Edit tour

Windows Analysis Report
SecuriteInfo.com.FileRepMalware.23518.16980.exe

Overview

General Information

Sample name:	SecuriteInfo.com.FileRepMalware.23518.16980.exe
Analysis ID:	1521532
MD5:	ea94a1fe3c2921313e7ea2b77675c7db
SHA1:	dd0388d8bdfd510256f26a8e9efe025fd9381867
SHA256:	ecbbb2801bb4d27db737c96ac45b2a51b449ddd9e2e2af42c1e85b79caa5a5ab
Tags:	exe
Infos:

Detection

CobaltStrike, Metasploit

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Yara detected Metasploit Payload

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Potentially malicious time measurement code found

Uses known network protocols on non-standard ports

Contains functionality for execution timing, often used to detect debuggers

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

PE file contains more sections than normal

PE file contains sections with non-standard names

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.FileRepMalware.23518.16980.exe (PID: 7872 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe" MD5: EA94A1FE3C2921313E7EA2B77675C7DB)

conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"C2Server": "http://106.14.141.209:8087/hkDF", "User Agent": "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\n"}

Threatname: Metasploit

{"Headers": "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\n", "Type": "Metasploit Download", "URL": "http://106.14.141.209/hkDF"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x11:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x7d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.1517779379.000000C000110000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.1517779379.000000C000110000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.1517779379.000000C000110000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0xe11:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.1517779379.000000C000110000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0xe7d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
Click to see the 3 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: CobaltStrike {"C2Server": "http://106.14.141.209:8087/hkDF", "User Agent": "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\n"}
Source: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Metasploit {"Headers": "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\n", "Type": "Metasploit Download", "URL": "http://106.14.141.209/hkDF"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe

ReversingLabs: Detection: 70%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.7% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 4x nop then sub rbx, qword ptr [rax+18h]		0_2_0069D240
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 4x nop then mov r8, 0000800000000000h		0_2_006A6B60

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://106.14.141.209:8087/hkDF
Source: Malware configuration extractor	URLs: http://106.14.141.209/hkDF

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49701 -> 8087

Source: global traffic

TCP traffic: 192.168.2.10:49701 -> 106.14.141.209:8087

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd

Source: unknown

DNS traffic detected: query: 18.31.95.13.in-addr.arpa replaycode: Name error (3)

Source: global traffic

HTTP traffic detected: GET /hkDF HTTP/1.1User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)Host: 106.14.141.209:8087Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 106.14.141.209
Source: unknown	TCP traffic detected without corresponding DNS query: 106.14.141.209
Source: unknown	TCP traffic detected without corresponding DNS query: 106.14.141.209
Source: unknown	TCP traffic detected without corresponding DNS query: 106.14.141.209
Source: unknown	TCP traffic detected without corresponding DNS query: 106.14.141.209
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /hkDF HTTP/1.1User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)Host: 106.14.141.209:8087Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe, 00000000.00000002.1518227006.0000029C2A49C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23518.16980.exe, 00000000.00000002.1518227006.0000029C2A4F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://106.14.141.209:8087/hkDF
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe, 00000000.00000002.1518227006.0000029C2A4F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://106.14.141.209:8087/hkDF&
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe, 00000000.00000002.1518227006.0000029C2A4F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://106.14.141.209:8087/hkDFN
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe, 00000000.00000002.1518227006.0000029C2A49C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://106.14.141.209:8087/hkDFly

Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe

Binary or memory string: github.com/lxn/win.registerRawInputDevices

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.1517779379.000000C000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.1517779379.000000C000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_006C8060	0_2_006C8060
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_00685040	0_2_00685040
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_0069D440	0_2_0069D440
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_0068B020	0_2_0068B020
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_006A7000	0_2_006A7000
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_006B70E0	0_2_006B70E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_006854A0	0_2_006854A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_0069A9A0	0_2_0069A9A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_00688D80	0_2_00688D80
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_00694260	0_2_00694260
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_0069EA60	0_2_0069EA60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_0068BA40	0_2_0068BA40
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_0068C640	0_2_0068C640
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_006A42E0	0_2_006A42E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_00684AC7	0_2_00684AC7
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_0069E2A0	0_2_0069E2A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_006A6B60	0_2_006A6B60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_00693705	0_2_00693705

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: String function: 006B2D80 appears 173 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: String function: 006B4E20 appears 186 times

Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe

Static PE information: Number of sections : 13 > 10

Source: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.1517779379.000000C000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.1517779379.000000C000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23

Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe	Static PE information: Section: /19 ZLIB complexity 0.9934974272088354
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe	Static PE information: Section: /32 ZLIB complexity 0.9958333333333333
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe	Static PE information: Section: /65 ZLIB complexity 0.9972217085798817

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/1@1/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe

File opened: C:\Windows\system32\999e755d965c3dfa7a285ddb818297cd4da7f6037d10a9b7a28f683b480e87bfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe

ReversingLabs: Detection: 70%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe

Static file information: File size 2407936 > 1048576

Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe	Static PE information: section name: /4
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe	Static PE information: section name: /19
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe	Static PE information: section name: /32
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe	Static PE information: section name: /46
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe	Static PE information: section name: /65
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe	Static PE information: section name: /78
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe	Static PE information: section name: /90
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_0000029C510F0128 push eax; ret		0_2_0000029C510F0364
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Code function: 0_2_0000029C510F02FD push eax; ret		0_2_0000029C510F0364

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49701 -> 8087

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe

Code function: 0_2_006DB920 rdtscp

0_2_006DB920

Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe, 00000000.00000002.1518227006.0000029C2A514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe, 00000000.00000002.1518227006.0000029C2A514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW,
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe, 00000000.00000002.1518227006.0000029C2A49C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe

Code function: 0_2_006DB920 Start: 006DB929 End: 006DB93F

0_2_006DB920

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe

Code function: 0_2_006DB920 rdtscp

0_2_006DB920

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1517779379.000000C000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Metasploit Payload

Source: Yara match	File source: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1517779379.000000C000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Process Injection	11 Input Capture	11 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	112 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
SecuriteInfo.com.FileRepMalware.23518.16980.exe	71%	ReversingLabs	Win64.Trojan.CobaltStrike
SecuriteInfo.com.FileRepMalware.23518.16980.exe	100%	Avira	TR/Rozena.ofeud
SecuriteInfo.com.FileRepMalware.23518.16980.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
18.31.95.13.in-addr.arpa	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://106.14.141.209/hkDF	true		unknown
http://106.14.141.209:8087/hkDF	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://106.14.141.209:8087/hkDF&	SecuriteInfo.com.FileRepMalware.23518.16980.exe, 00000000.00000002.1518227006.0000029C2A4F9000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://106.14.141.209:8087/hkDFly	SecuriteInfo.com.FileRepMalware.23518.16980.exe, 00000000.00000002.1518227006.0000029C2A49C000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://106.14.141.209:8087/hkDFN	SecuriteInfo.com.FileRepMalware.23518.16980.exe, 00000000.00000002.1518227006.0000029C2A4F9000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
106.14.141.209	unknown	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1521532
Start date and time:	2024-09-28 22:25:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.FileRepMalware.23518.16980.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.FileRepMalware.23518.16980.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	d3r1KVj317.exe	Get hash	malicious	Unknown	Browse	112.74.185.5
	http://aa5aa5aa5aa5aa44.app/	Get hash	malicious	Unknown	Browse	59.82.132.217
	http://hbyczyz.com/xrr	Get hash	malicious	Unknown	Browse	47.108.5.198
	http://www.tpckn.app/	Get hash	malicious	Unknown	Browse	203.107.62.140
	http://alibinaadi.com/.well-known/alibaba/Alibaba/index.php	Get hash	malicious	Unknown	Browse	59.82.33.225
	cjg7obu8xR.exe	Get hash	malicious	Unknown	Browse	112.74.185.5
	cjg7obu8xR.exe	Get hash	malicious	Unknown	Browse	112.74.185.5
	http://promo1.spik.ru/CN/	Get hash	malicious	HTMLPhisher	Browse	59.82.132.149
	https://oxbike-br.com/XRpb24t/zc2liaWx/	Get hash	malicious	HTMLPhisher	Browse	59.82.33.225
	http://wwwhd4480.com/	Get hash	malicious	Unknown	Browse	106.11.43.113

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1213
Entropy (8bit):	4.942310874298255
Encrypted:	false
SSDEEP:	24:BF2sFq0vCRja73EWyv8rR6XafbaZzB2cjvG9wsZ0HaLQ8u/rFgFrl:Zc63PB6XR98n9ws6d8er+L
MD5:	17EFF328E6554BCB6308F8B4D2A3F8EF
SHA1:	E2E7BF7ECB1E881F1DC00F7C37A7E125724B486E
SHA-256:	5F4E0A663969E10F8500DEDC85BAC32BFDD78FC09977E9C61AF27C78D1C86487
SHA-512:	F87FF47532924CFD56CCA7241DCF4FA8402BB5EAA946BF0F9814CE5E10A3B24B9F60ACD478E7AF21563AB0D68A3A57FA90BD0770FD6EC717DA1070F8623F6411
Malicious:	false
Reputation:	low
Preview:	Exception 0xc0000005 0x0 0x0 0x29c510f0030.PC=0x29c510f0030..runtime.cgocall(0x6dd2c0, 0x7f10a0)..F:/Base/Go/src/runtime/cgocall.go:157 +0x4a fp=0xc00007bcb8 sp=0xc00007bc80 pc=0x6832ca.syscall.SyscallN(0x29c510f0000?, {0xc00007bd50?, 0x3?, 0x68c467?})..F:/Base/Go/src/runtime/syscall_windows.go:538 +0x109 fp=0xc00007bd30 sp=0xc00007bcb8 pc=0x6d87c9.syscall.Syscall(0xc000004150?, 0xc000012200?, 0xc?, 0xc000112800?, 0xc000110700?)..F:/Base/Go/src/runtime/syscall_windows.go:476 +0x3b fp=0xc00007bd78 sp=0xc00007bd30 pc=0x6d85fb.main.main()..C:/Users/TianJing/Downloads/GobypassAV-shellcode-main/Base85+XOR+RC4/decode.go:52 +0x38a fp=0xc00007bf80 sp=0xc00007bd78 pc=0x725d4a.runtime.main()..F:/Base/Go/src/runtime/proc.go:250 +0x1fe fp=0xc00007bfe0 sp=0xc00007bf80 pc=0x6b53fe.runtime.goexit()..F:/Base/Go/src/runtime/asm_amd64.s:1571 +0x1 fp=0xc00007bfe8 sp=0xc00007bfe0 pc=0x6dba61.rax 0x0.rbx 0x29c510f01d6.rcx 0x0.rdi 0x0.rsi 0x0.rbp 0x29c510f000a.rsp 0xf9a47ff330.r8

Static File Info

General

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.9090934306154255
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	SecuriteInfo.com.FileRepMalware.23518.16980.exe
File size:	2'407'936 bytes
MD5:	ea94a1fe3c2921313e7ea2b77675c7db
SHA1:	dd0388d8bdfd510256f26a8e9efe025fd9381867
SHA256:	ecbbb2801bb4d27db737c96ac45b2a51b449ddd9e2e2af42c1e85b79caa5a5ab
SHA512:	75faeea680fea9fa1ba1980aceb9f7c85208664d568d3d4a45079eb64fa542228a8f204cd48075af86b6ff25f599e6b186c5965ebb6bc7c19e5e45151b062c81
SSDEEP:	49152:9cUopVYb8CZgJEy4YqQD1qywbLTqFPO6KqMvdv2hSfrfX:jByQywfTYm6K7Aq
TLSH:	1EB58D06BC9570B6CAE99232897592A03731B8490F3167C32E11B7BA3F767D41F753A8
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........x"......."......N....................@...............................*...........`... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x45d100
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	9cbefe68f395e67356e2a5d8d1b285c0

Entrypoint Preview

Instruction
jmp 00007F09D4EBB820h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
dec eax
sub esp, 30h
dec ecx
mov edi, eax
dec eax
mov edx, dword ptr [00000028h]
dec eax
cmp edx, 00000000h
jne 00007F09D4EBF4AEh
dec eax
mov eax, 00000000h
jmp 00007F09D4EBF525h
dec eax
mov edx, dword ptr [edx+00000000h]
dec eax
cmp edx, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x286000	0x47c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x287000	0x2e3c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x156220	0x140	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa4d90	0xa4e00	2114996714e50068dfa6488b100672cf	False	0.45603765873768004	data	6.18924062305756	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa6000	0xafff0	0xb0000	280090d388b88bc7ad9446e8f0036935	False	0.4012686989524148	data	5.3260154839437455	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x156000	0x73ea0	0x18000	c139068775b55bb5887ae3ad1c031551	False	0.3939412434895833	data	4.611186910610202	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/4	0x1ca000	0x127	0x200	43dc7a0ae5a7067502907db800396667	False	0.6171875	data	5.097874074212899	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x1cb000	0x1f15c	0x1f200	a5082d32ba749de000d4c096f6ea8c67	False	0.9934974272088354	data	7.992062259347675	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/32	0x1eb000	0x599f	0x5a00	25da92f88190240ca5a5c424fe39b0ae	False	0.9958333333333333	data	7.926076700406343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/46	0x1f1000	0x27	0x200	e3c686c1e9fc992a4ad08d9ebc8a8364	False	0.0859375	data	0.706281805748948	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/65	0x1f2000	0x69955	0x69a00	93ca2dd031c76f2741fc6d8fee5e0a2e	False	0.9972217085798817	data	7.99767609028745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/78	0x25c000	0x1f1ef	0x1f200	da3acf57134fee9b24b6996fd9274a7c	False	0.9679969879518072	data	7.987802316638694	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/90	0x27c000	0x9163	0x9200	fcc996d775c1e032bd5a6a9169d14e06	False	0.9744488441780822	data	7.788007124940507	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x286000	0x47c	0x600	40ddbb53e57d8e9741f88746c888c315	False	0.3313802083333333	data	3.520510903145283	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x287000	0x2e3c	0x3000	2eabf79e4217edd339301fd1cdd4ddad	False	0.3770345052083333	data	5.373007243001511	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x28a000	0x24443	0x24600	686f67828ec537f91db1333a8ab6d21b	False	0.24097938144329897	data	5.238010156875437	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2024 22:26:02.134365082 CEST	49701	8087	192.168.2.10	106.14.141.209
Sep 28, 2024 22:26:02.139309883 CEST	8087	49701	106.14.141.209	192.168.2.10
Sep 28, 2024 22:26:02.139400005 CEST	49701	8087	192.168.2.10	106.14.141.209
Sep 28, 2024 22:26:02.139569998 CEST	49701	8087	192.168.2.10	106.14.141.209
Sep 28, 2024 22:26:02.144712925 CEST	8087	49701	106.14.141.209	192.168.2.10
Sep 28, 2024 22:26:23.513449907 CEST	8087	49701	106.14.141.209	192.168.2.10
Sep 28, 2024 22:26:23.513541937 CEST	49701	8087	192.168.2.10	106.14.141.209
Sep 28, 2024 22:26:23.513778925 CEST	49701	8087	192.168.2.10	106.14.141.209
Sep 28, 2024 22:26:23.518942118 CEST	8087	49701	106.14.141.209	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2024 22:26:34.627815962 CEST	53	50279	162.159.36.2	192.168.2.10
Sep 28, 2024 22:26:35.114304066 CEST	49469	53	192.168.2.10	1.1.1.1
Sep 28, 2024 22:26:35.128185034 CEST	53	49469	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 28, 2024 22:26:35.114304066 CEST	192.168.2.10	1.1.1.1	0x2f27	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 28, 2024 22:26:35.128185034 CEST	1.1.1.1	192.168.2.10	0x2f27	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

