1566->1565 1569 34ec0c-34ec40 1567->1569 1570 34ee8f-34eea5 call 365d40 1567->1570 1573 34ec46-34ec4d 1569->1573 1574 34ed2b-34ed47 call 3463e0 1569->1574 1570->1566 1577 34ec4f-34ec53 1573->1577 1578 34ec69-34ec71 1573->1578 1586 34ed8f-34ed98 1574->1586 1587 34ed49-34ed4e 1574->1587 1577->1578 1582 34ec55-34ec63 1577->1582 1579 34ec77-34eca4 1578->1579 1580 34ed21-34ed2a 1578->1580 1584 34eda6-34edae call 3903e0 1579->1584 1585 34ecaa-34ecfb 1579->1585 1582->1578 1583 34edb3-34ee8a call 367600 call 367f00 call 367d60 call 367f00 call 367d60 call 367f00 call 367d60 call 367f00 call 367680 call 34ef00 * 2 call 365d40 1582->1583 1583->1570 1584->1583 1588 34ed01-34ed08 1585->1588 1589 34ecfd 1585->1589 1592 34ed53-34ed5c 1587->1592 1588->1592 1593 34ed0a-34ed20 1588->1593 1589->1588 1595 34ed5e-34ed69 1592->1595 1596 34ed78-34ed80 call 354bc0 1592->1596 1595->1596 1599 34ed6b 1595->1599 1600 34ed85-34ed8e 1596->1600 1602 34ed6d-34ed76 1599->1602 1603 34ed99-34eda1 call 3903c0 1599->1603 1602->1600 1603->1584
    Strings
    • +-./05:<=?CFLMPSUZ[\, xrefs: 0034EE05
    • found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCIDR add, xrefs: 0034EDE5
    • marking free objectmarkroot: bad indexmissing deferreturnmspan.sweep: state=notesleep not on g0ntdll.dll not foundnwait > work.nprocspageAlloc.scav.lockpanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value, xrefs: 0034EE7E
    • basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindpipepop3rootsbrksmtpsse3tcp4trueudp4uint -%s ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125, xrefs: 0034EE3B
    • runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: traceback stuck. pc=semacquire not on the G stackstring concatenation too longsyntax error scanning boolea, xrefs: 0034EDC5
    • greyobject: obj not pointer-alignedmheap.freeSpanLocked - invalid freemismatched begin/end of activeSweepnetwork dropped connection on resetno such multicast network interfacepersistentalloc: align is too largepidleput: P has non-empty run queueruntime: close , xrefs: 0034EE8F
    • ), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDT, xrefs: 0034EE25
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCIDR add$), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDT$+-./05:<=?CFLMPSUZ[\$basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindpipepop3rootsbrksmtpsse3tcp4trueudp4uint -%s ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125$greyobject: obj not pointer-alignedmheap.freeSpanLocked - invalid freemismatched begin/end of activeSweepnetwork dropped connection on resetno such multicast network interfacepersistentalloc: align is too largepidleput: P has non-empty run queueruntime: close $marking free objectmarkroot: bad indexmissing deferreturnmspan.sweep: state=notesleep not on g0ntdll.dll not foundnwait > work.nprocspageAlloc.scav.lockpanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value$runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: traceback stuck. pc=semacquire not on the G stackstring concatenation too longsyntax error scanning boolea
    • API String ID: 0-2586820575
    • Opcode ID: e8ef11a12409a0635b265d04cf94be89d3bf33a44a7efb2b9a0daed4db7c07e6
    • Instruction ID: 271b519d4482b53cf9290bf2076ef36db1cc712722603ac9efe50f0e28719d09
    • Opcode Fuzzy Hash: e8ef11a12409a0635b265d04cf94be89d3bf33a44a7efb2b9a0daed4db7c07e6
    • Instruction Fuzzy Hash: 5B71C3B2618B80CADB11DB15E44039EB7A5F746BC4F845522EF8D1BB69CB78C554CB40
    Function 00353140 Relevance: 8.8, Strings: 7, Instructions: 91COMMON
    Download Yara Rule
    Strings
    • mismatched begin/end of activeSweepnetwork dropped connection on resetno such multicast network interfacepersistentalloc: align is too largepidleput: P has non-empty run queueruntime: close polldesc w/o unblockruntime: createevent failed; errno=ryuFtoaFixed32 , xrefs: 0035329E
    • pacer: sweep done at heap size pattern contains path separatorreflect: Len of non-array type resetspinning: not a spinning mruntime: cannot allocate memoryruntime: failed to commit pagesruntime: split stack overflow: slice bounds out of range [%x:]slice bounds, xrefs: 003531F0
    • sweeper left outstanding across sweep generationsattempt to execute system stack code on user stackcompileCallback: function argument frame too largemallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewruntime: un, xrefs: 003532AF
    • pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=, bound = , limit = /dev/stdin12207031256103515625AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreatePipeDeprecatedDevanagari, xrefs: 00353256
    • MB; allocated MakeAbsoluteSDModule32FirstWNetUserGetInfoOpenSCManagerWOther_ID_StartPattern_SyntaxProcess32NextWQuotation_MarkRCodeNameErrorRegSetValueExWSetConsoleModeSetFilePointerSetThreadTokenSizeofResourceTranslateNameWVerQueryValueWVirtualProtectVirtualQ, xrefs: 00353213
    • MB during sweep; swept Marquesas Standard TimeMauritius Standard TimeNoncharacter_Code_PointNtSetInformationProcessQueryServiceLockStatusWQyzylorda Standard TimeRegNotifyChangeKeyValueSetEnvironmentVariableWSetInformationJobObjectSetKernelObjectSecuritySetName, xrefs: 0035323B
    • pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCIDR addressCfgMgr32.dllCoCreateGuidCreateEventWCreateMutexWGetAddrInfoWGetConso, xrefs: 00353272
