Edit tour

Windows Analysis Report
NLBgWmWGow.exe

Overview

General Information

Sample name:	NLBgWmWGow.exe renamed because original name is a hash value
Original sample name:	f34858ad51b208fba47332eebcfa2cd0.exe
Analysis ID:	1522526
MD5:	f34858ad51b208fba47332eebcfa2cd0
SHA1:	68a1f0b10fb9a75efa3f62fbf4984624f5b04809
SHA256:	82be5b66142d4141a92f318cf0b103e9dd01a5508e0ca468652376faa9d4b2e7
Tags:	exeuser-abuse_ch
Infos:

Detection

Sliver

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Sliver Implants

AI detected suspicious sample

Machine Learning detection for sample

Potentially malicious time measurement code found

Contains functionality for execution timing, often used to detect debuggers

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

NLBgWmWGow.exe (PID: 2192 cmdline: "C:\Users\user\Desktop\NLBgWmWGow.exe" MD5: F34858AD51B208FBA47332EEBCFA2CD0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Sliver	According to VK9 Seecurity, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.	No Attribution	https://asec.ahnlab.com/en/47088/ https://asec.ahnlab.com/en/55652/ https://asec.ahnlab.com/en/56941/ https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
NLBgWmWGow.exe	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0xbb4ae4:$a1: ).RequestResend 0xbb2952:$a2: ).GetPrivInfo
NLBgWmWGow.exe	INDICATOR_TOOL_Sliver	Detects Sliver implant cross-platform adversary emulation/red team	ditekSHen	0x91fcc9:$s3: .WGTCPForwarder 0x920c77:$s3: .WGTCPForwarder 0x922b10:$s3: .WGTCPForwarder 0x9234ae:$s3: .WGTCPForwarder 0x925602:$s3: .WGTCPForwarder 0x926157:$s3: .WGTCPForwarder 0x91c117:$s6: .BackdoorReq 0x91fc27:$s7: .ProcessDumpReq 0x92294b:$s8: .InvokeSpawnDllReq 0x917a16:$s9: .SpawnDll 0x91c24f:$s9: .SpawnDll

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2524562692.000000C000060000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
00000005.00000000.1270976359.0000000001404000.00000002.00000001.01000000.00000003.sdmp	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0x720e4:$a1: ).RequestResend 0x6ff52:$a2: ).GetPrivInfo
00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmp	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0x720e4:$a1: ).RequestResend 0x6ff52:$a2: ).GetPrivInfo
Process Memory Space: NLBgWmWGow.exe PID: 2192	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
Process Memory Space: NLBgWmWGow.exe PID: 2192	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0x31d1b:$a1: ).RequestResend 0x6710b:$a1: ).RequestResend 0x2fb89:$a2: ).GetPrivInfo 0x65063:$a2: ).GetPrivInfo

Unpacked PEs

Source	Rule	Description	Author	Strings
5.0.NLBgWmWGow.exe.8c0000.0.unpack	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0xbb4ae4:$a1: ).RequestResend 0xbb2952:$a2: ).GetPrivInfo
5.0.NLBgWmWGow.exe.8c0000.0.unpack	INDICATOR_TOOL_Sliver	Detects Sliver implant cross-platform adversary emulation/red team	ditekSHen	0x91fcc9:$s3: .WGTCPForwarder 0x920c77:$s3: .WGTCPForwarder 0x922b10:$s3: .WGTCPForwarder 0x9234ae:$s3: .WGTCPForwarder 0x925602:$s3: .WGTCPForwarder 0x926157:$s3: .WGTCPForwarder 0x91c117:$s6: .BackdoorReq 0x91fc27:$s7: .ProcessDumpReq 0x92294b:$s8: .InvokeSpawnDllReq 0x917a16:$s9: .SpawnDll 0x91c24f:$s9: .SpawnDll
5.2.NLBgWmWGow.exe.8c0000.0.unpack	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0xbb4ae4:$a1: ).RequestResend 0xbb2952:$a2: ).GetPrivInfo
5.2.NLBgWmWGow.exe.8c0000.0.unpack	INDICATOR_TOOL_Sliver	Detects Sliver implant cross-platform adversary emulation/red team	ditekSHen	0x91fcc9:$s3: .WGTCPForwarder 0x920c77:$s3: .WGTCPForwarder 0x922b10:$s3: .WGTCPForwarder 0x9234ae:$s3: .WGTCPForwarder 0x925602:$s3: .WGTCPForwarder 0x926157:$s3: .WGTCPForwarder 0x91c117:$s6: .BackdoorReq 0x91fc27:$s7: .ProcessDumpReq 0x92294b:$s8: .InvokeSpawnDllReq 0x917a16:$s9: .SpawnDll 0x91c24f:$s9: .SpawnDll