106.14.141.209:8087

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49701	106.14.141.209	8087	7872	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe

Timestamp	Bytes transferred	Direction	Data
Sep 28, 2024 22:26:02.139569998 CEST	175	OUT	GET /hkDF HTTP/1.1 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Host: 106.14.141.209:8087 Connection: Keep-Alive Cache-Control: no-cache

Target ID:	0
Start time:	16:26:01
Start date:	28/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe"
Imagebase:	0x680000
File size:	2'407'936 bytes
MD5 hash:	EA94A1FE3C2921313E7EA2B77675C7DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.1517779379.000000C000110000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.1517779379.000000C000110000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.1517779379.000000C000110000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.1517779379.000000C000110000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:26:01
Start date:	28/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	1

Executed Functions

Function 0000029C510F0109 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectA.WININET(00000003,00000003,00000002,00000001), ref: 0000029C510F0124

Part of subcall function 0000029C510F0128: HttpOpenRequestA.WININET(00000000,00000000,84400200,00000000), ref: 0000029C510F0143

Strings

U.;, xrefs: 0000029C510F013E

Memory Dump Source

Source File: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000029C510F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c510f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ConnectHttpInternetOpenRequest
String ID: U.;
API String ID: 1341064763-4213443877
Opcode ID: 68cff7655bd4aeab329f58e5418a888a89b77a2ed6238346b8879eb87c52e368
Instruction ID: 6a3a7fc491ffde345bfb587df6d91f69f21af8a4241dd8ec611ca7d3105a0653
Opcode Fuzzy Hash: 68cff7655bd4aeab329f58e5418a888a89b77a2ed6238346b8879eb87c52e368
Instruction Fuzzy Hash: EB51ED6926CA906BF3A5873C894F3B73BC6EBD2304FF9429DD08197297D550E802C3A5

Function 0000029C510F0128 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(00000000,00000000,84400200,00000000), ref: 0000029C510F0143

Strings

U.;, xrefs: 0000029C510F013E

Memory Dump Source

Source File: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000029C510F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c510f0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: U.;
API String ID: 1984915467-4213443877
Opcode ID: d48c2d9fb8955299c963e91b26be717bbe84ba6b4bf8f8c02f85d3d37a0ae8aa
Instruction ID: abf898ee9b3798b7c373c0f4dc28a90a2d134338f3d2807847d76210687a7dbf
Opcode Fuzzy Hash: d48c2d9fb8955299c963e91b26be717bbe84ba6b4bf8f8c02f85d3d37a0ae8aa
Instruction Fuzzy Hash: 1C11796034980D0BF66895AE7C9A73B11CBD7D8765F75822FB40ED33D9ED54CC82812A

Non-executed Functions

Function 006A7000 Relevance: 20.5, Strings: 16, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewglGetProcAddresswrong, xrefs: 006A781E
bad summary databad symbol tablecastogscanstatuscontext canceledgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapnewmHandoff.lockno route to hostnon-, xrefs: 006A741C, 006A7B6C
, i = , not 390625<-chanAnswerArabicBitBltBrahmiCarianChakmaCommonCopticEndDocFormatGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLineToLycianLydianMulDivRejangSCHED SaveDCStringSyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UT, xrefs: 006A78C5
, j0 = 19531259765625AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanEllipseElymaicEndPageFillRgnFreeSidGODEBUGGranthaHanunooIO waitIsChildKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaRadicalSetMenuSetRectSharadaShavianSiddhamSinhalaSleepExSogdianS, xrefs: 006A785A
, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCM_Get_DevNode_StatusCentral Standard TimeChangeServiceConfig2WDeregisterEventSourceDwmGetWi, xrefs: 006A7945
][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMroNDTNSTNaNNkoPC=PDTPKTPSTUTCVaiWAT]:adxaesavxendfinf, xrefs: 006A7356, 006A7799
] = (arrayclosedeferfalsefaultgFreegcinggscanhchanhttpsimap2imap3imapsinit int16int32int64mheapntohspanicpop3sscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usage B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= , xrefs: 006A7374
runtime: levelShift[level] = runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = semacquire not on the G stackstring concatenation too longsyntax error scanning boolea, xrefs: 006A7925
runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs cleaning bytes failed with errno= to unused region of span2910383045673370361328125AUS Central Standard TimeAUS Eastern Standard TimeAfghanistan Standard TimeExpandEnvironm, xrefs: 006A78A5
runtime: npages = runtime: range = {runtime: textAddr streams pipe errorsystem page size (tracebackancestorsuse of closed filevalue out of rangewglUseFontBitmapsW [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=1490116119384765625745, xrefs: 006A73EF
, ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanI, xrefs: 006A738F, 006A73AF, 006A77CF, 006A77EF
, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDestroyIconDestroyMenuDives_AkuruDrawMenuBarDrawTextExWEnumWindowsExitProcessFindWindowWFreeLibraryGOTRACEBACKGetAncestorGetCaretPosGetFileTypeGetIcon, xrefs: 006A783C
] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindpipepop3profrootsbrksmtpsse3tcp4trueudp4uint ... MB, and cnt= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-, xrefs: 006A77B4
runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewglGetProcAddresswrong medium type but memory size because dotdotdot in, xrefs: 006A733B, 006A7772
), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHa, xrefs: 006A73CF
~~j, xrefs: 006A7BA8

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHa$, ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanI$, i = , not 390625<-chanAnswerArabicBitBltBrahmiCarianChakmaCommonCopticEndDocFormatGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLineToLycianLydianMulDivRejangSCHED SaveDCStringSyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UT$, j0 = 19531259765625AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanEllipseElymaicEndPageFillRgnFreeSidGODEBUGGranthaHanunooIO waitIsChildKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaRadicalSetMenuSetRectSharadaShavianSiddhamSinhalaSleepExSogdianS$, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCM_Get_DevNode_StatusCentral Standard TimeChangeServiceConfig2WDeregisterEventSourceDwmGetWi$, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDestroyIconDestroyMenuDives_AkuruDrawMenuBarDrawTextExWEnumWindowsExitProcessFindWindowWFreeLibraryGOTRACEBACKGetAncestorGetCaretPosGetFileTypeGetIcon$] = (arrayclosedeferfalsefaultgFreegcinggscanhchanhttpsimap2imap3imapsinit int16int32int64mheapntohspanicpop3sscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usage B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= $] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindpipepop3profrootsbrksmtpsse3tcp4trueudp4uint ... MB, and cnt= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-$][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMroNDTNSTNaNNkoPC=PDTPKTPSTUTCVaiWAT]:adxaesavxendfinf$bad summary databad symbol tablecastogscanstatuscontext canceledgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapnewmHandoff.lockno route to hostnon-$runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewglGetProcAddresswrong$runtime: levelShift[level] = runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = semacquire not on the G stackstring concatenation too longsyntax error scanning boolea$runtime: npages = runtime: range = {runtime: textAddr streams pipe errorsystem page size (tracebackancestorsuse of closed filevalue out of rangewglUseFontBitmapsW [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=1490116119384765625745$runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs cleaning bytes failed with errno= to unused region of span2910383045673370361328125AUS Central Standard TimeAUS Eastern Standard TimeAfghanistan Standard TimeExpandEnvironm$runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewglGetProcAddresswrong medium type but memory size because dotdotdot in$~~j
API String ID: 0-1605743319
Opcode ID: dd3f9f0d31b2d4a497eac34beea0c17faab4a9fbc320958152d216ffab8cf97d
Instruction ID: 89239c7b4e64edc2dc6934b596c0bd15f6d34ab1028b5829e94a1245d00b1dc9
Opcode Fuzzy Hash: dd3f9f0d31b2d4a497eac34beea0c17faab4a9fbc320958152d216ffab8cf97d
Instruction Fuzzy Hash: DF32A9B6718AC481DB60AF15F8413DAA726F789BC0F448126DF8D17B5ADF38D986CB04

Function 0068B020 Relevance: 15.3, Strings: 12, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

out of memory allocating heap arena metadatareflect: funcLayout with interface receiver runtime: lfstack.push invalid packing: node=use of WriteTo with pre-connected connectioncannot send after transport endpoint shutdowncharacter string exceeds maximum length, xrefs: 0068B307
!, xrefs: 0068B57D
out of memory allocating allArenasreflect: Field index out of boundsreflect: Field of non-struct type reflect: string index out of rangeruntime.SetFinalizer: cannot pass runtime: g is running but p is notruntime: unexpected return pc for schedule: spinning wit, xrefs: 0068B2F6
end outside usable address spacenumerical argument out of domainpanic while printing panic valuereflect.nameFrom: tag too long: removespecial on invalid pointerresource temporarily unavailableruntime.semasleep wait_abandonedruntime: failed to release pagesrunt, xrefs: 0068B5B1
runtime: memory allocated by OS [runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-nega, xrefs: 0068B617
, ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanI, xrefs: 0068B632
base outside usable address spaceconcurrent map read and map writefindrunnable: negative nmspinningfreeing stack not in a stack spanheapBitsSetType: unexpected shiftmin must be a non-zero power of 2misrounded allocation in sysAllocreflect.nameFrom: name too lo, xrefs: 0068B583
region exceeds uintptr rangeruntime.semasleep unexpectedruntime: bad lfnode address runtime: casgstatus: oldval=runtime: no module data for save on system g not allowedunreserving unaligned region45474735088646411895751953125CM_Get_Device_Interface_ListWCentra, xrefs: 0068B559
out of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetraceback: unexpected SPWRITE function transport endpoint is alre, xrefs: 0068B329
) not in usable address space: ...additional frames elided....lib section in a.out corrupted11368683772161602973937988281255684341886080801486968994140625Central Brazilian Standard TimeCertDuplicateCertificateContextMountain Standard Time (Mexico)SetupDiGetDe, xrefs: 0068B64F
memory reservation exceeds address space limitpanicwrap: unexpected string after type name: reflect.Value.Slice: slice index out of boundsreleased less than one physical page of memoryruntime: failed to create new OS thread (have runtime: name offset base poin, xrefs: 0068B67E
arena already initializedbad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno buffer , xrefs: 0068B318

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: !$) not in usable address space: ...additional frames elided....lib section in a.out corrupted11368683772161602973937988281255684341886080801486968994140625Central Brazilian Standard TimeCertDuplicateCertificateContextMountain Standard Time (Mexico)SetupDiGetDe$, ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanI$arena already initializedbad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno buffer $base outside usable address spaceconcurrent map read and map writefindrunnable: negative nmspinningfreeing stack not in a stack spanheapBitsSetType: unexpected shiftmin must be a non-zero power of 2misrounded allocation in sysAllocreflect.nameFrom: name too lo$end outside usable address spacenumerical argument out of domainpanic while printing panic valuereflect.nameFrom: tag too long: removespecial on invalid pointerresource temporarily unavailableruntime.semasleep wait_abandonedruntime: failed to release pagesrunt$memory reservation exceeds address space limitpanicwrap: unexpected string after type name: reflect.Value.Slice: slice index out of boundsreleased less than one physical page of memoryruntime: failed to create new OS thread (have runtime: name offset base poin$out of memory allocating allArenasreflect: Field index out of boundsreflect: Field of non-struct type reflect: string index out of rangeruntime.SetFinalizer: cannot pass runtime: g is running but p is notruntime: unexpected return pc for schedule: spinning wit$out of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetraceback: unexpected SPWRITE function transport endpoint is alre$out of memory allocating heap arena metadatareflect: funcLayout with interface receiver runtime: lfstack.push invalid packing: node=use of WriteTo with pre-connected connectioncannot send after transport endpoint shutdowncharacter string exceeds maximum length$region exceeds uintptr rangeruntime.semasleep unexpectedruntime: bad lfnode address runtime: casgstatus: oldval=runtime: no module data for save on system g not allowedunreserving unaligned region45474735088646411895751953125CM_Get_Device_Interface_ListWCentra$runtime: memory allocated by OS [runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-nega
API String ID: 0-2302844595
Opcode ID: 190ac760c7cb68a64f16627a2821d270fcc7431969160bc5e7f2f4824e39751d
Instruction ID: 429af1f99667a9d127902e53ed53ccd86d14455ec2b943ece5c7dd99b945ab24
Opcode Fuzzy Hash: 190ac760c7cb68a64f16627a2821d270fcc7431969160bc5e7f2f4824e39751d
Instruction Fuzzy Hash: 3FE1BA72604B8482DB60AF66F4403DAA366F749B90F84522AEFEC47799DF3CD585C740

Function 0068BA40 Relevance: 8.1, Strings: 6, Instructions: 553COMMON

Download Yara Rule

Strings

malloc during signalnotetsleep not on g0p mcache not flushedpacer: assist ratio=preempt off reason: reflect.makeFuncStubruntime: unknown pc semaRoot rotateRighttime: invalid numbertrace: out of memorywglGetCurrentContextwirep: already in goworkbuf is not empty, xrefs: 0068C316
!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 0068BE13
mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in reset, xrefs: 0068C305
delayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characternot enough significant bits after mult128bitPow10panicwrap: unex, xrefs: 0068C2BC
mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewruntime: unable to acquire - semaphore out of syncfatal: systemstack called from unexpected goroutinepotentially overlapping in-use allocations detectedruntime:, xrefs: 0068C338
malloc deadlockmisaligned maskmissing addressmissing mcache?ms: gomaxprocs=network is downno medium foundno such processpreempt SPWRITErecovery failedruntime error: runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm, xrefs: 0068C327