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=, bound = , limit = /dev/stdin12207031256103515625AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreatePipeDeprecatedDevanagari$ pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCIDR addressCfgMgr32.dllCoCreateGuidCreateEventWCreateMutexWGetAddrInfoWGetConso$MB during sweep; swept Marquesas Standard TimeMauritius Standard TimeNoncharacter_Code_PointNtSetInformationProcessQueryServiceLockStatusWQyzylorda Standard TimeRegNotifyChangeKeyValueSetEnvironmentVariableWSetInformationJobObjectSetKernelObjectSecuritySetName$MB; allocated MakeAbsoluteSDModule32FirstWNetUserGetInfoOpenSCManagerWOther_ID_StartPattern_SyntaxProcess32NextWQuotation_MarkRCodeNameErrorRegSetValueExWSetConsoleModeSetFilePointerSetThreadTokenSizeofResourceTranslateNameWVerQueryValueWVirtualProtectVirtualQ$mismatched begin/end of activeSweepnetwork dropped connection on resetno such multicast network interfacepersistentalloc: align is too largepidleput: P has non-empty run queueruntime: close polldesc w/o unblockruntime: createevent failed; errno=ryuFtoaFixed32 $pacer: sweep done at heap size pattern contains path separatorreflect: Len of non-array type resetspinning: not a spinning mruntime: cannot allocate memoryruntime: failed to commit pagesruntime: split stack overflow: slice bounds out of range [%x:]slice bounds$sweeper left outstanding across sweep generationsattempt to execute system stack code on user stackcompileCallback: function argument frame too largemallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewruntime: un
    • API String ID: 0-87216632
    • Opcode ID: d543cfbaec6afa0c64b9a7f7f02300f698cc89ea96d36dd9258045b61ad9f660
    • Instruction ID: 442fb16240cebdaef6538e0ca9888013a340865bc52eb36f9ed34e0721a3dedc
    • Opcode Fuzzy Hash: d543cfbaec6afa0c64b9a7f7f02300f698cc89ea96d36dd9258045b61ad9f660
    • Instruction Fuzzy Hash: 48417C32228B448AD702EF24E88075AB764F788784F848529EF4D1B76ADF3CC644CB51
    Function 00360A20 Relevance: 8.8, Strings: 7, Instructions: 67COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: PowerReg$gisterSu$ication$powrprof$rof.dll$spendRes$umeNotif
    • API String ID: 0-941992356
    • Opcode ID: b64df033417e248f892e2ef06db93dc7b66147bdb12eb0555bc29a6d60374abd
    • Instruction ID: cd12edc5c67b6af25867cf82b04c34eaf6c8734bc20a567e72d64d614a7ace57
    • Opcode Fuzzy Hash: b64df033417e248f892e2ef06db93dc7b66147bdb12eb0555bc29a6d60374abd
    • Instruction Fuzzy Hash: 5C3102B6208B8085D625DB11F44139AB7A5F7897C4F98802AEBCC4BB6EDF38C158CB40
    Function 00331640 Relevance: 7.9, Strings: 6, Instructions: 425COMMON
    Download Yara Rule
    Strings
    • popcntrdtscpselectsendtosocketstringstructsweep sysmontelnettimersuint16uint32uint64 (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625: type ::1/128AvestanBengaliBrailleChanDirC, xrefs: 00331842, 00331860
    • pclmulqdqpreemptedprofBlockpsapi.dllrecover: reflect: scavtracestackpooltracebackwbufSpans} stack=[ MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=,, xrefs: 003316C6
    • rdtscpselectsendtosocketstringstructsweep sysmontelnettimersuint16uint32uint64 (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625: type ::1/128AvestanBengaliBrailleChanDirCopySid, xrefs: 003316E7
    • sse41sse42ssse3sudogsweeptraceuint8usagevaluewrite B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicBrahmiCarianChakmaCommonCopticFormatGetACPGothic, xrefs: 003318F0, 0033190D
    • avx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindpipepop3rootsbrksmtpsse3tcp4trueudp4uint -%s ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930156257, xrefs: 00331B24, 00331B41
    • ermsfileftpsfunchttpicmpidleigmpint8itabkindpipepop3rootsbrksmtpsse3tcp4trueudp4uint -%s ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125::/96<nil>AdlamBamumBatakBuhidCall DograErrorGreekKhmerL, xrefs: 003316A8
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: avx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindpipepop3rootsbrksmtpsse3tcp4trueudp4uint -%s ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930156257$ermsfileftpsfunchttpicmpidleigmpint8itabkindpipepop3rootsbrksmtpsse3tcp4trueudp4uint -%s ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125::/96<nil>AdlamBamumBatakBuhidCall DograErrorGreekKhmerL$pclmulqdqpreemptedprofBlockpsapi.dllrecover: reflect: scavtracestackpooltracebackwbufSpans} stack=[ MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=,$popcntrdtscpselectsendtosocketstringstructsweep sysmontelnettimersuint16uint32uint64 (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625: type ::1/128AvestanBengaliBrailleChanDirC$rdtscpselectsendtosocketstringstructsweep sysmontelnettimersuint16uint32uint64 (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625: type ::1/128AvestanBengaliBrailleChanDirCopySid$sse41sse42ssse3sudogsweeptraceuint8usagevaluewrite B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicBrahmiCarianChakmaCommonCopticFormatGetACPGothic
    • API String ID: 0-3170729864
    • Opcode ID: 3cacddecdfd5c3302238613d487eaad99238cee33218a99080a2245545d2d3fc
    • Instruction ID: b0e326592c6acdcb7456b980e037c2e3c3a21898e4547490d4b8650f40d1c107
    • Opcode Fuzzy Hash: 3cacddecdfd5c3302238613d487eaad99238cee33218a99080a2245545d2d3fc
    • Instruction Fuzzy Hash: A932BD72204F80DAEB15CF25FC8139A37A4F315B89F948566CA9E47729DF78CA48C700
    Function 003436A0 Relevance: 7.6, Strings: 6, Instructions: 132COMMON
    Download Yara Rule
    Strings