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: NLBgWmWGow.exe	ReversingLabs: Detection: 65%
Source: NLBgWmWGow.exe	Virustotal: Detection: 73%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Machine Learning detection for sample

Source: NLBgWmWGow.exe

Joe Sandbox ML: detected

Source: NLBgWmWGow.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 4x nop then mov rdi, 0000800000000000h		5_2_008E7120
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 4x nop then mov rsi, r9		5_2_008E7EC0

Source: global traffic

TCP traffic: 192.168.2.7:49699 -> 206.189.41.151:8443

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: ns1.mtls.ink

Source: NLBgWmWGow.exe, 00000005.00000002.2524562692.000000C00001C000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_8e9ce39f-8

System Summary

Malicious sample detected (through community Yara rule)

Source: NLBgWmWGow.exe, type: SAMPLE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: NLBgWmWGow.exe, type: SAMPLE	Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 5.0.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 5.0.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 5.2.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 5.2.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 00000005.00000000.1270976359.0000000001404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: Process Memory Space: NLBgWmWGow.exe PID: 2192, type: MEMORYSTR	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown

Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008C60A0	5_2_008C60A0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_009068C0	5_2_009068C0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_00904000	5_2_00904000
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008C6980	5_2_008C6980
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008E4980	5_2_008E4980
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_00908100	5_2_00908100
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008CD120	5_2_008CD120
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008E9120	5_2_008E9120
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008E7120	5_2_008E7120
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_00906AA0	5_2_00906AA0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008DE260	5_2_008DE260
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008CBBA0	5_2_008CBBA0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008F33C0	5_2_008F33C0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008D4B40	5_2_008D4B40
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008DBCA0	5_2_008DBCA0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008E3CC0	5_2_008E3CC0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008E75A0	5_2_008E75A0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008DF520	5_2_008DF520
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008CC560	5_2_008CC560
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008F0560	5_2_008F0560
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008E7EC0	5_2_008E7EC0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008C6E40	5_2_008C6E40
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008D3E60	5_2_008D3E60
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008D8F80	5_2_008D8F80
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008F5FE0	5_2_008F5FE0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: 5_2_008C9740	5_2_008C9740

Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: String function: 00907340 appears 37 times
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Code function: String function: 008F2BC0 appears 304 times

Source: NLBgWmWGow.exe, type: SAMPLE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: NLBgWmWGow.exe, type: SAMPLE	Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 5.0.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 5.0.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 5.2.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 5.2.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 00000005.00000000.1270976359.0000000001404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: Process Memory Space: NLBgWmWGow.exe PID: 2192, type: MEMORYSTR	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14

Source: classification engine

Classification label: mal76.troj.evad.winEXE@1/1@1/1

Source: C:\Users\user\Desktop\NLBgWmWGow.exe

File opened: C:\Windows\system32\33db74b0aa7deaed71a182d6a7ac4a6e49cb377fd8b76bee27669bf3bf1f0a09AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: NLBgWmWGow.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NLBgWmWGow.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NLBgWmWGow.exe	ReversingLabs: Detection: 65%
Source: NLBgWmWGow.exe	Virustotal: Detection: 73%

Source: C:\Users\user\Desktop\NLBgWmWGow.exe

File read: C:\Users\user\Desktop\NLBgWmWGow.exe

Jump to behavior

Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Section loaded: samlib.dll	Jump to behavior

Source: NLBgWmWGow.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: NLBgWmWGow.exe

Static file information: File size 15672832 > 1048576

Source: NLBgWmWGow.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x900400
Source: NLBgWmWGow.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x587c00