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$delayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characternot enough significant bits after mult128bitPow10panicwrap: unex$malloc deadlockmisaligned maskmissing addressmissing mcache?ms: gomaxprocs=network is downno medium foundno such processpreempt SPWRITErecovery failedruntime error: runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm$malloc during signalnotetsleep not on g0p mcache not flushedpacer: assist ratio=preempt off reason: reflect.makeFuncStubruntime: unknown pc semaRoot rotateRighttime: invalid numbertrace: out of memorywglGetCurrentContextwirep: already in goworkbuf is not empty$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewruntime: unable to acquire - semaphore out of syncfatal: systemstack called from unexpected goroutinepotentially overlapping in-use allocations detectedruntime:$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in reset
API String ID: 0-1308267341
Opcode ID: bcd028a9f677ec3ca78667ff0c7571ec1f9023209dfcdd6b4cd664ebd56cb835
Instruction ID: aafc7e17c1feddb260829edf5210a8f40bc84c264327f43130092a546daa41ae
Opcode Fuzzy Hash: bcd028a9f677ec3ca78667ff0c7571ec1f9023209dfcdd6b4cd664ebd56cb835
Instruction Fuzzy Hash: 9032E872208B80C2DB64DB15E4407AABB66F789BD4F599216EF9D07B69CF7CC845CB00

Function 0069D440 Relevance: 6.4, Strings: 5, Instructions: 144COMMON

Download Yara Rule

Strings

(scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanEllipseElymaicEndPageFillRgnFreeSidGODEBUGGranthaHanunooIO waitIsChildK, xrefs: 0069D626
MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625AnimateWindowCertOpenStoreCoTaskMemFreeCreateActCtxW, xrefs: 0069D685
+-./5<=?CLMPSUZ[\, xrefs: 0069D6A5
pacer: assist ratio=preempt off reason: reflect.makeFuncStubruntime: unknown pc semaRoot rotateRighttime: invalid numbertrace: out of memorywglGetCurrentContextwirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found of unexported metho, xrefs: 0069D606
->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDT, xrefs: 0069D665

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanEllipseElymaicEndPageFillRgnFreeSidGODEBUGGranthaHanunooIO waitIsChildK$ MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625AnimateWindowCertOpenStoreCoTaskMemFreeCreateActCtxW$+-./5<=?CLMPSUZ[\$->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDT$pacer: assist ratio=preempt off reason: reflect.makeFuncStubruntime: unknown pc semaRoot rotateRighttime: invalid numbertrace: out of memorywglGetCurrentContextwirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found of unexported metho
API String ID: 0-276758692
Opcode ID: 162c147808f1654806f8404f910aae7cd4a2c619c39510d8d77baefe221c97ac
Instruction ID: 1e20b95d9d07e4763a14c00ef053280673ca910ebd5131de27a00cdb674c9a39
Opcode Fuzzy Hash: 162c147808f1654806f8404f910aae7cd4a2c619c39510d8d77baefe221c97ac
Instruction Fuzzy Hash: F561B172908F8085CB41EF25E44039AB7AAFB9ABC0F05D336AA4D17B26DF38D081C740

Function 006854A0 Relevance: 5.4, Strings: 4, Instructions: 413COMMON

Download Yara Rule

Strings

xTh, xrefs: 00685B4F
G waiting list is corruptedGdipCreateBitmapFromHBITMAPGdipCreateHBITMAPFromBitmapGetSecurityDescriptorLengthGetUserPreferredUILanguagesPdhGetFormattedCounterValueSetupDiClassNameFromGuidExWSetupDiGetDeviceInstanceIdWSetupDiGetDriverInfoDetailWStartServiceCtrlD, xrefs: 00685B2A
unreachableuserenv.dlluxtheme.dllversion.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<ni, xrefs: 00685646
xTh, xrefs: 006854A0

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: G waiting list is corruptedGdipCreateBitmapFromHBITMAPGdipCreateHBITMAPFromBitmapGetSecurityDescriptorLengthGetUserPreferredUILanguagesPdhGetFormattedCounterValueSetupDiClassNameFromGuidExWSetupDiGetDeviceInstanceIdWSetupDiGetDriverInfoDetailWStartServiceCtrlD$unreachableuserenv.dlluxtheme.dllversion.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<ni$xTh$xTh
API String ID: 0-3665277182
Opcode ID: b5cdd342e3facc60dc067063ba73ad607790ca4368bd12db30005878ec31fe44
Instruction ID: b56f1f0cc2c0cf01cb4b55159c6141ed2e1ec37e4617bfc5633afabfcdb4c75f
Opcode Fuzzy Hash: b5cdd342e3facc60dc067063ba73ad607790ca4368bd12db30005878ec31fe44
Instruction Fuzzy Hash: CB02B172604F84C5DB60EB25E44039EB7A2F789BD0F99A62ADA8D47B19CF7DC485C700

Function 006B70E0 Relevance: 5.3, Strings: 4, Instructions: 251COMMON

Download Yara Rule

Strings

newval= nfreed= packed= pointer stack=[ status 48828125AbortDocAcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDeleteDCDuployanEndPaintEqualSidEthiopicExtenderGdiFlushGeorgianGetFocusGetPixelGoStringGujaratiGurmukhiHiraganaIsIconicIsWi, xrefs: 006B74C8
casgstatus: bad incoming valuescheckmark found unmarked objectencoding/hex: invalid byte: %#Uentersyscallblock inconsistent fmt: unknown base; can't happeninternal error - misuse of itabinvalid network interface indexmalformed time zone informationnon in-use s, xrefs: 006B74EF
runtime: casgstatus: oldval=runtime: no module data for save on system g not allowedunreserving unaligned region45474735088646411895751953125CM_Get_Device_Interface_ListWCentral America Standard TimeCentral Pacific Standard TimeChatham Islands Standard TimeDel, xrefs: 006B74AD
casgstatus: waiting for Gwaiting but is Grunnabledelayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characternot enough sign, xrefs: 006B7450

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: newval= nfreed= packed= pointer stack=[ status 48828125AbortDocAcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDeleteDCDuployanEndPaintEqualSidEthiopicExtenderGdiFlushGeorgianGetFocusGetPixelGoStringGujaratiGurmukhiHiraganaIsIconicIsWi$casgstatus: bad incoming valuescheckmark found unmarked objectencoding/hex: invalid byte: %#Uentersyscallblock inconsistent fmt: unknown base; can't happeninternal error - misuse of itabinvalid network interface indexmalformed time zone informationnon in-use s$casgstatus: waiting for Gwaiting but is Grunnabledelayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characternot enough sign$runtime: casgstatus: oldval=runtime: no module data for save on system g not allowedunreserving unaligned region45474735088646411895751953125CM_Get_Device_Interface_ListWCentral America Standard TimeCentral Pacific Standard TimeChatham Islands Standard TimeDel
API String ID: 0-3229847984
Opcode ID: 794dddfd5d7c5b9bd4db76c3b89601f99917f0a6924ec1140a24e6d231b19fa6
Instruction ID: 86ace7fbdbc635d0b3a3c4272119ec8b75e7c49fe31faeb7506416cfe8fa0a54
Opcode Fuzzy Hash: 794dddfd5d7c5b9bd4db76c3b89601f99917f0a6924ec1140a24e6d231b19fa6
Instruction Fuzzy Hash: 0BA1AFB6709B84C6DB54CB25E4813AEBBA2F389794F448126EF9D43B65CF39D485CB00

Function 00684AC7 Relevance: 4.1, Strings: 3, Instructions: 378COMMON

Download Yara Rule

Strings

chansend: spurious wakeupcheckdead: no m for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno buffer space availableno such device or addressno such network interfaceno suitabl, xrefs: 00684D22
G waiting list is corruptedGdipCreateBitmapFromHBITMAPGdipCreateHBITMAPFromBitmapGetSecurityDescriptorLengthGetUserPreferredUILanguagesPdhGetFormattedCounterValueSetupDiClassNameFromGuidExWSetupDiGetDeviceInstanceIdWSetupDiGetDriverInfoDetailWStartServiceCtrlD, xrefs: 00684D46
unreachableuserenv.dlluxtheme.dllversion.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<ni, xrefs: 00684865

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: G waiting list is corruptedGdipCreateBitmapFromHBITMAPGdipCreateHBITMAPFromBitmapGetSecurityDescriptorLengthGetUserPreferredUILanguagesPdhGetFormattedCounterValueSetupDiClassNameFromGuidExWSetupDiGetDeviceInstanceIdWSetupDiGetDriverInfoDetailWStartServiceCtrlD$chansend: spurious wakeupcheckdead: no m for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno buffer space availableno such device or addressno such network interfaceno suitabl$unreachableuserenv.dlluxtheme.dllversion.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<ni
API String ID: 0-2605431326
Opcode ID: d62f6864bc5859e73c6e2302b99312e790633f1390e793afc6712c74903da29c
Instruction ID: f89b8cf1ee61721b89eec744355530fd1ceb83376c53d553171d2b500628bd35
Opcode Fuzzy Hash: d62f6864bc5859e73c6e2302b99312e790633f1390e793afc6712c74903da29c
Instruction Fuzzy Hash: F5F1E472604B85C6D760EB25E44039EB7A2F785BE4F94A72ADA9C47B99CF3CC485C700

Function 0069EA60 Relevance: 4.0, Strings: 3, Instructions: 219COMMON

Download Yara Rule

Strings

i, xrefs: 0069EAE9, 0069EB09
released less than one physical page of memoryruntime: failed to create new OS thread (have runtime: name offset base pointer out of rangeruntime: panic before malloc heap initializedruntime: text offset base pointer out of rangeruntime: type offset base poin, xrefs: 0069EE6B
fki, xrefs: 0069EE90

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: i$fki$released less than one physical page of memoryruntime: failed to create new OS thread (have runtime: name offset base pointer out of rangeruntime: panic before malloc heap initializedruntime: text offset base pointer out of rangeruntime: type offset base poin
API String ID: 0-2307413615
Opcode ID: 5e8dd6d8c4e18fac07524ecf927c5d378f048e52529648daf6fbb928e4b65632
Instruction ID: c93a2da61cccc9c7f0111feef17e1eaf0defa07cf8a64a3c0b0d8fd7d8cecf73
Opcode Fuzzy Hash: 5e8dd6d8c4e18fac07524ecf927c5d378f048e52529648daf6fbb928e4b65632
Instruction Fuzzy Hash: 1CA1F231A1AF45C5EB42DF25E840366A36AFB867C0F509626E98E17B36EF3DD481C740

Function 006A42E0 Relevance: 1.6, Strings: 1, Instructions: 379COMMON

Download Yara Rule

Strings

grew heap, but no adequate free space foundheapBitsSetTypeGCProg: unexpected bit countinterrupted system call should be restartedmethodValueCallFrameObjs is not in a modulemult64bitPow10: power of 10 is out of rangemultiple Read calls return no data or errorno, xrefs: 006A48EC

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: grew heap, but no adequate free space foundheapBitsSetTypeGCProg: unexpected bit countinterrupted system call should be restartedmethodValueCallFrameObjs is not in a modulemult64bitPow10: power of 10 is out of rangemultiple Read calls return no data or errorno
API String ID: 0-4206827478
Opcode ID: 7c71561da07ece110732b5930d4cbccca8573dc03a591c4e60cdeaf0fc9fef1f
Instruction ID: e589502ed9b43813700e182eb34a9c4cac909dcd9e1e9ce0a5a829867cd39158
Opcode Fuzzy Hash: 7c71561da07ece110732b5930d4cbccca8573dc03a591c4e60cdeaf0fc9fef1f
Instruction Fuzzy Hash: 88F17172609B8482DB609F15E48039EB7A2F78ABD4F585126EBCD47B29DF7CC851CB40

Function 00685040 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

KRt, xrefs: 00685423

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: KRt
API String ID: 0-1550528960
Opcode ID: d8291b3acbc0bfd67cce348c61f84461b2d8c1e253c83d34187d2b2e4fc79c8d
Instruction ID: c5b162144f2c760627720d6967a888785b2fd4f69029af51a7342b368ce59dd8
Opcode Fuzzy Hash: d8291b3acbc0bfd67cce348c61f84461b2d8c1e253c83d34187d2b2e4fc79c8d
Instruction Fuzzy Hash: D4A1C272608F44C6DB10EF24E05439AB7B2F746BC4F98A62ADA8E17718DF79C586C740

Function 006C8060 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

string concatenation too longsyntax error scanning booleantimeBegin/EndPeriod not foundtoo many open files in system (types from different scopes) in prepareForSweep; sweepgen locals stack map entries for 227373675443232059478759765625Central European Standar, xrefs: 006C82A5

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: string concatenation too longsyntax error scanning booleantimeBegin/EndPeriod not foundtoo many open files in system (types from different scopes) in prepareForSweep; sweepgen locals stack map entries for 227373675443232059478759765625Central European Standar
API String ID: 0-538685461
Opcode ID: 54205acfbc63e5a2e59cf2a552693b8ae04736e648d92cd230e4e2a8c766042d
Instruction ID: 180f1112d219b046d143a185956b75dff52320252781424efdec64440f091b49
Opcode Fuzzy Hash: 54205acfbc63e5a2e59cf2a552693b8ae04736e648d92cd230e4e2a8c766042d
Instruction Fuzzy Hash: B751A032708BA485DB20CF52E840BAAA766F388FC4F58841AEE8D57F18CF38C5528740

Function 00694260 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

out of memoryruntime: seq=runtime: val=srmount errortimer expiredtraceStackTabvalue method wglShareListsxadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit19073, xrefs: 00694448, 00694459

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: out of memoryruntime: seq=runtime: val=srmount errortimer expiredtraceStackTabvalue method wglShareListsxadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit19073
API String ID: 0-319304838
Opcode ID: 34010e9cce1147ce06215cdd713c60b841466cce8e29d20b3b92d1ef05b22e47
Instruction ID: dc36437735268b5207a8a4ebda37c2a666109eeccb99244a7f9d0652cc41834c
Opcode Fuzzy Hash: 34010e9cce1147ce06215cdd713c60b841466cce8e29d20b3b92d1ef05b22e47
Instruction Fuzzy Hash: C151C572314B8186CF50DB15E4907AEB7A6F789B84F84542AEB8E43B29DF3CC559CB40

Function 0069D240 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

gcmarknewobject called while doing checkmarkinsufficient data for calculated length typemult128bitPow10: power of 10 is out of rangeout of memory allocating heap arena metadatareflect: funcLayout with interface receiver runtime: lfstack.push invalid packing: n, xrefs: 0069D32F

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: gcmarknewobject called while doing checkmarkinsufficient data for calculated length typemult128bitPow10: power of 10 is out of rangeout of memory allocating heap arena metadatareflect: funcLayout with interface receiver runtime: lfstack.push invalid packing: n
API String ID: 0-1289113390
Opcode ID: 7118516241a2f39ca3b61dc9722878126e2055adbf66fa2eb8bf976de8563089
Instruction ID: daefc03005058176b45ec40089f5579f75a5316b490ddc668b678d6b03425687
Opcode Fuzzy Hash: 7118516241a2f39ca3b61dc9722878126e2055adbf66fa2eb8bf976de8563089
Instruction Fuzzy Hash: 6B21AFA3B11BC987EF009F25D4803986B62F3A6B84F89A576CA4D47B59CB6CC556C300