    • runtime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt baseunexpected call to os.Exit(0) during test173472347597680709441192448139190673828125867361737988403547205962240695953369140625MapIter.Valu, xrefs: 003438C5
    • but memory size because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00343885
    • with GC prog,M3.2.0,M11.1.0476837158203125<invalid Value>ASCII_Hex_DigitAddDllDirectoryCLSIDFromStringCreateHardLinkWDeviceIoControlDuplicateHandleFailed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGetAdaptersInfoGetCommTimeoutsGetCo, xrefs: 003437F4
    • of size (targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHE, xrefs: 00343865
    • runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackryuFtoaFixed64 called with prec > 18strings., xrefs: 0034380A, 003438AF
    • runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prec34694469519536141888238489627838134765625MapIter.Next called on exhausted iterator[!]Error executing shellcode syscall:%s[DEBUG]Calling VirtualAlloc for shellcode[DEBUG]Loading k, xrefs: 003437D4, 00343845
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: but memory size because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp$ of size (targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHE$ with GC prog,M3.2.0,M11.1.0476837158203125<invalid Value>ASCII_Hex_DigitAddDllDirectoryCLSIDFromStringCreateHardLinkWDeviceIoControlDuplicateHandleFailed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGetAdaptersInfoGetCommTimeoutsGetCo$runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackryuFtoaFixed64 called with prec > 18strings.$runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prec34694469519536141888238489627838134765625MapIter.Next called on exhausted iterator[!]Error executing shellcode syscall:%s[DEBUG]Calling VirtualAlloc for shellcode[DEBUG]Loading k$runtime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt baseunexpected call to os.Exit(0) during test173472347597680709441192448139190673828125867361737988403547205962240695953369140625MapIter.Valu
    • API String ID: 0-4000361639
    • Opcode ID: ee52759573cd4adcfa75991f3c6f8d83ea14342c605fb80920ce65feca455189
    • Instruction ID: 75a7193943931ccb1ffc893ee5fc88274d5181b46cd264345ff11ad027058aab
    • Opcode Fuzzy Hash: ee52759573cd4adcfa75991f3c6f8d83ea14342c605fb80920ce65feca455189
    • Instruction Fuzzy Hash: 02518076628B44C6DB12EF11E48035EBBB4F789B84F958121EB8D4BB69CF38C554CB10
    Function 0033C480 Relevance: 7.6, Strings: 6, Instructions: 117COMMON
    Download Yara Rule
    Strings
    • s.nelems= schedtick= span.list= timerslen=, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTypeIdeographicMedefai, xrefs: 0033C5A5, 0033C625
    • freeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not nilprotocol not availableprotocol not suppo, xrefs: 0033C5E5
    • s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunreachable: unsafe.Pointerwinapi error #work.full != 0 with GC prog,M3.2.0,M11.1.0476837158203125<inva, xrefs: 0033C585
    • s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)work.nwait > work.nproc116415321826934814453125582076, xrefs: 0033C5CF
    • runtime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)work.nwait > work.nproc1164153, xrefs: 0033C605
    • s.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ysweeper left outstanding across sweep generationsattempt to execute system stack code on user stackcompileCallback: function argument frame too largemallocgc call, xrefs: 0033C64F
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: s.nelems= schedtick= span.list= timerslen=, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTypeIdeographicMedefai$freeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not nilprotocol not availableprotocol not suppo$runtime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)work.nwait > work.nproc1164153$s.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ysweeper left outstanding across sweep generationsattempt to execute system stack code on user stackcompileCallback: function argument frame too largemallocgc call$s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)work.nwait > work.nproc116415321826934814453125582076$s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunreachable: unsafe.Pointerwinapi error #work.full != 0 with GC prog,M3.2.0,M11.1.0476837158203125<inva
    • API String ID: 0-2741435613
    • Opcode ID: 24243ee26ad3bf337427d04e9a3d7b135b70384701355f4edd7e57be47ac3e68
    • Instruction ID: 573a4846b5c2074cabdd12856cdc305040b1dd5f2cb88f83463ab3c58dd5c316
    • Opcode Fuzzy Hash: 24243ee26ad3bf337427d04e9a3d7b135b70384701355f4edd7e57be47ac3e68
    • Instruction Fuzzy Hash: E1517272229B80C6C712AF15E48136EBBA4F789B84F859521FB8D4B76ADF38C440CB50
    Function 0035A560 Relevance: 6.4, Strings: 5, Instructions: 155COMMON
    Download Yara Rule
    Strings
    • runtime: searchIdx = runtime: work.nwait= stale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptionunexpected value step%SystemRoot%\system32\4656612873077392578125Aleutian Standard TimeAtlantic Standard TimeCauc, xrefs: 0035A785
    • , npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTypeIdeographicMedefaidrinMessageBoxWMoveFileExWNandinagariNetShareAddNetShar, xrefs: 0035A745
    • runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding ptraceback stuck already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirec, xrefs: 0035A727