Source: NLBgWmWGow.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: NLBgWmWGow.exe

Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\NLBgWmWGow.exe

Code function: 5_2_008D8BD4 push rax; retn 00A9h

5_2_008D8BD5

Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\NLBgWmWGow.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\NLBgWmWGow.exe

Code function: 5_2_0091B800 rdtscp

5_2_0091B800

Source: NLBgWmWGow.exe, 00000005.00000002.2526349223.000001A9EB02C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\NLBgWmWGow.exe

Code function: 5_2_0091B800 Start: 0091B809 End: 0091B81F

5_2_0091B800

Source: C:\Users\user\Desktop\NLBgWmWGow.exe

Code function: 5_2_0091B800 rdtscp

5_2_0091B800

Source: C:\Users\user\Desktop\NLBgWmWGow.exe

Queries volume information: C:\Users\user\Desktop\NLBgWmWGow.exe VolumeInformation

Jump to behavior

Stealing of Sensitive Information

Yara detected Sliver Implants

Source: Yara match	File source: 00000005.00000002.2524562692.000000C000060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NLBgWmWGow.exe PID: 2192, type: MEMORYSTR

Remote Access Functionality

Yara detected Sliver Implants

Source: Yara match	File source: 00000005.00000002.2524562692.000000C000060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NLBgWmWGow.exe PID: 2192, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	11 Input Capture	11 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	11 System Information Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NLBgWmWGow.exe	66%	ReversingLabs	Win64.Trojan.SliverMarte
NLBgWmWGow.exe	74%	Virustotal		Browse
NLBgWmWGow.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ns1.mtls.ink	1%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ns1.mtls.ink	206.189.41.151	true	false	1%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
206.189.41.151	ns1.mtls.ink	United States		14061	DIGITALOCEAN-ASNUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522526
Start date and time:	2024-09-30 10:03:37 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NLBgWmWGow.exe renamed because original name is a hash value
Original Sample Name:	f34858ad51b208fba47332eebcfa2cd0.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@1/1@1/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target NLBgWmWGow.exe, PID 2192 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ns1.mtls.ink	uK3aba8QDg.exe	Get hash	malicious	Sliver	Browse	167.71.205.181
ns1.mtls.ink	n4s7yoSvzD.exe	Get hash	malicious	Sliver	Browse	167.71.205.181

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIGITALOCEAN-ASNUS	https://polidos.com/	Get hash	malicious	Unknown	Browse	157.245.65.101
	https://downcheck.nyc3.cdn.digitaloceanspaces.com/peltgon.zip	Get hash	malicious	LummaC	Browse	178.62.201.34
	https://www.newtoin.com/	Get hash	malicious	Unknown	Browse	159.89.102.253
	https://hayanami-4df5b.web.app/verifyDelivery	Get hash	malicious	Unknown	Browse	159.89.102.253
	https://hayanami-4df5b.firebaseapp.com/verifyDelivery	Get hash	malicious	Unknown	Browse	159.89.102.253
	http://ingresosoporte.ru/	Get hash	malicious	Unknown	Browse	64.227.29.131
	http://support-inc-riccardopulcini733255.codeanyapp.com/wp-admin/css/colors/blue/am/3dsece.php	Get hash	malicious	Unknown	Browse	198.199.109.95
	http://support-inc-riccardopulcini733255.codeanyapp.com/wp-admin/css/colors/blue/am/paiement.php	Get hash	malicious	Unknown	Browse	198.199.109.95
	http://support-inc-riccardopulcini733255.codeanyapp.com/wp-admin/css/colors/blue/am/	Get hash	malicious	Unknown	Browse	198.199.109.95
	http://support-inc-riccardopulcini733255.codeanyapp.com/wp-admin/css/colors/blue/am/3dsec.php	Get hash	malicious	Unknown	Browse	198.199.109.95

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

\Device\Mup\user-PC\PIPE\samr

Download File

Process:	C:\Users\user\Desktop\NLBgWmWGow.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	160
Entropy (8bit):	4.438743916256937
Encrypted:	false
SSDEEP:	3:rmHfvtH//STGlA1yqGlYUGk+ldyHGlgZty:rmHcKtGFlqty
MD5:	E467C82627F5E1524FDB4415AF19FC73
SHA1:	B86E3AA40E9FBED0494375A702EABAF1F2E56F8E
SHA-256:	116CD35961A2345CE210751D677600AADA539A66F046811FA70E1093E01F2540
SHA-512:	2A969893CC713D6388FDC768C009055BE1B35301A811A7E313D1AEEC1F75C88CCDDCD8308017A852093B1310811E90B9DA76B6330AACCF5982437D84F553183A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	................................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......3.qq..7I......6........xW4.4.....#Eg......,..l..@E............