Function 00693705 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8994d8bd32671462db21b55cd07723a2fbe01b74233fc7a35c99f5d2bda09d48
Instruction ID: d105906971885453dc7531f60efc3bfe16b23d25e416b8630983f3b3a6117fe6
Opcode Fuzzy Hash: 8994d8bd32671462db21b55cd07723a2fbe01b74233fc7a35c99f5d2bda09d48
Instruction Fuzzy Hash: 3471CDA3B182F493EE00CA96A400DF9661EE366FD4B445511EE6F27F49D678CB07E304

Function 006A6B60 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e454e5f73a4012067eb0d6c02dfe7c49ca4f58a69bf0829b5723d20e03b91bc
Instruction ID: 53f162c40c4165a36d5e98ecb3004abfd1cff082c6b6bd1e31e391a0a96c6da9
Opcode Fuzzy Hash: 3e454e5f73a4012067eb0d6c02dfe7c49ca4f58a69bf0829b5723d20e03b91bc
Instruction Fuzzy Hash: A5917977618B8486DB20DB15F08035AB7A2F78ABD4F58512AEBDE53B59CB3CC455CB00

Function 00688D80 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c8d7580c853090fa780d2b6ed774be28704c3aa338da57b315b5a74c926a3a7
Instruction ID: 9bb9567d958438eebd1da00d984919142f71b699eb28ba90f5ad0cddaacc8817
Opcode Fuzzy Hash: 5c8d7580c853090fa780d2b6ed774be28704c3aa338da57b315b5a74c926a3a7
Instruction Fuzzy Hash: 3A4118A6701A6586AE149B6685240AAE363E74EFD07D8F333CF1D77768CA3CD506C344

Function 0069A9A0 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75958c0b36038fcb0a4e50354b0b014c9d6bf0bdce3b23ccdf1be2c19ce7c316
Instruction ID: c052e3c231f17a6b2b0f7f83d94d5018748080e93a70c46af04736d99502d94d
Opcode Fuzzy Hash: 75958c0b36038fcb0a4e50354b0b014c9d6bf0bdce3b23ccdf1be2c19ce7c316
Instruction Fuzzy Hash: 68511632608F8486DB45CB66E0413AA77A7F786BD0F149226EA9D13F8ADF3CC095C741

Function 0069E2A0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c77385fd8b9cf3e123f68f932efaa551cc3d4adedf4e7a27580baed2aefa8f2
Instruction ID: 056baab6c7791d8c4b79e6f0d20f72cb0fd7e647329dd4600fdb42ad98911ea4
Opcode Fuzzy Hash: 7c77385fd8b9cf3e123f68f932efaa551cc3d4adedf4e7a27580baed2aefa8f2
Instruction Fuzzy Hash: F75136A2F09F948ADE46D7399514399D31BAB56FD0F24C322AD0A3BF59E71AC4838700

Function 0068C640 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc274acb7e725ce59d9e497d95335f31032c8fbd7671e5929715436da5eabd8e
Instruction ID: 0c7ab420c16a6d8fc16a896a15ae1248f74657bf8d43582774cc826ad83f34de
Opcode Fuzzy Hash: dc274acb7e725ce59d9e497d95335f31032c8fbd7671e5929715436da5eabd8e
Instruction Fuzzy Hash: 0821F7A1E19E444ACA43EB3A9440355D217BF967D0F58C732AE1E777A6E738E0D24740

Function 006DB920 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4a0d4820a58a1625e181f1b08e57c8c87afa8b59031d49f9920a2ff030ede7
Instruction ID: 457aaf471c97a4877fb228421fd9b505ea6b6f609b9a75ae7f884b8b542c7147
Opcode Fuzzy Hash: 9f4a0d4820a58a1625e181f1b08e57c8c87afa8b59031d49f9920a2ff030ede7
Instruction Fuzzy Hash: 50C08CA0D06AC298FB208310710035029829F063C0D81D081838C043189B2C82814204

Function 00696020 Relevance: 15.3, Strings: 12, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125AddFontResourceExWArab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWCheckMenuRadioItemCloseServiceHandleCommandLineToArgvWCreateCompatibleDCCreateDi, xrefs: 006964DC
runtime.SetFinalizer: cannot pass runtime: g is running but p is notruntime: unexpected return pc for schedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot splice1776356839400250464677, xrefs: 0069643D, 006964AC, 00696517
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884, xrefs: 0069654C
to finalizer untyped args -thread limit1907348632812595367431640625ActivateActCtxCertCloseStoreClientToScreenCloseClipboardCloseThemeDataCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomDefWindo, xrefs: 00696428, 00696497, 00696502
, not a function0123456789ABCDEF0123456789abcdef2384185791015625AdjustWindowRectBringWindowToTopCloseEnhMetaFileCoCreateInstanceCoGetClassObjectConnectNamedPipeCopyEnhMetaFileWCreateDIBSectionCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryp, xrefs: 0069653D
nil elem type!no module datano such devicepollCache.lockprotocol errorruntime: full=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunsafe.PointerwglCopyC, xrefs: 006965F3
runtime.SetFinalizer: pointer not at beginning of allocated blockbytes.Buffer: UnreadByte: previous operation was not a successful readcannot convert slice with length %y to pointer to array with length %xtoo many concurrent operations on a single file or sock, xrefs: 0069655D
runtime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prec34694469519536141888, xrefs: 00696624
Nw, xrefs: 006960D1
runtime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetcompileCallback: argument size is larger than uintpt, xrefs: 006965E2
runtime.SetFinalizer: first argument is nilruntime: casfrom_Gscanstatus bad oldval gp=runtime: heapBitsSetTypeGCProg: total bits runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=unfinished open-coded defers in deferreturnun, xrefs: 00696635
, not pointer-byte block (3814697265625AnimateWindowCertOpenStoreCoTaskMemFreeCreateActCtxWCreateRectRgnDeleteServiceDestroyWindowDrawFocusRectEnumPrintersWEnumProcessesExitWindowsExFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetClassNameWGetClientRect, xrefs: 00696615

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125AddFontResourceExWArab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWCheckMenuRadioItemCloseServiceHandleCommandLineToArgvWCreateCompatibleDCCreateDi$ to finalizer untyped args -thread limit1907348632812595367431640625ActivateActCtxCertCloseStoreClientToScreenCloseClipboardCloseThemeDataCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomDefWindo$, not a function0123456789ABCDEF0123456789abcdef2384185791015625AdjustWindowRectBringWindowToTopCloseEnhMetaFileCoCreateInstanceCoGetClassObjectConnectNamedPipeCopyEnhMetaFileWCreateDIBSectionCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryp$, not pointer-byte block (3814697265625AnimateWindowCertOpenStoreCoTaskMemFreeCreateActCtxWCreateRectRgnDeleteServiceDestroyWindowDrawFocusRectEnumPrintersWEnumProcessesExitWindowsExFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetClassNameWGetClientRect$nil elem type!no module datano such devicepollCache.lockprotocol errorruntime: full=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunsafe.PointerwglCopyC$runtime.SetFinalizer: cannot pass runtime: g is running but p is notruntime: unexpected return pc for schedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot splice1776356839400250464677$runtime.SetFinalizer: first argument is nilruntime: casfrom_Gscanstatus bad oldval gp=runtime: heapBitsSetTypeGCProg: total bits runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=unfinished open-coded defers in deferreturnun$runtime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prec34694469519536141888$runtime.SetFinalizer: pointer not at beginning of allocated blockbytes.Buffer: UnreadByte: previous operation was not a successful readcannot convert slice with length %y to pointer to array with length %xtoo many concurrent operations on a single file or sock$runtime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetcompileCallback: argument size is larger than uintpt$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884$Nw
API String ID: 0-2002210619
Opcode ID: f510e99f47c2743e515f84799fdb0f3f5e8436660c9072ce87b1bb6428b95db0
Instruction ID: da48e48da6f08c2a6e76a0217b815ad0a9ee90630ac8f9886db971bfa60d901d
Opcode Fuzzy Hash: f510e99f47c2743e515f84799fdb0f3f5e8436660c9072ce87b1bb6428b95db0
Instruction Fuzzy Hash: A0E19F32609B8082DB609F55F4403EEB7AAF785B80F49952AEB8D47B59DF3CD495CB00

Function 00686000 Relevance: 14.0, Strings: 11, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

debugCal, xrefs: 006861FF
debugCal, xrefs: 00686240
runtime., xrefs: 0068628F
debugCal, xrefs: 006860F2
debugCal, xrefs: 00686093
call from unknown functioncorrupted semaphore ticketentersyscall inconsistent forEachP: P did not run fnfreedefer with d.fn != nilinitSpan: unaligned lengthinvalid request descriptorname not unique on networkno CSI structure availableno message of desired type, xrefs: 0068604D, 00686059
debugCal, xrefs: 0068615C
l819, xrefs: 00686268
call from within the Go runtimecannot assign requested addresscasgstatus: bad incoming valuescheckmark found unmarked objectencoding/hex: invalid byte: %#Uentersyscallblock inconsistent fmt: unknown base; can't happeninternal error - misuse of itabinvalid netw, xrefs: 006862B4, 006862C2
debugCall2048exchange fullfatal error: gethostbynamegetservbynamelevel 3 resetload64 failedmin too largenil stackbaseout of memoryruntime: seq=runtime: val=srmount errortimer expiredtraceStackTabvalue method wglShareListsxadd64 failedxchg64 failed}sched={pc:, xrefs: 006861E1
call not at safe pointcannot allocate memorycompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnetwork is unreach, xrefs: 0068632D, 00686339

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: call from unknown functioncorrupted semaphore ticketentersyscall inconsistent forEachP: P did not run fnfreedefer with d.fn != nilinitSpan: unaligned lengthinvalid request descriptorname not unique on networkno CSI structure availableno message of desired type$call from within the Go runtimecannot assign requested addresscasgstatus: bad incoming valuescheckmark found unmarked objectencoding/hex: invalid byte: %#Uentersyscallblock inconsistent fmt: unknown base; can't happeninternal error - misuse of itabinvalid netw$call not at safe pointcannot allocate memorycompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnetwork is unreach$debugCal$debugCal$debugCal$debugCal$debugCal$debugCall2048exchange fullfatal error: gethostbynamegetservbynamelevel 3 resetload64 failedmin too largenil stackbaseout of memoryruntime: seq=runtime: val=srmount errortimer expiredtraceStackTabvalue method wglShareListsxadd64 failedxchg64 failed}sched={pc:$l819$runtime.
API String ID: 0-3115989702
Opcode ID: 08672f7b5ab18e71500f3a55127b617c63bf8109f0e38876c862729eaca45f51
Instruction ID: 9383396c62c1246d1bb6de20f67e1d8328f46afa8e09c4a92c5c8bbe79294fc5
Opcode Fuzzy Hash: 08672f7b5ab18e71500f3a55127b617c63bf8109f0e38876c862729eaca45f51
Instruction Fuzzy Hash: 0281E172A06B80C5CE35EB09D0643B8B773F395B94F58C65AEB4903725DB78CA81CB02

Function 006B2600 Relevance: 12.9, Strings: 10, Instructions: 391
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

e(h, xrefs: 006B2D05
panic: pdh.dllrunningsyscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status 48828125AbortDocAcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDeleteDCDup, xrefs: 006B2B34, 006B2B8A, 006B2C4A, 006B2CA5
panic during preemptoffprocresize: invalid argreflect.Value.Interfacereflect.Value.NumMethodreflect.methodValueCallruntime: internal errorruntime: invalid type runtime: netpoll failedruntime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment, xrefs: 006B2C34
bad defer entry in panicbypassed recovery failedcan't scan our own stackconnection reset by peerdouble traceGCSweepStartfunction not implementedgcDrainN phase incorrecthash of unhashable type initSpan: unaligned baselevel 2 not synchronizedlink number out of r, xrefs: 006B2B1E
bypassed recovery failedcan't scan our own stackconnection reset by peerdouble traceGCSweepStartfunction not implementedgcDrainN phase incorrecthash of unhashable type initSpan: unaligned baselevel 2 not synchronizedlink number out of rangenot supported by win, xrefs: 006B2B0D
recovery failedruntime error: runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding pwglGetCurrentDC already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcd, xrefs: 006B2ACE
panic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rota, xrefs: 006B2C8A
panic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding, xrefs: 006B2B6F
preempt off reason: reflect.makeFuncStubruntime: unknown pc semaRoot rotateRighttime: invalid numbertrace: out of memorywglGetCurrentContextwirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found of unexported method pcHeader.textStart, xrefs: 006B2BCF
panic on system stackpreempt at unknown pcread-only file systemreflect.Value.Complexreflect.Value.Pointerreleasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= stale NFS file handlestartloc, xrefs: 006B2CDF

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: bad defer entry in panicbypassed recovery failedcan't scan our own stackconnection reset by peerdouble traceGCSweepStartfunction not implementedgcDrainN phase incorrecthash of unhashable type initSpan: unaligned baselevel 2 not synchronizedlink number out of r$bypassed recovery failedcan't scan our own stackconnection reset by peerdouble traceGCSweepStartfunction not implementedgcDrainN phase incorrecthash of unhashable type initSpan: unaligned baselevel 2 not synchronizedlink number out of rangenot supported by win$e(h$panic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rota$panic during preemptoffprocresize: invalid argreflect.Value.Interfacereflect.Value.NumMethodreflect.methodValueCallruntime: internal errorruntime: invalid type runtime: netpoll failedruntime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment$panic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding$panic on system stackpreempt at unknown pcread-only file systemreflect.Value.Complexreflect.Value.Pointerreleasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= stale NFS file handlestartloc$panic: pdh.dllrunningsyscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status 48828125AbortDocAcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDeleteDCDup$preempt off reason: reflect.makeFuncStubruntime: unknown pc semaRoot rotateRighttime: invalid numbertrace: out of memorywglGetCurrentContextwirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found of unexported method pcHeader.textStart$recovery failedruntime error: runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding pwglGetCurrentDC already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcd
API String ID: 0-3431632730
Opcode ID: af033656758d127cfac57e3fc960a83f2dc1298b50a17f52be2b6c599747d8c4
Instruction ID: 542cfa4dbc2a2381910e58a8f609c9af259eb7263c5170d04f00cad2b684df6e
Opcode Fuzzy Hash: af033656758d127cfac57e3fc960a83f2dc1298b50a17f52be2b6c599747d8c4
Instruction Fuzzy Hash: 4F026AB2618B85C6DB60EF25E4503DA77B6F749B80F54512AEA8C07B6ACF38C4C5CB14