    • , p.searchAddr = 0123456789ABCDEFX0123456789abcdefx1192092895507812559604644775390625: missing method AdjustTokenGroupsCertFindExtensionCryptDecodeObjectDnsRecordListFreeFLE Standard TimeGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetSh, xrefs: 0035A7A9
    • bad summary databad symbol tablecastogscanstatuscontext canceledgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapnewmHandoff.lockno route to hostnon-, xrefs: 0035A7CF
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: , npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTypeIdeographicMedefaidrinMessageBoxWMoveFileExWNandinagariNetShareAddNetShar$, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx1192092895507812559604644775390625: missing method AdjustTokenGroupsCertFindExtensionCryptDecodeObjectDnsRecordListFreeFLE Standard TimeGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetSh$bad summary databad symbol tablecastogscanstatuscontext canceledgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapnewmHandoff.lockno route to hostnon-$runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding ptraceback stuck already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirec$runtime: searchIdx = runtime: work.nwait= stale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptionunexpected value step%SystemRoot%\system32\4656612873077392578125Aleutian Standard TimeAtlantic Standard TimeCauc
    • API String ID: 0-3848969280
    • Opcode ID: e3fe58f5bfadb40def5ac88ebd5320c3b0e4683b68437102271b876177b61ef0
    • Instruction ID: 3cbbecc8eae1f8b9db12d10ef2dab8b1365758c8ec5f884be385612d35e4d259
    • Opcode Fuzzy Hash: e3fe58f5bfadb40def5ac88ebd5320c3b0e4683b68437102271b876177b61ef0
    • Instruction Fuzzy Hash: 4351B176728F8486DB12AB15E44079DA764F789BD4F894222EF9C0BB6ACF38C584C741
    Function 00388600 Relevance: 6.4, Strings: 5, Instructions: 112COMMON
    Download Yara Rule
    Strings
    • not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFind, xrefs: 00388705
    • base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicBrahmiCarianChakmaCommonCopticFormatGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianRejangSCHED StringSy, xrefs: 003886E5
    • runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong medium type but memory size because dotdotdot in async preempt to non-Go memory ,, xrefs: 003886C5
    • runtime: text offset base pointer out of rangeruntime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to , xrefs: 003887C9
    • types value=connectconsolecpuproffloat32float64forcegcgctracehead = invalidminpc= pacer: panic: runningsyscalluintptrunknownverbosewaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status 48828125, xrefs: 00388765
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: types value=connectconsolecpuproffloat32float64forcegcgctracehead = invalidminpc= pacer: panic: runningsyscalluintptrunknownverbosewaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status 48828125$ base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicBrahmiCarianChakmaCommonCopticFormatGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianRejangSCHED StringSy$ not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFind$runtime: text offset base pointer out of rangeruntime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to $runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong medium type but memory size because dotdotdot in async preempt to non-Go memory ,
    • API String ID: 0-2872271705
    • Opcode ID: cf81328e4b2bec5ff6beeb3a7f2177be7b1afa6c69d0e30ea1926ce5c18b6033
    • Instruction ID: 19cb4194cf6061db0db2e98b044db751035df8617e22a11f82bc5345c9a99d13
    • Opcode Fuzzy Hash: cf81328e4b2bec5ff6beeb3a7f2177be7b1afa6c69d0e30ea1926ce5c18b6033
    • Instruction Fuzzy Hash: B5415A76219B44CADA12AF10E4813AEB774F78A788FD49571EB8D0B72ADF38C504CB40
    Function 0033AD00 Relevance: 6.3, Strings: 5, Instructions: 75COMMON
    Download Yara Rule
    Strings
    • cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125::/96<nil>AdlamBamumBatakBuhidCall DograErrorGreekKhmerLatinLimbuLocalNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arrayclosedebugdeferfalsefaultfilesfloat, xrefs: 0033ADA5
    • packed= pointer stack=[ status 48828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDuployanEqualSidEthiopicExtenderGeorgianGoStringGujaratiGurmukhiHiraganaIsWindowJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaQues, xrefs: 0033ADC5
    • -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 2001::/322002::/162441406253ffe::/16: status=Authorit, xrefs: 0033ADE5
    • lfstack.pushmadvdontneedmheapSpecialmspanSpecialnetapi32.dllno such hostnot pollableraceFiniLockreleasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != swee, xrefs: 0033AE0F
    • runtime: lfstack.push invalid packing: node=unsafe.Slice: ptr is nil and len is not zerouse of WriteTo with pre-connected connectioncannot send after transport endpoint shutdowncharacter string exceeds maximum length (255)exitsyscall: syscall frame is no longe, xrefs: 0033AD87