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.10917788007758
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	NLBgWmWGow.exe
File size:	15'672'832 bytes
MD5:	f34858ad51b208fba47332eebcfa2cd0
SHA1:	68a1f0b10fb9a75efa3f62fbf4984624f5b04809
SHA256:	82be5b66142d4141a92f318cf0b103e9dd01a5508e0ca468652376faa9d4b2e7
SHA512:	2adba33e4a9e1fa1c9d362190515ec37c3c46edecbefd14d547d29e04d633a7ae468189c146ed01f95b7616e3663bb1c5ccb27811d82f1e7ad7c473bbcae4039
SSDEEP:	98304:h63dpYiApoaf25MqGpseB//7C7Y6bEZHCiOUTra2sE3KPcq7:0dpY9oaIGpz//7C7FEZHCiOUTm2Fz8
TLSH:	33F60803E8D51198C8F9D1B489254272BA70785C1B7933DB2B61F7B52B327F09EBA790
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........$........"...........................@..............................P............`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x45d0a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	f0ea7b7844bbc5bfa9bb32efdcea957c

Entrypoint Preview

Instruction
jmp 00007F1E98806BB0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
dec eax
sub esp, 30h
dec ecx
mov ebp, ecx
dec ecx
mov edi, eax
dec eax
mov edx, dword ptr [00EC8B63h]
dec eax
mov edx, dword ptr [edx]
dec eax
cmp edx, 00000000h
jne 00007F1E9880A87Eh
dec eax
mov eax, 00000000h
jmp 00007F1E9880A943h
dec eax
mov edx, dword ptr [edx]
dec eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf3a000	0x490	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf3b000	0x284d6	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe8a040	0x148	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9002fd	0x900400	675bd67d71e08d8a302d0991b341f00c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x902000	0x587b08	0x587c00	124275e4b4bf4b15b3576dfc0cdec530	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe8a000	0xaf370	0x41200	eb5c7d00ae6f649d5bb1048bd90f2a0c	False	0.38792586372360843	data	4.7843240249317125	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xf3a000	0x490	0x600	441873a8a8adf8196028290db6812a9c	False	0.3365885416666667	data	3.6138419384379086	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xf3b000	0x284d6	0x28600	d79d74bba0145021f540c69a9e37200b	False	0.13766205495356038	data	5.449915994087614	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0xf64000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 10:04:34.806612015 CEST	49699	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:04:34.820440054 CEST	8443	49699	206.189.41.151	192.168.2.7
Sep 30, 2024 10:04:34.820544004 CEST	49699	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:04:34.821121931 CEST	49699	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:04:34.825954914 CEST	8443	49699	206.189.41.151	192.168.2.7
Sep 30, 2024 10:04:35.859658957 CEST	8443	49699	206.189.41.151	192.168.2.7
Sep 30, 2024 10:04:35.877702951 CEST	49699	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:04:35.882590055 CEST	8443	49699	206.189.41.151	192.168.2.7
Sep 30, 2024 10:04:35.994426012 CEST	49699	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:04:35.994473934 CEST	49699	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:04:35.999464035 CEST	8443	49699	206.189.41.151	192.168.2.7
Sep 30, 2024 10:04:35.999483109 CEST	8443	49699	206.189.41.151	192.168.2.7
Sep 30, 2024 10:04:36.992240906 CEST	49699	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:04:36.992240906 CEST	49699	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:04:36.994107008 CEST	49701	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:04:36.997140884 CEST	8443	49699	206.189.41.151	192.168.2.7
Sep 30, 2024 10:04:36.997454882 CEST	8443	49699	206.189.41.151	192.168.2.7
Sep 30, 2024 10:04:36.997524977 CEST	49699	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:04:36.998960972 CEST	8443	49701	206.189.41.151	192.168.2.7