Function 0068AD00 Relevance: 12.7, Strings: 10, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertificateChainDeleteVolumeMountPointWDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeFreeEnvironmentStringsWGetActi, xrefs: 0068AE87, 0068AED1
bad TinySizeClassdebugPtrmask.lockentersyscallblockexec format errorg already scannedglobalAlloc.mutexlocked m0 woke upmark - bad statusmarkBits overflownil resource bodyno data availablenotetsleepg on g0permission deniedreflect.Value.Intreflect.Value.Lenrefle, xrefs: 0068AFEC
bad system huge page sizechansend: spurious wakeupcheckdead: no m for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno buffer space availableno such device or addressno such ne, xrefs: 0068AE9D
bad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection timed outdodeltimer0: wrong Pfloating point errorforcegc: phase errorgo of nil func valuegopark: bad g statusinconsistent lockedminvalid request code, xrefs: 0068AEEA, 0068AF5B, 0068AFCA
system page size (tracebackancestorsuse of closed filevalue out of rangewglUseFontBitmapsW [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeAmbiguous alphabet.Bahia Standard Tim, xrefs: 0068AEB3, 0068AF05, 0068AF71
system huge page size (too many pointers (>10)work.nwait > work.nproc116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorWCape Verde Standard Tim, xrefs: 0068AE6A
) is smaller than minimum page size (2220446049250313080847263336181640625UnsubscribeServiceChangeNotifications_cgo_notify_runtime_init_done missingall goroutines are asleep - deadlock!cannot exec a shared library directlyfailed to reserve page summary memoryi, xrefs: 0068AF25
) is larger than maximum page size () is not Grunnable or Gscanrunnable0123456789abcdefghijklmnopqrstuvwxyz444089209850062616169452667236328125Go pointer stored into non-Go memoryUnable to determine system directoryaccessing a corrupted shared librarycompress, xrefs: 0068AF91
failed to get system page sizefreedefer with d._panic != nilinappropriate ioctl for deviceinvalid network interface nameinvalid pointer found on stacknotetsleep - waitm out of syncprotocol wrong type for socketreflect: Elem of invalid type reflect: Len of non-, xrefs: 0068AFDB
), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHa, xrefs: 0068AF45, 0068AFAF

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHa$) is larger than maximum page size () is not Grunnable or Gscanrunnable0123456789abcdefghijklmnopqrstuvwxyz444089209850062616169452667236328125Go pointer stored into non-Go memoryUnable to determine system directoryaccessing a corrupted shared librarycompress$) is smaller than minimum page size (2220446049250313080847263336181640625UnsubscribeServiceChangeNotifications_cgo_notify_runtime_init_done missingall goroutines are asleep - deadlock!cannot exec a shared library directlyfailed to reserve page summary memoryi$) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertificateChainDeleteVolumeMountPointWDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeFreeEnvironmentStringsWGetActi$bad TinySizeClassdebugPtrmask.lockentersyscallblockexec format errorg already scannedglobalAlloc.mutexlocked m0 woke upmark - bad statusmarkBits overflownil resource bodyno data availablenotetsleepg on g0permission deniedreflect.Value.Intreflect.Value.Lenrefle$bad system huge page sizechansend: spurious wakeupcheckdead: no m for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno buffer space availableno such device or addressno such ne$bad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection timed outdodeltimer0: wrong Pfloating point errorforcegc: phase errorgo of nil func valuegopark: bad g statusinconsistent lockedminvalid request code$failed to get system page sizefreedefer with d._panic != nilinappropriate ioctl for deviceinvalid network interface nameinvalid pointer found on stacknotetsleep - waitm out of syncprotocol wrong type for socketreflect: Elem of invalid type reflect: Len of non-$system huge page size (too many pointers (>10)work.nwait > work.nproc116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorWCape Verde Standard Tim$system page size (tracebackancestorsuse of closed filevalue out of rangewglUseFontBitmapsW [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeAmbiguous alphabet.Bahia Standard Tim
API String ID: 0-591411609
Opcode ID: 3dc1e685e40604c235f7c69ab6780e078135736c355670947bb4a0b953414696
Instruction ID: f4b47cee455ba373f970da637b719b5fe4fd6d74e8700a25e1954156e5cb7d8c
Opcode Fuzzy Hash: 3dc1e685e40604c235f7c69ab6780e078135736c355670947bb4a0b953414696
Instruction Fuzzy Hash: 4D619CB2715A0A96EB40BF50F8813D8636AFB09741F80652ADB4C07763EF3CD986C365

Function 006913C5 Relevance: 12.6, Strings: 10, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+-./5<=?CLMPSUZ[\, xrefs: 00691530
span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625AnimateWindowCertOpenStoreCoTaskMemFreeCreateActCtxWCreateRectRgnDeleteServiceDestroyWindowDrawFocusRectEnumPrintersWEnumProcessesExitWindowsExFindNextFileW, xrefs: 00691471
span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCfgMgr32.dllChooseColorWCoCreateGuidCreateBitmapCreateEventWCreateMutexWDeleteObjectEnableWindowExtCreatePenExtractIconWGetAddrI, xrefs: 0069148F
runtime: found in object at *(runtime: impossible type kind socket operation on non-socketsync: inconsistent mutex statesync: unlock of unlocked mutex) not in usable address space: ...additional frames elided....lib section in a.out corrupted11368683772161602, xrefs: 00691515
objectpopcntrdtscpselectsendtosocketstringstructsweep sysmontelnettimersuint16uint32uint64 (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625AvestanBengaliBrailleChanDirCopySidCy, xrefs: 0069156A
runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewglGetProcAddresswrong medium type but memory size bec, xrefs: 006913F6
found bad pointer in Go heap (incorrect use of unsafe or cgo?)reflect: reflect.Value.Pointer on an invalid notinheap pointerruntime: internal error: misuse of lockOSThread/unlockOSThreadcompileCallback: expected function with one uintptr-sized resultruntime.Se, xrefs: 006914FF
to unallocated span37252902984619140625AddFontMemResourceExArabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCommDlgExtendedErrorCreateProcessAsUserWCryptAcquireContextWEgyptian_Hieroglyphs, xrefs: 0069143F
to unused region of span2910383045673370361328125AUS Central Standard TimeAUS Eastern Standard TimeAfghanistan Standard TimeExpandEnvironmentStringsWFindNextVolumeMountPointWFindVolumeMountPointCloseGODEBUG: can not enable "GetFinalPathNameByHandleWGetQueuedC, xrefs: 0069158F
), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHa, xrefs: 0069154F

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625AnimateWindowCertOpenStoreCoTaskMemFreeCreateActCtxWCreateRectRgnDeleteServiceDestroyWindowDrawFocusRectEnumPrintersWEnumProcessesExitWindowsExFindNextFileW$ span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCfgMgr32.dllChooseColorWCoCreateGuidCreateBitmapCreateEventWCreateMutexWDeleteObjectEnableWindowExtCreatePenExtractIconWGetAddrI$ to unallocated span37252902984619140625AddFontMemResourceExArabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCommDlgExtendedErrorCreateProcessAsUserWCryptAcquireContextWEgyptian_Hieroglyphs$ to unused region of span2910383045673370361328125AUS Central Standard TimeAUS Eastern Standard TimeAfghanistan Standard TimeExpandEnvironmentStringsWFindNextVolumeMountPointWFindVolumeMountPointCloseGODEBUG: can not enable "GetFinalPathNameByHandleWGetQueuedC$), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHa$+-./5<=?CLMPSUZ[\$found bad pointer in Go heap (incorrect use of unsafe or cgo?)reflect: reflect.Value.Pointer on an invalid notinheap pointerruntime: internal error: misuse of lockOSThread/unlockOSThreadcompileCallback: expected function with one uintptr-sized resultruntime.Se$objectpopcntrdtscpselectsendtosocketstringstructsweep sysmontelnettimersuint16uint32uint64 (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625AvestanBengaliBrailleChanDirCopySidCy$runtime: found in object at *(runtime: impossible type kind socket operation on non-socketsync: inconsistent mutex statesync: unlock of unlocked mutex) not in usable address space: ...additional frames elided....lib section in a.out corrupted11368683772161602$runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewglGetProcAddresswrong medium type but memory size bec
API String ID: 0-2422381767
Opcode ID: d3551614b923a7e40790ed5fea89d3ff1849824198b86e3cc87a74ab71e7d907
Instruction ID: f1a87f3da1fd84b97a51539f10204789b9e1641bdaec4118ddfac467ed0ff062
Opcode Fuzzy Hash: d3551614b923a7e40790ed5fea89d3ff1849824198b86e3cc87a74ab71e7d907
Instruction Fuzzy Hash: 26413E72629B4087D790BF61F44139DBB6AFB89B40F841029EB4D03767DF28D4858765

Function 00687040 Relevance: 11.4, Strings: 9, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status 48828125AbortDocAcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDeleteDCDuployanEndPaintEqualSidEthiopicExtenderGdiFlushGeorgianGetFocusGetP, xrefs: 006872FF
is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625AnimateWindowCertOpenStoreCoTaskMemFreeCreateActCtxWCreateRectRgnDeleteServiceDestroyWindowDrawFocusRect, xrefs: 006873A4
: missing method AdjustTokenGroupsAttachThreadInputCertFindExtensionChoosePixelFormatCryptDecodeObjectDeleteEnhMetaFileDnsRecordListFreeEndDeferWindowPosFLE Standard TimeGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetProfileStringWGetSh, xrefs: 00687337
(types from different packages)28421709430404007434844970703125CertAddCertificateContextToStoreCertVerifyCertificateChainPolicyGetVolumePathNamesForVolumeNameWMapIter.Value called before NextWSAGetOverlappedResult not found" not supported for cpu option "end , xrefs: 00687275
, not 390625<-chanAnswerArabicBitBltBrahmiCarianChakmaCommonCopticEndDocFormatGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLineToLycianLydianMulDivRejangSCHED SaveDCStringSyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UT, xrefs: 0068717D
is lr: of on pc= sp: sp=) = ) m=+Inf-Inf3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCLEAFLisuMiaoModiNZDTNZSTNewaSASTThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itab, xrefs: 00687152
(types from different scopes) in prepareForSweep; sweepgen locals stack map entries for 227373675443232059478759765625Central European Standard TimeCentral Standard Time (Mexico)CertDeleteCertificateFromStoreE. South America Standard TimeEastern Standard Tim, xrefs: 00687294
interface conversion: kernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledprotocol not availableprotocol not supportedremote address changedruntime.main not on m0runtime: work.nwai, xrefs: 0068711D, 006872D4, 006873B9
interfaceinvalid nipv6-icmpmSpanDeadmSpanFreentdll.dllole32.dllpanicwaitpclmulqdqpreemptedpsapi.dllrecover: reflect: scavtracestackpooltracebackwbufSpans} stack=[ MB goal, flushGen gfreecnt= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwai, xrefs: 0068707B

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (types from different packages)28421709430404007434844970703125CertAddCertificateContextToStoreCertVerifyCertificateChainPolicyGetVolumePathNamesForVolumeNameWMapIter.Value called before NextWSAGetOverlappedResult not found" not supported for cpu option "end $ (types from different scopes) in prepareForSweep; sweepgen locals stack map entries for 227373675443232059478759765625Central European Standard TimeCentral Standard Time (Mexico)CertDeleteCertificateFromStoreE. South America Standard TimeEastern Standard Tim$ is lr: of on pc= sp: sp=) = ) m=+Inf-Inf3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCLEAFLisuMiaoModiNZDTNZSTNewaSASTThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itab$ is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625AnimateWindowCertOpenStoreCoTaskMemFreeCreateActCtxWCreateRectRgnDeleteServiceDestroyWindowDrawFocusRect$ is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status 48828125AbortDocAcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDeleteDCDuployanEndPaintEqualSidEthiopicExtenderGdiFlushGeorgianGetFocusGetP$, not 390625<-chanAnswerArabicBitBltBrahmiCarianChakmaCommonCopticEndDocFormatGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLineToLycianLydianMulDivRejangSCHED SaveDCStringSyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UT$: missing method AdjustTokenGroupsAttachThreadInputCertFindExtensionChoosePixelFormatCryptDecodeObjectDeleteEnhMetaFileDnsRecordListFreeEndDeferWindowPosFLE Standard TimeGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetProfileStringWGetSh$interface conversion: kernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledprotocol not availableprotocol not supportedremote address changedruntime.main not on m0runtime: work.nwai$interfaceinvalid nipv6-icmpmSpanDeadmSpanFreentdll.dllole32.dllpanicwaitpclmulqdqpreemptedpsapi.dllrecover: reflect: scavtracestackpooltracebackwbufSpans} stack=[ MB goal, flushGen gfreecnt= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwai
API String ID: 0-262327624
Opcode ID: 55ed43d424edfc80cbf61a30af2e82d016667e9cdcc2799c36af5c31167fd363
Instruction ID: 285345e57fd1d8747d74c04075c82333c2dd3249bbee030361fc9c225a5c68dd
Opcode Fuzzy Hash: 55ed43d424edfc80cbf61a30af2e82d016667e9cdcc2799c36af5c31167fd363
Instruction Fuzzy Hash: 8F91E176608BC586DBA0DB15F44039AB3A2F788B84F54812ADBCC97B19DF7DC499CB00

Function 00688820 Relevance: 11.4, Strings: 9, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

value method wglShareListsxadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625ActivateActCtxCertCloseStoreClientToScreenCloseClipboar, xrefs: 00688A13
called using nil *, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeAmbiguous alphabet.Bahia Standard TimeBeginDeferWindowPosCanadian_AboriginalChina Standard TimeCreateBrushIndirectCreateFontIndirectWCreateSymboli, xrefs: 00688AB6
panicwrap: unexpected string after type name: reflect.Value.Slice: slice index out of boundsreleased less than one physical page of memoryruntime: failed to create new OS thread (have runtime: name offset base pointer out of rangeruntime: panic before malloc h, xrefs: 00688999
./5<=?CLMPSUZ[\, xrefs: 00688A4B
panicwrap: unexpected string after package name: reflect.Value.Slice: slice of unaddressable arrayruntime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ysweeper left ou, xrefs: 006888BA
panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtoo many open, xrefs: 00688B36
panicwrap: no ( in panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat ov, xrefs: 00688B7A
pointer stack=[ status 48828125AbortDocAcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDeleteDCDuployanEndPaintEqualSidEthiopicExtenderGdiFlushGeorgianGetFocusGetPixelGoStringGujaratiGurmukhiHiraganaIsIconicIsWindowIsZoomedJavaneseKata, xrefs: 00688AE1
), xrefs: 00688954