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 2001::/322002::/162441406253ffe::/16: status=Authorit$ cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125::/96<nil>AdlamBamumBatakBuhidCall DograErrorGreekKhmerLatinLimbuLocalNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arrayclosedebugdeferfalsefaultfilesfloat$ packed= pointer stack=[ status 48828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDuployanEqualSidEthiopicExtenderGeorgianGoStringGujaratiGurmukhiHiraganaIsWindowJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaQues$lfstack.pushmadvdontneedmheapSpecialmspanSpecialnetapi32.dllno such hostnot pollableraceFiniLockreleasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != swee$runtime: lfstack.push invalid packing: node=unsafe.Slice: ptr is nil and len is not zerouse of WriteTo with pre-connected connectioncannot send after transport endpoint shutdowncharacter string exceeds maximum length (255)exitsyscall: syscall frame is no longe
    • API String ID: 0-2727833691
    • Opcode ID: 3946124f53394e41ca56b054719df5fb0324990974f1a479b66d031db14b98a1
    • Instruction ID: 4df4c841c9aee0a5b0ecc4a47c5464ed9589add4648c74465263e6675fe41821
    • Opcode Fuzzy Hash: 3946124f53394e41ca56b054719df5fb0324990974f1a479b66d031db14b98a1
    • Instruction Fuzzy Hash: 2F31F932229F44C6D711AF11E89179AB768F789B84F889521EB8D0BB2ADF78C514C750
    Function 0035EAE0 Relevance: 6.3, Strings: 5, Instructions: 71COMMON
    Download Yara Rule
    Strings
    • attempt to clear non-empty span setencoding/hex: odd length hex stringfile type does not support deadlinefindrunnable: netpoll with spinninggreyobject: obj not pointer-alignedmheap.freeSpanLocked - invalid freemismatched begin/end of activeSweepnetwork dropped, xrefs: 0035EBDF
    • fully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characternot enough significant bits after mult128bitPow10panicwrap: unexpected string after package name: reflect.Value.S, xrefs: 0035EB6C
    • head = invalidminpc= pacer: panic: runningsyscalluintptrunknownverbosewaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status 48828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassAN, xrefs: 0035EB9D
    • span set block with unpopped elements found in reset[DEBUG]Copying shellcode to memory with RtlCopyMemorycompileCallback: argument size is larger than uintptrreflect.Value.Slice: string slice index out of boundsgoroutine running on other thread; stack unavail, xrefs: 0035EB7D
    • , tail = 2001::/322002::/162441406253ffe::/16: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanPalmyreneParseBoolSamaritanSundaneseTypeCNAMETypeHINFOTypeMINF, xrefs: 0035EBB8
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: , tail = 2001::/322002::/162441406253ffe::/16: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanPalmyreneParseBoolSamaritanSundaneseTypeCNAMETypeHINFOTypeMINF$attempt to clear non-empty span setencoding/hex: odd length hex stringfile type does not support deadlinefindrunnable: netpoll with spinninggreyobject: obj not pointer-alignedmheap.freeSpanLocked - invalid freemismatched begin/end of activeSweepnetwork dropped$fully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characternot enough significant bits after mult128bitPow10panicwrap: unexpected string after package name: reflect.Value.S$head = invalidminpc= pacer: panic: runningsyscalluintptrunknownverbosewaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status 48828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassAN$span set block with unpopped elements found in reset[DEBUG]Copying shellcode to memory with RtlCopyMemorycompileCallback: argument size is larger than uintptrreflect.Value.Slice: string slice index out of boundsgoroutine running on other thread; stack unavail
    • API String ID: 0-2355417771
    • Opcode ID: 35df9e82a071d1f0bbdad992b4a16785a276c5411dff8f9a76de5056647ed801
    • Instruction ID: 075be5c144b0b36265fc3db57f16fa946079eb44252c11920eca5b5e502ec5ff
    • Opcode Fuzzy Hash: 35df9e82a071d1f0bbdad992b4a16785a276c5411dff8f9a76de5056647ed801
    • Instruction Fuzzy Hash: 3221AE72708B0086DB1AEF60E09175E6364F788782F418826EF9E4B76ADF7CC654C790
    Function 00337540 Relevance: 5.3, Strings: 4, Instructions: 256COMMON
    Download Yara Rule
    Strings
    • cs deadlockdurationfc00::/7fs gs invalid no anodeparsing pollDescr10 r11 r12 r13 r14 r15 r8 r9 rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshut, xrefs: 003379A5
    • r10 r11 r12 r13 r14 r15 r8 r9 rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdownstrconv.traceBuftrigger=unknown(wsaioctl (forced) -> node= B exp.) B work (, xrefs: 003377A5
    • r8 r9 rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdownstrconv.traceBuftrigger=unknown(wsaioctl (forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= ma, xrefs: 00337725
    • rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdownstrconv.traceBuftrigger=unknown(wsaioctl (forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, , xrefs: 0033756B
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: cs deadlockdurationfc00::/7fs gs invalid no anodeparsing pollDescr10 r11 r12 r13 r14 r15 r8 r9 rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshut$r10 r11 r12 r13 r14 r15 r8 r9 rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdownstrconv.traceBuftrigger=unknown(wsaioctl (forced) -> node= B exp.) B work ($r8 r9 rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdownstrconv.traceBuftrigger=unknown(wsaioctl (forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= ma$rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdownstrconv.traceBuftrigger=unknown(wsaioctl (forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu,
    • API String ID: 0-3126772560
    • Opcode ID: 34e27a04434eb45dbf9e01720a5384f0d6f4fb0a3556c2d4cf8dc0347ca82cc5
    • Instruction ID: ab4cbcca9b9f9814a52c8e61ff8b6d6d56d47e4a084ac2adbdb69ba5af070f81