Sep 30, 2024 10:04:36.999051094 CEST	49701	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:04:36.999294996 CEST	49701	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:04:37.004489899 CEST	8443	49701	206.189.41.151	192.168.2.7
Sep 30, 2024 10:04:38.022294044 CEST	8443	49701	206.189.41.151	192.168.2.7
Sep 30, 2024 10:04:38.024441957 CEST	49701	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:04:38.024475098 CEST	49701	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:04:38.024475098 CEST	49701	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:04:38.029514074 CEST	8443	49701	206.189.41.151	192.168.2.7
Sep 30, 2024 10:04:38.029520988 CEST	8443	49701	206.189.41.151	192.168.2.7
Sep 30, 2024 10:04:38.029536009 CEST	8443	49701	206.189.41.151	192.168.2.7
Sep 30, 2024 10:04:38.419040918 CEST	8443	49701	206.189.41.151	192.168.2.7
Sep 30, 2024 10:04:38.462344885 CEST	49701	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:04:39.455280066 CEST	49701	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:04:39.455338955 CEST	49701	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:04:39.460334063 CEST	8443	49701	206.189.41.151	192.168.2.7
Sep 30, 2024 10:04:39.460549116 CEST	8443	49701	206.189.41.151	192.168.2.7
Sep 30, 2024 10:04:39.460629940 CEST	49701	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:06:00.857736111 CEST	49707	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:06:00.887259007 CEST	8443	49707	206.189.41.151	192.168.2.7
Sep 30, 2024 10:06:00.887403011 CEST	49707	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:06:00.890764952 CEST	49707	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:06:00.897571087 CEST	8443	49707	206.189.41.151	192.168.2.7
Sep 30, 2024 10:06:01.800367117 CEST	8443	49707	206.189.41.151	192.168.2.7
Sep 30, 2024 10:06:01.802351952 CEST	49707	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:06:01.802397966 CEST	49707	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:06:01.802449942 CEST	49707	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:06:01.807192087 CEST	8443	49707	206.189.41.151	192.168.2.7
Sep 30, 2024 10:06:01.807301044 CEST	8443	49707	206.189.41.151	192.168.2.7
Sep 30, 2024 10:06:01.807310104 CEST	8443	49707	206.189.41.151	192.168.2.7
Sep 30, 2024 10:06:02.137115002 CEST	8443	49707	206.189.41.151	192.168.2.7
Sep 30, 2024 10:06:02.178258896 CEST	49707	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:06:02.275116920 CEST	8443	49707	206.189.41.151	192.168.2.7
Sep 30, 2024 10:06:02.318856001 CEST	49707	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:06:03.287885904 CEST	49707	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:06:03.287976027 CEST	49707	8443	192.168.2.7	206.189.41.151
Sep 30, 2024 10:06:03.293414116 CEST	8443	49707	206.189.41.151	192.168.2.7
Sep 30, 2024 10:06:03.293431044 CEST	8443	49707	206.189.41.151	192.168.2.7
Sep 30, 2024 10:06:03.293581963 CEST	49707	8443	192.168.2.7	206.189.41.151

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 10:04:34.587204933 CEST	50109	53	192.168.2.7	1.1.1.1
Sep 30, 2024 10:04:34.782253027 CEST	53	50109	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 10:04:34.587204933 CEST	192.168.2.7	1.1.1.1	0x6304	Standard query (0)	ns1.mtls.ink	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 10:04:34.782253027 CEST	1.1.1.1	192.168.2.7	0x6304	No error (0)	ns1.mtls.ink		206.189.41.151	A (IP address)	IN (0x0001)	false

Target ID:	5
Start time:	04:04:33
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\NLBgWmWGow.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\NLBgWmWGow.exe"
Imagebase:	0x8c0000
File size:	15'672'832 bytes
MD5 hash:	F34858AD51B208FBA47332EEBCFA2CD0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000005.00000002.2524562692.000000C000060000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000005.00000000.1270976359.0000000001404000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Function 008CC560 Relevance: 8.0, Strings: 6, Instructions: 510COMMON