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: called using nil *, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeAmbiguous alphabet.Bahia Standard TimeBeginDeferWindowPosCanadian_AboriginalChina Standard TimeCreateBrushIndirectCreateFontIndirectWCreateSymboli$ pointer stack=[ status 48828125AbortDocAcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDeleteDCDuployanEndPaintEqualSidEthiopicExtenderGdiFlushGeorgianGetFocusGetPixelGoStringGujaratiGurmukhiHiraganaIsIconicIsWindowIsZoomedJavaneseKata$)$./5<=?CLMPSUZ[\$panicwrap: no ( in panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat ov$panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtoo many open$panicwrap: unexpected string after package name: reflect.Value.Slice: slice of unaddressable arrayruntime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ysweeper left ou$panicwrap: unexpected string after type name: reflect.Value.Slice: slice index out of boundsreleased less than one physical page of memoryruntime: failed to create new OS thread (have runtime: name offset base pointer out of rangeruntime: panic before malloc h$value method wglShareListsxadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625ActivateActCtxCertCloseStoreClientToScreenCloseClipboar
API String ID: 0-3803089235
Opcode ID: 26427b86943f7a67fb4673a55a14dfaf6c30686a26accb598e7954edcb57feb7
Instruction ID: 3b0565b28b240adc2da4c1b99842e241be14c524cb18599b009936447d8313cd
Opcode Fuzzy Hash: 26427b86943f7a67fb4673a55a14dfaf6c30686a26accb598e7954edcb57feb7
Instruction Fuzzy Hash: 5581AE72618BC085C7A0AB11F8413DEB7A6F789B80F84962AEACC53B59DF3CC555CB04

Function 006D4820 Relevance: 11.4, Strings: 9, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625ActivateActCtxCertCloseStoreClientToScreenCloseClipboardCloseThemeDataCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateSe, xrefs: 006D4A51
types value=connectconsolecpuproffloat32float64forcegcgctracehead = invalidminpc= pacer: panic: pdh.dllrunningsyscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status 48828125, xrefs: 006D49BF
- < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMroNDTNSTNaNNkoPC=PDTPKTPSTUTCVaiWAT]:adxaesavxendfinfmaftpgc gp in intip4mapnilobjpc, xrefs: 006D4A6F
not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625AdjustWindowRectBringWindowToTopCloseEnhMetaFileCoCreateInstanceCoGetClassObjectConnectNamedPipeCopyEnhMetaFileWCreateDIBSectionCreateDirectoryWCreateJobObjectWCrea, xrefs: 006D4971
runtime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-negativetoo many Answers to pack (>65535)too many levels of symbolic links35527136788005009293556213378, xrefs: 006D4A99
base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicBitBltBrahmiCarianChakmaCommonCopticEndDocFormatGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLineToLycianLy, xrefs: 006D4956
runtime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to pallocChunkBytesP has cached GC work at end of, xrefs: 006D4A10
Nw, xrefs: 006D4845, 006D498A
runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewglGetProcAddresswrong medium type but memory size because dotdotdot in async preempt to non-Go memory ,, xrefs: 006D4939, 006D4A34

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: types value=connectconsolecpuproffloat32float64forcegcgctracehead = invalidminpc= pacer: panic: pdh.dllrunningsyscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status 48828125$ - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMroNDTNSTNaNNkoPC=PDTPKTPSTUTCVaiWAT]:adxaesavxendfinfmaftpgc gp in intip4mapnilobjpc$ base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicBitBltBrahmiCarianChakmaCommonCopticEndDocFormatGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLineToLycianLy$ not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625AdjustWindowRectBringWindowToTopCloseEnhMetaFileCoCreateInstanceCoGetClassObjectConnectNamedPipeCopyEnhMetaFileWCreateDIBSectionCreateDirectoryWCreateJobObjectWCrea$ out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625ActivateActCtxCertCloseStoreClientToScreenCloseClipboardCloseThemeDataCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateSe$runtime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to pallocChunkBytesP has cached GC work at end of$runtime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-negativetoo many Answers to pack (>65535)too many levels of symbolic links35527136788005009293556213378$runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewglGetProcAddresswrong medium type but memory size because dotdotdot in async preempt to non-Go memory ,$Nw
API String ID: 0-3396519956
Opcode ID: 292bcb6a39f8128044aa6d327cd89fcba302bcbebf1ed16bceb317b64fdb5157
Instruction ID: 579f9ef7e2062462ca38cc5b7a970554ab5b0c3ced011405a17b68dca1b40202
Opcode Fuzzy Hash: 292bcb6a39f8128044aa6d327cd89fcba302bcbebf1ed16bceb317b64fdb5157
Instruction Fuzzy Hash: A6516A32A09B40C6DA50EF55F4813AA7766FB89B80F84512AEB4C03766DF3CD985CB54

Function 006810E0 Relevance: 10.3, Strings: 8, Instructions: 308
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

cpu., xrefs: 00681173
GODEBUG: value "GdipDisposeImageGetClipboardDataGetComputerNameWGetConsoleTitleWGetConsoleWindowGetCurrentThreadGetDesktopWindowGetFullPathNameWGetGUIThreadInfoGetLogicalDrivesGetLongPathNameWGetMenuItemCountGetMenuItemInfoWGetModuleHandleWGetNamedPipeInfoGetN, xrefs: 00681291
", missing CPU supportbytes.Buffer: too largechan receive (nil chan)close of closed channeldevice or resource busyfatal: morestack on g0garbage collection scangcDrain phase incorrectindex out of range [%x]interrupted system callinvalid m->lockedInt = left ov, xrefs: 006813DB
GODEBUG: no value specified for "GetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWbase outside usable address spaceconcurrent map read and map writefindrunnable: negative nmspin, xrefs: 00681308
" ][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMroNDTNSTNaNNkoPC=PDTPKTPSTUTCVaiWAT]:adxaesavxe, xrefs: 006812D4, 00681328, 00681555
" not supported for cpu option "end outside usable address spacenumerical argument out of domainpanic while printing panic valuereflect.nameFrom: tag too long: removespecial on invalid pointerresource temporarily unavailableruntime.semasleep wait_abandonedrunt, xrefs: 006812B4
GODEBUG: can not enable "GetFinalPathNameByHandleWGetQueuedCompletionStatusGetSecurityDescriptorDaclGetSecurityDescriptorSaclGetSidIdentifierAuthorityInitiateSystemShutdownExWIsValidSecurityDescriptorKaliningrad Standard TimeMiddle East Standard TimeNew Zealan, xrefs: 006813BB
GODEBUG: unknown cpu feature "GetProcessPreferredUILanguagesGetSecurityDescriptorRMControlGetSystemTimePreciseAsFileTimeMapIter.Key called before NextPacific Standard Time (Mexico)QueryServiceDynamicInformationSetSecurityDescriptorRMControlSetupDiCreateDeviceI, xrefs: 00681535

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: " ][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMroNDTNSTNaNNkoPC=PDTPKTPSTUTCVaiWAT]:adxaesavxe$" not supported for cpu option "end outside usable address spacenumerical argument out of domainpanic while printing panic valuereflect.nameFrom: tag too long: removespecial on invalid pointerresource temporarily unavailableruntime.semasleep wait_abandonedrunt$", missing CPU supportbytes.Buffer: too largechan receive (nil chan)close of closed channeldevice or resource busyfatal: morestack on g0garbage collection scangcDrain phase incorrectindex out of range [%x]interrupted system callinvalid m->lockedInt = left ov$GODEBUG: can not enable "GetFinalPathNameByHandleWGetQueuedCompletionStatusGetSecurityDescriptorDaclGetSecurityDescriptorSaclGetSidIdentifierAuthorityInitiateSystemShutdownExWIsValidSecurityDescriptorKaliningrad Standard TimeMiddle East Standard TimeNew Zealan$GODEBUG: no value specified for "GetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWbase outside usable address spaceconcurrent map read and map writefindrunnable: negative nmspin$GODEBUG: unknown cpu feature "GetProcessPreferredUILanguagesGetSecurityDescriptorRMControlGetSystemTimePreciseAsFileTimeMapIter.Key called before NextPacific Standard Time (Mexico)QueryServiceDynamicInformationSetSecurityDescriptorRMControlSetupDiCreateDeviceI$GODEBUG: value "GdipDisposeImageGetClipboardDataGetComputerNameWGetConsoleTitleWGetConsoleWindowGetCurrentThreadGetDesktopWindowGetFullPathNameWGetGUIThreadInfoGetLogicalDrivesGetLongPathNameWGetMenuItemCountGetMenuItemInfoWGetModuleHandleWGetNamedPipeInfoGetN$cpu.
API String ID: 0-3187961178
Opcode ID: 040a7d6af234d2ade2207bda46b48ec5a1bfef2efbe5246acdf7742b3a351bce
Instruction ID: cded1389be6dad47dcee4bfbbac6b3f9bd1feba758c200bfa11c2f02ef6c1e1c
Opcode Fuzzy Hash: 040a7d6af234d2ade2207bda46b48ec5a1bfef2efbe5246acdf7742b3a351bce
Instruction Fuzzy Hash: CBC1D462608B84C1DA50EF61F4403AAA76BF386BD0F544626EB8D0BB5ACF7CD492C754

Function 006BF360 Relevance: 10.1, Strings: 8, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicBitBltBrahmiCarianChakmaCommonCopticEndDocFormatGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLineToLycianLydianMulDivRejangSCHED SaveDCStringSyriacTai_LeTa, xrefs: 006BF538
releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= stale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptionunexpected value stepwglCreat, xrefs: 006BF5AA
) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCfgMgr32.dllChooseColorWCoCreateGuidCreateBitmapCreateEventWCreateMutexWDeleteObjectEnableWindowExtCreatePenExtractIconWGetAddrInfoWGetConsoleCPGetCursorPosGetLastErrorGetLengthSidGetProce, xrefs: 006BF425
wirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found of unexported method pcHeader.textStart= previous allocCount=, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_Hi, xrefs: 006BF46C
p->status= s.nelems= schedtick= span.list= timerslen=, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDestroyIconDestroyMenuDives_AkuruDrawMenuBarDrawTextExWEnumWindowsExitProcessFindWin, xrefs: 006BF56F
wirep: p->m=worker mode wtsapi32.dll != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (381, xrefs: 006BF3E5
wirep: invalid p state) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertificateChainDeleteVolumeMountPointWDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeFreeEnvi, xrefs: 006BF44F
releasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringswinspool.drvwintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= is nil, not , xrefs: 006BF51D

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicBitBltBrahmiCarianChakmaCommonCopticEndDocFormatGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLineToLycianLydianMulDivRejangSCHED SaveDCStringSyriacTai_LeTa$ p->status= s.nelems= schedtick= span.list= timerslen=, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDestroyIconDestroyMenuDives_AkuruDrawMenuBarDrawTextExWEnumWindowsExitProcessFindWin$) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCfgMgr32.dllChooseColorWCoCreateGuidCreateBitmapCreateEventWCreateMutexWDeleteObjectEnableWindowExtCreatePenExtractIconWGetAddrInfoWGetConsoleCPGetCursorPosGetLastErrorGetLengthSidGetProce$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= stale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptionunexpected value stepwglCreat$releasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringswinspool.drvwintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= is nil, not $wirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found of unexported method pcHeader.textStart= previous allocCount=, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_Hi$wirep: invalid p state) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertificateChainDeleteVolumeMountPointWDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeFreeEnvi$wirep: p->m=worker mode wtsapi32.dll != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (381
API String ID: 0-1918591892
Opcode ID: 9a25ed439c5b8db13deedd10d2e1bcdb4b543532c39a1d25a9949b051c40239a
Instruction ID: 1a9d7a76bff4a31a2e5be3a8888a3e2782da6cb398dc15d72f87299fac391b13
Opcode Fuzzy Hash: 9a25ed439c5b8db13deedd10d2e1bcdb4b543532c39a1d25a9949b051c40239a
Instruction Fuzzy Hash: C9517CB6215B40CADB90EF10F4813DABBA6F788B80F849529EB8C07726DF38C595C754

Function 0069CAE0 Relevance: 8.9, Strings: 7, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+-./5<=?CLMPSUZ[\, xrefs: 0069CD0F
basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindpipepop3profrootsbrksmtpsse3tcp4trueudp4uint ... MB, and cnt= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>A, xrefs: 0069CD4A
greyobject: obj not pointer-alignedmheap.freeSpanLocked - invalid freemismatched begin/end of activeSweepnetwork dropped connection on resetno such multicast network interfacepersistentalloc: align is too largepidleput: P has non-empty run queueruntime: close , xrefs: 0069CDA5
marking free objectmarkroot: bad indexmissing deferreturnmspan.sweep: state=notesleep not on g0ntdll.dll not foundnwait > work.nprocspageAlloc.scav.lockpanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value, xrefs: 0069CD90
runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = semacquire not on the G stackstring concatenation too longsyntax error scanning booleantimeBegin/EndPeriod not foun, xrefs: 0069CCD4
found at *( gcscandone m->gsignal= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCfgMgr32.dllChooseCo, xrefs: 0069CCEF
), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHa, xrefs: 0069CD2F

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: found at *( gcscandone m->gsignal= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCfgMgr32.dllChooseCo$), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHa$+-./5<=?CLMPSUZ[\$basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindpipepop3profrootsbrksmtpsse3tcp4trueudp4uint ... MB, and cnt= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>A$greyobject: obj not pointer-alignedmheap.freeSpanLocked - invalid freemismatched begin/end of activeSweepnetwork dropped connection on resetno such multicast network interfacepersistentalloc: align is too largepidleput: P has non-empty run queueruntime: close $marking free objectmarkroot: bad indexmissing deferreturnmspan.sweep: state=notesleep not on g0ntdll.dll not foundnwait > work.nprocspageAlloc.scav.lockpanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value$runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = semacquire not on the G stackstring concatenation too longsyntax error scanning booleantimeBegin/EndPeriod not foun
API String ID: 0-3767301102
Opcode ID: bc2a81dc2e9b026981b46504628a4d073f705874683bb72522b39f13c1bc0f59
Instruction ID: e2c6140a548945baba514ab36aee171482d852629c28dcfcac56543e28260460
Opcode Fuzzy Hash: bc2a81dc2e9b026981b46504628a4d073f705874683bb72522b39f13c1bc0f59
Instruction Fuzzy Hash: E671B0B2A18B80C6DB40DB11E4503AABB6AF785B90F445526EF8D03B6ACF3CC554CB44