    • Opcode Fuzzy Hash: 34e27a04434eb45dbf9e01720a5384f0d6f4fb0a3556c2d4cf8dc0347ca82cc5
    • Instruction Fuzzy Hash: 83C1AA36239B4485C652FF65E09275E7B64FB89788F81C421FA8D0B72ACF38C554CBA1
    Function 0033D4E0 Relevance: 5.2, Strings: 4, Instructions: 163COMMON
    Download Yara Rule
    Strings
    • persistentalloc: align is not a power of 2runtime: blocked write on closing polldescsync/atomic: store of nil value into Valueunexpected signal during runtime executiongcBgMarkWorker: unexpected gcMarkWorkerModegrew heap, but no adequate free space foundheapBi, xrefs: 0033D750
    • runtime: cannot allocate memoryruntime: failed to commit pagesruntime: split stack overflow: slice bounds out of range [%x:]slice bounds out of range [:%x] (types from different packages)28421709430404007434844970703125CertAddCertificateContextToStoreCertVerif, xrefs: 0033D71E
    • persistentalloc: size == 0required key not availableruntime: bad span s.state=runtime: pcHeader: magic= segment prefix is reservedshrinking stack in libcallstartlockedm: locked to meunknown ABI parameter kinduse of invalid sweepLocker not in stack roots range , xrefs: 0033D765
    • persistentalloc: align is too largepidleput: P has non-empty run queueruntime: close polldesc w/o unblockruntime: createevent failed; errno=ryuFtoaFixed32 called with prec > 9too many Questions to pack (>65535)traceback did not unwind completelytransport endpo, xrefs: 0033D73F
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: persistentalloc: align is not a power of 2runtime: blocked write on closing polldescsync/atomic: store of nil value into Valueunexpected signal during runtime executiongcBgMarkWorker: unexpected gcMarkWorkerModegrew heap, but no adequate free space foundheapBi$persistentalloc: align is too largepidleput: P has non-empty run queueruntime: close polldesc w/o unblockruntime: createevent failed; errno=ryuFtoaFixed32 called with prec > 9too many Questions to pack (>65535)traceback did not unwind completelytransport endpo$persistentalloc: size == 0required key not availableruntime: bad span s.state=runtime: pcHeader: magic= segment prefix is reservedshrinking stack in libcallstartlockedm: locked to meunknown ABI parameter kinduse of invalid sweepLocker not in stack roots range $runtime: cannot allocate memoryruntime: failed to commit pagesruntime: split stack overflow: slice bounds out of range [%x:]slice bounds out of range [:%x] (types from different packages)28421709430404007434844970703125CertAddCertificateContextToStoreCertVerif
    • API String ID: 0-2069425732
    • Opcode ID: 707278bf8f9ca8f08cdd3c1138924c85d564a06d1dccf41e6a0c6b62c80aa55f
    • Instruction ID: a8bf8a88b41e4cc9fbc418ca24c93d8de189a1aa77482fb5c82347fec2f2055f
    • Opcode Fuzzy Hash: 707278bf8f9ca8f08cdd3c1138924c85d564a06d1dccf41e6a0c6b62c80aa55f
    • Instruction Fuzzy Hash: 37617772605B8486DB12DF05F48039AB775F789BD4F849522EB9D1BB28DF38C895CB00
    Function 0036C540 Relevance: 5.2, Strings: 4, Instructions: 158COMMON
    Download Yara Rule
    Strings
    • startm: m has pstopm holding ptraceback stuck already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQu, xrefs: 0036C7A5
    • startm: p has runnable gsstoplockedm: not runnableunexpected fault address unexpected key value type1455191522836685180664062572759576141834259033203125Bougainville Standard TimeCentral Asia Standard TimeCertFindCertificateInStoreCertFreeCertificateContextE. A, xrefs: 0036C792
    • startm: negative nmspinningstopTheWorld: holding lockstime: invalid location nametimer when must be positivetoo many callback functionswork.nwait was > work.nproc args stack map entries for 18189894035458564758300781259094947017729282379150390625Aus Central W., xrefs: 0036C6FA
    • startm: m is spinningstate not recoverabletimer data corruptionunexpected value step%SystemRoot%\system32\4656612873077392578125Aleutian Standard TimeAtlantic Standard TimeCaucasus Standard TimeConvertSidToStringSidWConvertStringSidToSidWCreateEnvironmentBlock, xrefs: 0036C7B6
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: startm: m has pstopm holding ptraceback stuck already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQu$startm: m is spinningstate not recoverabletimer data corruptionunexpected value step%SystemRoot%\system32\4656612873077392578125Aleutian Standard TimeAtlantic Standard TimeCaucasus Standard TimeConvertSidToStringSidWConvertStringSidToSidWCreateEnvironmentBlock$startm: negative nmspinningstopTheWorld: holding lockstime: invalid location nametimer when must be positivetoo many callback functionswork.nwait was > work.nproc args stack map entries for 18189894035458564758300781259094947017729282379150390625Aus Central W.$startm: p has runnable gsstoplockedm: not runnableunexpected fault address unexpected key value type1455191522836685180664062572759576141834259033203125Bougainville Standard TimeCentral Asia Standard TimeCertFindCertificateInStoreCertFreeCertificateContextE. A
    • API String ID: 0-3919355718
    • Opcode ID: 593ac300e6abdd412fe7a5f1d9606db618086de97ebcb8d8bf08f876787503b0
    • Instruction ID: 1774446875ea183f7edfefe18e59ad3d226791488cff58ad77370abf87e2dd61
    • Opcode Fuzzy Hash: 593ac300e6abdd412fe7a5f1d9606db618086de97ebcb8d8bf08f876787503b0
    • Instruction Fuzzy Hash: 4F61F6B2215B808ADB51CB10E4947BEB760F3C5B64F49A225EBDD477A9DF38C444CB04
    Function 0033B420 Relevance: 5.1, Strings: 4, Instructions: 147COMMON
    Download Yara Rule
    Strings
    • runtime: unable to acquire - semaphore out of syncfatal: systemstack called from unexpected goroutinelimiterEvent.stop: invalid limiter event type foundpotentially overlapping in-use allocations detectedruntime: netpoll: PostQueuedCompletionStatus failedConver, xrefs: 0033B62D
    • notetsleep - waitm out of syncprotocol wrong type for socketreflect: Elem of invalid type reflect: Len of non-array typerunqputslow: queue is not fullruntime: bad g in cgocallbackruntime: bad pointer in frame runtime: found in object at *(runtime: impossible , xrefs: 0033B4C6
    • runtime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ysweeper left outstanding across sweep generationsattempt to execute system stack code on user stackcompileCallbac, xrefs: 0033B63E
    • X L, xrefs: 0033B459, 0033B4ED, 0033B51E, 0033B66E
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: X L$notetsleep - waitm out of syncprotocol wrong type for socketreflect: Elem of invalid type reflect: Len of non-array typerunqputslow: queue is not fullruntime: bad g in cgocallbackruntime: bad pointer in frame runtime: found in object at *(runtime: impossible $runtime: unable to acquire - semaphore out of syncfatal: systemstack called from unexpected goroutinelimiterEvent.stop: invalid limiter event type foundpotentially overlapping in-use allocations detectedruntime: netpoll: PostQueuedCompletionStatus failedConver$runtime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ysweeper left outstanding across sweep generationsattempt to execute system stack code on user stackcompileCallbac
    • API String ID: 0-560530639
    • Opcode ID: f3901ef08480fba5f7fb90c431dd1c981022b46ff6ef64c9e4133bd8bb924245
    • Instruction ID: e7aadb5ccd51496bbfa94687826ba25f437150e35def7e97a1257369018723a2
    • Opcode Fuzzy Hash: f3901ef08480fba5f7fb90c431dd1c981022b46ff6ef64c9e4133bd8bb924245
    • Instruction Fuzzy Hash: CD519F76305F8486DB12DB2AE48135AB764F789BD8F198221DF9E5B7A6CF39C081C710
    Function 003454C0 Relevance: 5.1, Strings: 4, Instructions: 131COMMON
    Download Yara Rule
    Strings
    • out of memoryprofMemActiveprofMemFutureruntime: seq=runtime: val=srmount errortimer expiredtraceStackTabvalue method xadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -threa, xrefs: 003456A5
    • refill of span with free space remainingruntime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 calle, xrefs: 003456D6
    • bad sweepgen in refillcall not at safe pointcannot allocate memorycompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc inv, xrefs: 003456C5
    • span has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected method stepwirep: invalid p state) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Stan, xrefs: 00345691
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: bad sweepgen in refillcall not at safe pointcannot allocate memorycompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc inv$out of memoryprofMemActiveprofMemFutureruntime: seq=runtime: val=srmount errortimer expiredtraceStackTabvalue method xadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -threa$refill of span with free space remainingruntime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 calle$span has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected method stepwirep: invalid p state) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Stan
    • API String ID: 0-189083857
    • Opcode ID: 12cc4a9fc6d9826f53b9f8f473b31a611db30a09deccb150a82fb04cc8686e75
    • Instruction ID: c2ba0b95660af8b2bb93480b94287e975013a4bac09e8550d01ed43da7ab71d1
    • Opcode Fuzzy Hash: 12cc4a9fc6d9826f53b9f8f473b31a611db30a09deccb150a82fb04cc8686e75
    • Instruction Fuzzy Hash: CE518B72604F9086CB11DF05E48039AB7B5F789B85F899122EB8D0B769DF3CC959C750
    Function 0037E240 Relevance: 5.1, Strings: 4, Instructions: 124COMMON
    Download Yara Rule
    Strings
    • out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 0037E2F6
    • - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMroNDTNSTNaNNkoPC=PDTPKTPSTStdUTCVaiWAT]:adxaesavxcgodnsendfinfmaftpgc gp in intip, xrefs: 0037E311
    • runtime: textAddr server misbehavingstreams pipe errorsystem page size (tracebackancestorsuse of closed filevalue out of range [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeB, xrefs: 0037E2DB
    • runtime: text offset out of rangeruntime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-negativetoo many Answers to pack (>65535)too many levels of symbolic l, xrefs: 0037E339
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMroNDTNSTNaNNkoPC=PDTPKTPSTStdUTCVaiWAT]:adxaesavxcgodnsendfinfmaftpgc gp in intip$ out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$runtime: text offset out of rangeruntime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-negativetoo many Answers to pack (>65535)too many levels of symbolic l$runtime: textAddr server misbehavingstreams pipe errorsystem page size (tracebackancestorsuse of closed filevalue out of range [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeB
    • API String ID: 0-3271838650
    • Opcode ID: 1876eae4e014bb707ae0712b6bd9bee9376bde482175934019b126a56aa10a41
    • Instruction ID: 1d5c43526dde967f1bef91b28e26a67b40d4c050cddfb2a839cb7825fa2d534e
    • Opcode Fuzzy Hash: 1876eae4e014bb707ae0712b6bd9bee9376bde482175934019b126a56aa10a41