Function 006A0B40 Relevance: 8.8, Strings: 7, Instructions: 91COMMON

Download Yara Rule

Strings

sweeper left outstanding across sweep generationsattempt to execute system stack code on user stackcompileCallback: function argument frame too largemallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewruntime: un, xrefs: 006A0CAF
pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCfgMgr32.dllChooseColorWCoCreateGuidCreateBitmapCreateEventWCreateMutexWDeleteOb, xrefs: 006A0C72
mismatched begin/end of activeSweepnetwork dropped connection on resetno such multicast network interfacepersistentalloc: align is too largepidleput: P has non-empty run queueruntime: close polldesc w/o unblockruntime: createevent failed; errno=ryuFtoaFixed32 , xrefs: 006A0C9E
pacer: sweep done at heap size pattern contains path separatorreflect: Len of non-array type resetspinning: not a spinning mruntime: cannot allocate memoryruntime: failed to commit pagesruntime: split stack overflow: slice bounds out of range [%x:]slice bounds, xrefs: 006A0BF0
MB; allocated MakeAbsoluteSDModule32FirstWNetUserGetInfoNotifyWinEventOpenSCManagerWOther_ID_StartPattern_SyntaxPdhAddCounterWProcess32NextWQuotation_MarkRCodeNameErrorRegSetValueExWReleaseCaptureSHGetFileInfoWScreenToClientSetConsoleModeSetFilePointerSetPixel, xrefs: 006A0C13
MB during sweep; swept Marquesas Standard TimeMauritius Standard TimeNoncharacter_Code_PointNtSetInformationProcessQueryServiceLockStatusWQyzylorda Standard TimeRegNotifyChangeKeyValueRegisterRawInputDevicesRemoveFontMemResourceExSHGetSpecialFolderPathWSetEnvi, xrefs: 006A0C3B
pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=, bound = , limit = /dev/stdin12207031256103515625AdditionalAlphaBlendBad varintBeginPaintCancelIoExChorasmianClassCHAOSClassCSNETCombineRgn, xrefs: 006A0C56

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=, bound = , limit = /dev/stdin12207031256103515625AdditionalAlphaBlendBad varintBeginPaintCancelIoExChorasmianClassCHAOSClassCSNETCombineRgn$ pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCfgMgr32.dllChooseColorWCoCreateGuidCreateBitmapCreateEventWCreateMutexWDeleteOb$MB during sweep; swept Marquesas Standard TimeMauritius Standard TimeNoncharacter_Code_PointNtSetInformationProcessQueryServiceLockStatusWQyzylorda Standard TimeRegNotifyChangeKeyValueRegisterRawInputDevicesRemoveFontMemResourceExSHGetSpecialFolderPathWSetEnvi$MB; allocated MakeAbsoluteSDModule32FirstWNetUserGetInfoNotifyWinEventOpenSCManagerWOther_ID_StartPattern_SyntaxPdhAddCounterWProcess32NextWQuotation_MarkRCodeNameErrorRegSetValueExWReleaseCaptureSHGetFileInfoWScreenToClientSetConsoleModeSetFilePointerSetPixel$mismatched begin/end of activeSweepnetwork dropped connection on resetno such multicast network interfacepersistentalloc: align is too largepidleput: P has non-empty run queueruntime: close polldesc w/o unblockruntime: createevent failed; errno=ryuFtoaFixed32 $pacer: sweep done at heap size pattern contains path separatorreflect: Len of non-array type resetspinning: not a spinning mruntime: cannot allocate memoryruntime: failed to commit pagesruntime: split stack overflow: slice bounds out of range [%x:]slice bounds$sweeper left outstanding across sweep generationsattempt to execute system stack code on user stackcompileCallback: function argument frame too largemallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewruntime: un
API String ID: 0-52867806
Opcode ID: f31152090230a5f3d088e46839c2ca08d208c846f49503cded14f7c8c5b691c5
Instruction ID: 4b34930d243d2ab6bec6a4e94d7929a542ae50d79f646f08e841f320242221e8
Opcode Fuzzy Hash: f31152090230a5f3d088e46839c2ca08d208c846f49503cded14f7c8c5b691c5
Instruction Fuzzy Hash: 1B419F75619B41CAEB40EF14F49039AB766FB89740F805529EB8E07B66DF3CC981CB14

Function 006ADBA0 Relevance: 8.8, Strings: 7, Instructions: 66COMMON

Download Yara Rule

Strings

ication, xrefs: 006ADC3B
umeNotif, xrefs: 006ADC2C
PowerReg, xrefs: 006ADBFF
gisterSu, xrefs: 006ADC0E
spendRes, xrefs: 006ADC1D
rof.dll, xrefs: 006ADBD5
powrprof, xrefs: 006ADBC6

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: PowerReg$gisterSu$ication$powrprof$rof.dll$spendRes$umeNotif
API String ID: 0-941992356
Opcode ID: e2cfe4f5c8bccca922ee199990d5c7475819ad222252fa51fa8447dd3ac3b394
Instruction ID: 82b2ce388a5f0e5075e4cb1c19e9ab49f31ac101ce39f4cfc3f68cacc52ee02f
Opcode Fuzzy Hash: e2cfe4f5c8bccca922ee199990d5c7475819ad222252fa51fa8447dd3ac3b394
Instruction Fuzzy Hash: 4E3147B2608B8085D660EB11F44039AB7A6F7867C4F94802AEBDD47B6ADF3CC554CB00

Function 006921A0 Relevance: 7.6, Strings: 6, Instructions: 132COMMON

Download Yara Rule

Strings

runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackryuFtoaFixed64 called with prec > 18syntax e, xrefs: 0069230A, 006923AF
with GC prog476837158203125<invalid Value>ASCII_Hex_DigitAddDllDirectoryCLSIDFromStringCallWindowProcWCreateHardLinkWCreatePopupMenuCreateWindowExWDeviceIoControlDialogBoxParamWDragAcceptFilesDrawThemeTextExDuplicateHandleExcludeClipRectFailed to find Faile, xrefs: 006922F4
of size (targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHE, xrefs: 00692365
but memory size because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125AddFontResourceExWArab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWCheckMenuRadioItemCloseServiceHandleCommandLineToArgvWCreateCo, xrefs: 00692385
runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prec34694469519536141888238489627838134765625MapIter.Next called on exhausted iteratorattempted to add zero-sized address rangebinary: varint overflows a 64-bit integercan't call point, xrefs: 006922D4, 00692345
runtime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base173472347597680709441192448139190673828125867361737988403547205962240695953369140625MapIter.Value called on exhausted iteratoracquireSudo, xrefs: 006923C5

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: but memory size because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125AddFontResourceExWArab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWCheckMenuRadioItemCloseServiceHandleCommandLineToArgvWCreateCo$ of size (targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHE$ with GC prog476837158203125<invalid Value>ASCII_Hex_DigitAddDllDirectoryCLSIDFromStringCallWindowProcWCreateHardLinkWCreatePopupMenuCreateWindowExWDeviceIoControlDialogBoxParamWDragAcceptFilesDrawThemeTextExDuplicateHandleExcludeClipRectFailed to find Faile$runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackryuFtoaFixed64 called with prec > 18syntax e$runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prec34694469519536141888238489627838134765625MapIter.Next called on exhausted iteratorattempted to add zero-sized address rangebinary: varint overflows a 64-bit integercan't call point$runtime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base173472347597680709441192448139190673828125867361737988403547205962240695953369140625MapIter.Value called on exhausted iteratoracquireSudo
API String ID: 0-1719771541
Opcode ID: e4db7936c34dcd0285bafd420f67ceee2c0b2a9f7be11a497ad167ddf5c763c9
Instruction ID: b478ceebfd98f5f673d2f68545f23936754f0319dcc4e25f1f840380166fbd88
Opcode Fuzzy Hash: e4db7936c34dcd0285bafd420f67ceee2c0b2a9f7be11a497ad167ddf5c763c9
Instruction Fuzzy Hash: 79517C76618B4186DB50EF51F48039EBB6AF789B80F84512AEB8D03B66CF38C595CB14

Function 0068B820 Relevance: 7.6, Strings: 6, Instructions: 117COMMON

Download Yara Rule

Strings

s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)work.nwait > work.nproc116415321826934814453125582076, xrefs: 0068B96F
s.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ysweeper left outstanding across sweep generationsattempt to execute system stack code on user stackcompileCallback: function argument frame too largemallocgc call, xrefs: 0068B9EF
freeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledprotocol not avail, xrefs: 0068B985
s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunsafe.PointerwglCopyContextwglMakeCurrentwinapi error #work.full != 0 with GC prog476837158203125<inval, xrefs: 0068B925
runtime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)work.nwait > work.nproc1164153, xrefs: 0068B9A5
s.nelems= schedtick= span.list= timerslen=, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDestroyIconDestroyMenuDives_AkuruDrawMenuBarDrawTextExWEnumWindowsExitProcessFindWindowWFreeLib, xrefs: 0068B945, 0068B9C5

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: s.nelems= schedtick= span.list= timerslen=, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDestroyIconDestroyMenuDives_AkuruDrawMenuBarDrawTextExWEnumWindowsExitProcessFindWindowWFreeLib$freeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledprotocol not avail$runtime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)work.nwait > work.nproc1164153$s.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ysweeper left outstanding across sweep generationsattempt to execute system stack code on user stackcompileCallback: function argument frame too largemallocgc call$s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)work.nwait > work.nproc116415321826934814453125582076$s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunsafe.PointerwglCopyContextwglMakeCurrentwinapi error #work.full != 0 with GC prog476837158203125<inval
API String ID: 0-945429370
Opcode ID: faf8502b13a62ccb95edf83ad97efc287b6ad9177deea4c7ea3ee64c968694cf
Instruction ID: 7c51d5dc0027a05e33b5fa1cf9f9eb0aeec2628c03ac4aadb71f17e3fd53b7d0
Opcode Fuzzy Hash: faf8502b13a62ccb95edf83ad97efc287b6ad9177deea4c7ea3ee64c968694cf
Instruction Fuzzy Hash: 0D516072619B80C6CB50AB15F4803AEBBA6F789B80F445516EB8D07B66DF3CC581CB54

Function 006A7D60 Relevance: 6.4, Strings: 5, Instructions: 155COMMON

Download Yara Rule

Strings

, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx1192092895507812559604644775390625: missing method AdjustTokenGroupsAttachThreadInputCertFindExtensionChoosePixelFormatCryptDecodeObjectDeleteEnhMetaFileDnsRecordListFreeEndDeferWindowPosFLE Standard TimeGC as, xrefs: 006A7FA9
bad summary databad symbol tablecastogscanstatuscontext canceledgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapnewmHandoff.lockno route to hostnon-, xrefs: 006A7FCF
runtime: searchIdx = runtime: work.nwait= stale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptionunexpected value stepwglCreateLayerContextwglDescribeLayerPlane/lib/time/zoneinfo.zip4656612873077392578125Aleuti, xrefs: 006A7F85
, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDestroyIconDestroyMenuDives_AkuruDrawMenuBarDrawTextExWEnumWindowsExitProcessFindWindowWFreeLibraryGOTRACEBACKGetAncestorGetCaretPosGetFileTypeGetIcon, xrefs: 006A7F45
runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding pwglGetCurrentDC already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625AdjustWindowRectBringWindow, xrefs: 006A7F27

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: , npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDestroyIconDestroyMenuDives_AkuruDrawMenuBarDrawTextExWEnumWindowsExitProcessFindWindowWFreeLibraryGOTRACEBACKGetAncestorGetCaretPosGetFileTypeGetIcon$, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx1192092895507812559604644775390625: missing method AdjustTokenGroupsAttachThreadInputCertFindExtensionChoosePixelFormatCryptDecodeObjectDeleteEnhMetaFileDnsRecordListFreeEndDeferWindowPosFLE Standard TimeGC as$bad summary databad symbol tablecastogscanstatuscontext canceledgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapnewmHandoff.lockno route to hostnon-$runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding pwglGetCurrentDC already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625AdjustWindowRectBringWindow$runtime: searchIdx = runtime: work.nwait= stale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptionunexpected value stepwglCreateLayerContextwglDescribeLayerPlane/lib/time/zoneinfo.zip4656612873077392578125Aleuti
API String ID: 0-3438953204
Opcode ID: eeab59b283d6fc09fc81f4c4a4c8a86845f57021a568254b57fd1a31d0d77410
Instruction ID: dd18e558b5af8765219ae3c07b4fb72430f8529bde2b5222f7e6d78b4d2915bc
Opcode Fuzzy Hash: eeab59b283d6fc09fc81f4c4a4c8a86845f57021a568254b57fd1a31d0d77410
Instruction Fuzzy Hash: A451B372719F8486DB50AB15E84039DA766F78ABD0F54412AEF9C07B6ACF3CC981CB44

Function 0068A100 Relevance: 6.3, Strings: 5, Instructions: 75COMMON

Download Yara Rule

Strings

cnt= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>AdlamBamumBatakBuhidDograErrorGetDCGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arrayclosedeferfalsefaultgFreegcinggscanhchanhttpsimap2, xrefs: 0068A1A5
-> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINE, xrefs: 0068A1E5
runtime: lfstack.push invalid packing: node=use of WriteTo with pre-connected connectioncannot send after transport endpoint shutdowncharacter string exceeds maximum length (255)exitsyscall: syscall frame is no longer validheapBitsSetType: called with non-poin, xrefs: 0068A187
packed= pointer stack=[ status 48828125AbortDocAcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDeleteDCDuployanEndPaintEqualSidEthiopicExtenderGdiFlushGeorgianGetFocusGetPixelGoStringGujaratiGurmukhiHiraganaIsIconicIsWindowIsZoomedJava, xrefs: 0068A1C5
lfstack.pushmadvdontneedmheapSpecialmspanSpecialnetapi32.dllno such hostnot pollableoleaut32.dllopengl32.dllraceFiniLockreleasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringswinspool.drvwintrust.dllwirep: p, xrefs: 0068A20F

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINE$ cnt= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>AdlamBamumBatakBuhidDograErrorGetDCGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arrayclosedeferfalsefaultgFreegcinggscanhchanhttpsimap2$ packed= pointer stack=[ status 48828125AbortDocAcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDeleteDCDuployanEndPaintEqualSidEthiopicExtenderGdiFlushGeorgianGetFocusGetPixelGoStringGujaratiGurmukhiHiraganaIsIconicIsWindowIsZoomedJava$lfstack.pushmadvdontneedmheapSpecialmspanSpecialnetapi32.dllno such hostnot pollableoleaut32.dllopengl32.dllraceFiniLockreleasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringswinspool.drvwintrust.dllwirep: p$runtime: lfstack.push invalid packing: node=use of WriteTo with pre-connected connectioncannot send after transport endpoint shutdowncharacter string exceeds maximum length (255)exitsyscall: syscall frame is no longer validheapBitsSetType: called with non-poin
API String ID: 0-1135946982
Opcode ID: 5c9c63aecd4a1eeaf96ef84013a2fd7437a53f8069967a592eb805eaee539f1c
Instruction ID: 5b15c838fe144d3e10da930a271f53496c01c44b6cf1b0635815f1b8d9298b0c
Opcode Fuzzy Hash: 5c9c63aecd4a1eeaf96ef84013a2fd7437a53f8069967a592eb805eaee539f1c
Instruction Fuzzy Hash: AB318972219B81C6DB50AF11F84139EB769FB89B80F88952AEF8D03B26CF3CC1518754