    • Instruction Fuzzy Hash: 7D418C76718B40C1DA22FB55E0407AD6368F78CB84F89C962EB5C0BB2ADB7CC951C740
    Function 00387760 Relevance: 5.1, Strings: 4, Instructions: 98COMMON
    Download Yara Rule
    Strings
    • , fp:-09301562578125::/96<nil>AdlamBamumBatakBuhidCall DograErrorGreekKhmerLatinLimbuLocalNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arrayclosedebugdeferfalsefaultfilesfloatgFreegcinggscanhchanhttpsimap2imap3imapsinit int16int32int64mheapntohspanicpop3s, xrefs: 003877F3
    • } stack=[ MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=, bound = , limit = /dev/stdin12207031256103515625AdditionalBad varintCancelIoExChorasmianC, xrefs: 0038780F
    • ), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDT, xrefs: 0038784F
    • stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong medium type but memory size because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32, xrefs: 003877D8
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: ), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDT$, fp:-09301562578125::/96<nil>AdlamBamumBatakBuhidCall DograErrorGreekKhmerLatinLimbuLocalNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arrayclosedebugdeferfalsefaultfilesfloatgFreegcinggscanhchanhttpsimap2imap3imapsinit int16int32int64mheapntohspanicpop3s$stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong medium type but memory size because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32$} stack=[ MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=, bound = , limit = /dev/stdin12207031256103515625AdditionalBad varintCancelIoExChorasmianC
    • API String ID: 0-3295218320
    • Opcode ID: aaadc3ea396763610047e9c066359c5d66bddfc1f56c200986d03426a2179218
    • Instruction ID: 4944035be9d8e9c41391084bf764433555d8b630b39c75431b1fd351c19bb6a5
    • Opcode Fuzzy Hash: aaadc3ea396763610047e9c066359c5d66bddfc1f56c200986d03426a2179218
    • Instruction Fuzzy Hash: 40412872229F8485CA21EB05F88036AB764FB88B84F908525FB8D47B29DF78C555CB00
    Function 0034B9E0 Relevance: 5.1, Strings: 4, Instructions: 92COMMON
    Download Yara Rule
    Strings
    • runtime: want=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunreachable: unsafe.Pointerwinapi error #work.full != 0 with GC prog,M3.2.0,M11.1.0476837, xrefs: 0034BAC8
    • got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125::/96<nil>AdlamBamumBatakBuhidCall DograErrorGreekKhmerLatinLimbuLocalNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arrayclosedebugdeferfalsefaultfilesfloatgFree, xrefs: 0034BAE6
    • limiterEvent.stop: found wrong event in p's limiter event slotreflect: reflect.Value.Pointer on an invalid notinheap pointerruntime: internal error: misuse of lockOSThread/unlockOSThreadmalformed GOMEMLIMIT; see `go doc runtime/debug.SetMemoryLimit`compileCall, xrefs: 0034BB0F
    • limiterEvent.stop: invalid limiter event type foundpotentially overlapping in-use allocations detectedruntime: netpoll: PostQueuedCompletionStatus failedConvertSecurityDescriptorToStringSecurityDescriptorWConvertStringSecurityDescriptorToSecurityDescriptorWcas, xrefs: 0034BAA9
    Memory Dump Source
    • Source File: 00000000.00000002.2145327347.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.2145310676.0000000000330000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145377085.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145464499.00000000004AA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145478871.00000000004AE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145492509.00000000004B0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145503723.00000000004B1000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145516366.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145527472.00000000004C0000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004C1000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004EA000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145538139.0000000000518000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145600195.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145660499.00000000005DF000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2145673981.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125::/96<nil>AdlamBamumBatakBuhidCall DograErrorGreekKhmerLatinLimbuLocalNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arrayclosedebugdeferfalsefaultfilesfloatgFree$limiterEvent.stop: found wrong event in p's limiter event slotreflect: reflect.Value.Pointer on an invalid notinheap pointerruntime: internal error: misuse of lockOSThread/unlockOSThreadmalformed GOMEMLIMIT; see `go doc runtime/debug.SetMemoryLimit`compileCall$limiterEvent.stop: invalid limiter event type foundpotentially overlapping in-use allocations detectedruntime: netpoll: PostQueuedCompletionStatus failedConvertSecurityDescriptorToStringSecurityDescriptorWConvertStringSecurityDescriptorToSecurityDescriptorWcas$runtime: want=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunreachable: unsafe.Pointerwinapi error #work.full != 0 with GC prog,M3.2.0,M11.1.0476837
    • API String ID: 0-456014569
    • Opcode ID: 7d3f7e2e55a05b197b879f493ba14401e7fe611df3347a5957da8df85b22ca69
    • Instruction ID: 30545eb8675fd47eb7f84746a5f0ee0159743be236799bffc51e0d49c1ceb0d2
    • Opcode Fuzzy Hash: 7d3f7e2e55a05b197b879f493ba14401e7fe611df3347a5957da8df85b22ca69
    • Instruction Fuzzy Hash: 62315961719B448AEB13DB21E45136AF755E7487D0F858521EBAC0FBAACF3CC480CB50