Function 006869C0 Relevance: 5.3, Strings: 4, Instructions: 256COMMON

Download Yara Rule

Strings

r10 r11 r12 r13 r14 r15 r8 r9 rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdowntraceBufunknown(wsaioctl (forced) -> node= B exp.) B work ( blocked= in use, xrefs: 00686C25
r8 r9 rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdowntraceBufunknown(wsaioctl (forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, , xrefs: 00686BA5
rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdowntraceBufunknown(wsaioctl (forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime, xrefs: 006869EB
cs deadlockfs gs no anodepollDescr10 r11 r12 r13 r14 r15 r8 r9 rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdowntraceBufunknown(wsaioctl (fo, xrefs: 00686E25

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: cs deadlockfs gs no anodepollDescr10 r11 r12 r13 r14 r15 r8 r9 rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdowntraceBufunknown(wsaioctl (fo$r10 r11 r12 r13 r14 r15 r8 r9 rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdowntraceBufunknown(wsaioctl (forced) -> node= B exp.) B work ( blocked= in use$r8 r9 rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdowntraceBufunknown(wsaioctl (forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, $rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdowntraceBufunknown(wsaioctl (forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime
API String ID: 0-1413982224
Opcode ID: 9d645f8d185dffe5de37804407c51fba22b2570d8defdf87bd6df9001cb2c3bc
Instruction ID: b4d9fb816e3c01c1a63b996d04c94938a28b20ef252b593b373d3068fadfbdca
Opcode Fuzzy Hash: 9d645f8d185dffe5de37804407c51fba22b2570d8defdf87bd6df9001cb2c3bc
Instruction Fuzzy Hash: 71C1CD76225B4086C690FF95F0813AEAB66FB89B41F415429FA8D07B27DF38C1C48769

Function 006CA640 Relevance: 5.2, Strings: 4, Instructions: 198COMMON

Download Yara Rule

Strings

out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625ActivateActCtxCertCloseStoreClientToScreenCloseClipboardCloseThemeDataCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateSe, xrefs: 006CA6F6
- < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMroNDTNSTNaNNkoPC=PDTPKTPSTUTCVaiWAT]:adxaesavxendfinfmaftpgc gp in intip4mapnilobjpc, xrefs: 006CA711
runtime: textAddr streams pipe errorsystem page size (tracebackancestorsuse of closed filevalue out of rangewglUseFontBitmapsW [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeA, xrefs: 006CA6DB
runtime: text offset out of rangeruntime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-negativetoo many Answers to pack (>65535)too many levels of symbolic l, xrefs: 006CA739

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMroNDTNSTNaNNkoPC=PDTPKTPSTUTCVaiWAT]:adxaesavxendfinfmaftpgc gp in intip4mapnilobjpc$ out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625ActivateActCtxCertCloseStoreClientToScreenCloseClipboardCloseThemeDataCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateSe$runtime: text offset out of rangeruntime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-negativetoo many Answers to pack (>65535)too many levels of symbolic l$runtime: textAddr streams pipe errorsystem page size (tracebackancestorsuse of closed filevalue out of rangewglUseFontBitmapsW [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeA
API String ID: 0-3032699057
Opcode ID: cff16743a2d4e61cbedab35ed50bc546b1a7b3d88e0cdafab77f8143d26f7df9
Instruction ID: fd00aa005222302a8eceac3e8a13e11873f4d16ce9a48ab09ccbb01a87e7214f
Opcode Fuzzy Hash: cff16743a2d4e61cbedab35ed50bc546b1a7b3d88e0cdafab77f8143d26f7df9
Instruction Fuzzy Hash: 6071B076615B88C2DB50EF55F0407AEB7A6F788B84F99512AEB8C43B29CF78C451CB00

Function 0068C8C0 Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

runtime: cannot allocate memoryruntime: failed to commit pagesruntime: split stack overflow: slice bounds out of range [%x:]slice bounds out of range [:%x] (types from different packages)28421709430404007434844970703125CertAddCertificateContextToStoreCertVerif, xrefs: 0068CAFE
persistentalloc: size == 0required key not availableruntime: bad span s.state=runtime: pcHeader: magic= segment prefix is reservedshrinking stack in libcallstartlockedm: locked to meuse of invalid sweepLocker not in stack roots range [3637978807091712951660156, xrefs: 0068CB45
persistentalloc: align is too largepidleput: P has non-empty run queueruntime: close polldesc w/o unblockruntime: createevent failed; errno=ryuFtoaFixed32 called with prec > 9too many Questions to pack (>65535)traceback did not unwind completelytransport endpo, xrefs: 0068CB1F
persistentalloc: align is not a power of 2runtime: blocked write on closing polldescsync/atomic: store of nil value into Valueunexpected signal during runtime executiongcBgMarkWorker: unexpected gcMarkWorkerModegrew heap, but no adequate free space foundheapBi, xrefs: 0068CB30

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: persistentalloc: align is not a power of 2runtime: blocked write on closing polldescsync/atomic: store of nil value into Valueunexpected signal during runtime executiongcBgMarkWorker: unexpected gcMarkWorkerModegrew heap, but no adequate free space foundheapBi$persistentalloc: align is too largepidleput: P has non-empty run queueruntime: close polldesc w/o unblockruntime: createevent failed; errno=ryuFtoaFixed32 called with prec > 9too many Questions to pack (>65535)traceback did not unwind completelytransport endpo$persistentalloc: size == 0required key not availableruntime: bad span s.state=runtime: pcHeader: magic= segment prefix is reservedshrinking stack in libcallstartlockedm: locked to meuse of invalid sweepLocker not in stack roots range [3637978807091712951660156$runtime: cannot allocate memoryruntime: failed to commit pagesruntime: split stack overflow: slice bounds out of range [%x:]slice bounds out of range [:%x] (types from different packages)28421709430404007434844970703125CertAddCertificateContextToStoreCertVerif
API String ID: 0-3020361985
Opcode ID: 73dab45d75cbff17c985ceccc9084b7bc2e31fd375ac38a56020e1224a60750e
Instruction ID: 9fab50836bdc5abef62b8de81df235c7b0182fe68ccdc353e5e7baa5394ff15b
Opcode Fuzzy Hash: 73dab45d75cbff17c985ceccc9084b7bc2e31fd375ac38a56020e1224a60750e
Instruction Fuzzy Hash: 98618B72605B86C6DB10EF05E08039AB7A6F745BE4F449226EB9D17B28DF3CC495C710

Function 006B9440 Relevance: 5.2, Strings: 4, Instructions: 159COMMON

Download Yara Rule

Strings

startm: m has pstopm holding pwglGetCurrentDC already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625AdjustWindowRectBringWindowToTopCloseEnhMetaFileCoCreateInstanceCoGetClassObjectConnect, xrefs: 006B96A7
startm: negative nmspinningstopTheWorld: holding lockstime: invalid location nametimer when must be positivetoo many callback functionswork.nwait was > work.nproc args stack map entries for 18189894035458564758300781259094947017729282379150390625Aus Central W., xrefs: 006B95FA
startm: p has runnable gsstoplockedm: not runnableunexpected fault address unexpected key value typewglGetLayerPaletteEntrieswglSetLayerPaletteEntries1455191522836685180664062572759576141834259033203125AddClipboardFormatListenerBougainville Standard TimeCentra, xrefs: 006B9696
startm: m is spinningstate not recoverabletimer data corruptionunexpected value stepwglCreateLayerContextwglDescribeLayerPlane/lib/time/zoneinfo.zip4656612873077392578125Aleutian Standard TimeAtlantic Standard TimeCaucasus Standard TimeConvertSidToStringSidWCo, xrefs: 006B96B8

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: startm: m has pstopm holding pwglGetCurrentDC already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625AdjustWindowRectBringWindowToTopCloseEnhMetaFileCoCreateInstanceCoGetClassObjectConnect$startm: m is spinningstate not recoverabletimer data corruptionunexpected value stepwglCreateLayerContextwglDescribeLayerPlane/lib/time/zoneinfo.zip4656612873077392578125Aleutian Standard TimeAtlantic Standard TimeCaucasus Standard TimeConvertSidToStringSidWCo$startm: negative nmspinningstopTheWorld: holding lockstime: invalid location nametimer when must be positivetoo many callback functionswork.nwait was > work.nproc args stack map entries for 18189894035458564758300781259094947017729282379150390625Aus Central W.$startm: p has runnable gsstoplockedm: not runnableunexpected fault address unexpected key value typewglGetLayerPaletteEntrieswglSetLayerPaletteEntries1455191522836685180664062572759576141834259033203125AddClipboardFormatListenerBougainville Standard TimeCentra
API String ID: 0-3785498658
Opcode ID: 802bf99156a1e1afac606addc95b77eb3184b8ac36292c3ba1f4b3a1f724594e
Instruction ID: ecbfc40fa9dd86c92bbc81baef5421b1e5fc26bef5563f7c96da17ed70cdf70a
Opcode Fuzzy Hash: 802bf99156a1e1afac606addc95b77eb3184b8ac36292c3ba1f4b3a1f724594e
Instruction Fuzzy Hash: D061E4B2609780CADB64CB11E0807EA7762F7867A4F48562AEB9D077A5DB3CC585CB10

Function 00694020 Relevance: 5.1, Strings: 4, Instructions: 121COMMON

Download Yara Rule

Strings

bad sweepgen in refillcall not at safe pointcannot allocate memorycompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc inv, xrefs: 006941FA
refill of span with free space remainingruntime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 calle, xrefs: 0069420B
span has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected method stepwglRealizeLayerPalettewirep: invalid p state) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Stand, xrefs: 006941D8
out of memoryruntime: seq=runtime: val=srmount errortimer expiredtraceStackTabvalue method wglShareListsxadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit19073, xrefs: 006941E9

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: bad sweepgen in refillcall not at safe pointcannot allocate memorycompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc inv$out of memoryruntime: seq=runtime: val=srmount errortimer expiredtraceStackTabvalue method wglShareListsxadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit19073$refill of span with free space remainingruntime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 calle$span has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected method stepwglRealizeLayerPalettewirep: invalid p state) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Stand
API String ID: 0-3402019271
Opcode ID: 3cba9db118989a8e0d87bb838962b1a2ece24a40993c05ab12943750aef3e19c
Instruction ID: 231cfea943650bc34e60d564f0e1f3f8afeca71d9434898231088b16a2ef1525
Opcode Fuzzy Hash: 3cba9db118989a8e0d87bb838962b1a2ece24a40993c05ab12943750aef3e19c
Instruction Fuzzy Hash: 5C51CC72605A9086CB50DF05E4803AE777AF788B94F884126EB8E07B69DF3CC986C750

Function 006D3C20 Relevance: 5.1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

Strings

, fp:-09301562578125<nil>AdlamBamumBatakBuhidDograErrorGetDCGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arrayclosedeferfalsefaultgFreegcinggscanhchanhttpsimap2imap3imapsinit int16int32int64mheapntohspanicpop3sscav schedsleepslicesse41, xrefs: 006D3CB3
stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewglGetProcAddresswrong medium type but memory size because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125AddFontResourceE, xrefs: 006D3C98
} stack=[ MB goal, flushGen gfreecnt= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=, bound = , limit = /dev/stdin12207031256103515625AdditionalAlphaBlendBad varintBeginPaintCancelIoExC, xrefs: 006D3CCF
), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHa, xrefs: 006D3D0F

Memory Dump Source

Source File: 00000000.00000002.1516899247.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.1516880995.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1516956122.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517048253.00000000007D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517065056.00000000007DA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517080484.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517094338.00000000007DD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.000000000081D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000844000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517111755.0000000000847000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.000000000084A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517177249.0000000000872000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517247479.0000000000906000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1517263502.0000000000907000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ), ->25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msnss us} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625???ADTASTBSTCATCDTCETCSTEATEDTEETEOFESTGMTHDTHSTHa$, fp:-09301562578125<nil>AdlamBamumBatakBuhidDograErrorGetDCGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arrayclosedeferfalsefaultgFreegcinggscanhchanhttpsimap2imap3imapsinit int16int32int64mheapntohspanicpop3sscav schedsleepslicesse41$stack: frame={sp:swept cached spanthread exhaustionunknown caller pcunknown type kindwait for GC cyclewglGetProcAddresswrong medium type but memory size because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125AddFontResourceE$} stack=[ MB goal, flushGen gfreecnt= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=, bound = , limit = /dev/stdin12207031256103515625AdditionalAlphaBlendBad varintBeginPaintCancelIoExC
API String ID: 0-878102341
Opcode ID: e749c8ee634cbd17a433cf7ccc8a720aabba11a96161349e39ed3ec4f78427e9
Instruction ID: 8733c08f97aa9fdf6f0a6d4085b123d1274aa12e9b70876ed1e51b33fefe308d
Opcode Fuzzy Hash: e749c8ee634cbd17a433cf7ccc8a720aabba11a96161349e39ed3ec4f78427e9
Instruction Fuzzy Hash: 78412C72618F9486CB60DB05F4803AAB765F789B80F444126EBCD43B6ADF3CC5958B44

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.FileRepMalware.23518.16980.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Threatname: Metasploit

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

Windows Analysis Report
SecuriteInfo.com.FileRepMalware.23518.16980.exe

Function 0000029C510F0109 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177
networkCOMMON

Function 0000029C510F0128 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
networkCOMMON

Function 006A7000 Relevance: 20.5, Strings: 16, Instructions: 545
COMMON

Function 0068B020 Relevance: 15.3, Strings: 12, Instructions: 340
COMMON

Function 00696020 Relevance: 15.3, Strings: 12, Instructions: 337
COMMON

Function 00686000 Relevance: 14.0, Strings: 11, Instructions: 201
COMMON

Function 006B2600 Relevance: 12.9, Strings: 10, Instructions: 391
COMMON

Function 0068AD00 Relevance: 12.7, Strings: 10, Instructions: 155
COMMON

Function 006913C5 Relevance: 12.6, Strings: 10, Instructions: 100
COMMON

Function 00687040 Relevance: 11.4, Strings: 9, Instructions: 167
COMMON

Function 00688820 Relevance: 11.4, Strings: 9, Instructions: 167
COMMON

Function 006D4820 Relevance: 11.4, Strings: 9, Instructions: 154
COMMON

Function 006810E0 Relevance: 10.3, Strings: 8, Instructions: 308
COMMON

Function 006BF360 Relevance: 10.1, Strings: 8, Instructions: 130
COMMON

Function 0069CAE0 Relevance: 8.9, Strings: 7, Instructions: 189
COMMON