Download Yara Rule

Strings

mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockspan set block with unpopped elements found in resetcompileCallback: argument size is larger than uintptrgcControllerState.findRunnable: blackening not enab, xrefs: 008CCD3F
malloc during signalnotetsleep not on g0p mcache not flushedreflect.makeFuncStubruntime: double waitselectgo: bad wakeupsemaRoot rotateRighttrace: out of memorywirep: already in goworkbuf is not emptyws2_32.dll not foundExtensionRangeOptionsasync stack too lar, xrefs: 008CCD50
malloc deadlockmisaligned maskmissing mcache?preempt SPWRITErecovery failedruntime error: runtimer: bad pscan missed a gstartm: m has pstopm holding psync.Mutex.Locktraceback stuck, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle), xrefs: 008CCD65
delayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferencepanicwrap: unexpected string after package name: runtime.reflect_makemap: unsupported map key typeruntime: unexpe, xrefs: 008CCCF7
!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 008CC8CD
mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewruntime: unable to acquire - semaphore out of syncfatal: systemstack called from unexpected goroutinelimiterEvent.stop: invalid limiter event type foundpotentia, xrefs: 008CCD76

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$delayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferencepanicwrap: unexpected string after package name: runtime.reflect_makemap: unsupported map key typeruntime: unexpe$malloc deadlockmisaligned maskmissing mcache?preempt SPWRITErecovery failedruntime error: runtimer: bad pscan missed a gstartm: m has pstopm holding psync.Mutex.Locktraceback stuck, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)$malloc during signalnotetsleep not on g0p mcache not flushedreflect.makeFuncStubruntime: double waitselectgo: bad wakeupsemaRoot rotateRighttrace: out of memorywirep: already in goworkbuf is not emptyws2_32.dll not foundExtensionRangeOptionsasync stack too lar$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewruntime: unable to acquire - semaphore out of syncfatal: systemstack called from unexpected goroutinelimiterEvent.stop: invalid limiter event type foundpotentia$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockspan set block with unpopped elements found in resetcompileCallback: argument size is larger than uintptrgcControllerState.findRunnable: blackening not enab
API String ID: 0-101214207
Opcode ID: c8f1c5823884667f2266482cbfcaede1af1f6ae635b97b52b4e3bed179697fcd
Instruction ID: 44bce2dfd0f67f5afd93e6e7fbfd6ed90dba87d03cb3d6b2941d94c7b50d57bb
Opcode Fuzzy Hash: c8f1c5823884667f2266482cbfcaede1af1f6ae635b97b52b4e3bed179697fcd
Instruction Fuzzy Hash: 9622B272618B94C2DB10CF55E440BAABB75F389BD4F48522AEF8D87B55CB78C984CB00

Function 008CBBA0 Relevance: 6.6, Strings: 5, Instructions: 349COMMON

Download Yara Rule

Strings

out of memory allocating heap arena metadataspan on userArena.faultList has invalid sizeunsafe.Slice: ptr is nil and len is not zeroexitsyscall: syscall frame is no longer validproduced a trigger greater than the heap goaltransitioning GC to the same state as , xrefs: 008CBF46
out of memory allocating heap arena mapruntime: blocked write on free polldescstack growth not allowed in system callsuspendG from non-preemptible goroutinetrailing backslash at end of expressionbulkBarrierPreWrite: unaligned argumentscannot free workbufs when, xrefs: 008CBF68
memory reservation exceeds address space limitpanicwrap: unexpected string after type name: released less than one physical page of memoryruntime: name offset base pointer out of rangeruntime: text offset base pointer out of rangeruntime: type offset base poin, xrefs: 008CC24B
misrounded allocation in sysAllocruntime: failed to decommit pagesruntime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent loc, xrefs: 008CC23A
out of memory allocating allArenasruntime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll, xrefs: 008CBF35

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: memory reservation exceeds address space limitpanicwrap: unexpected string after type name: released less than one physical page of memoryruntime: name offset base pointer out of rangeruntime: text offset base pointer out of rangeruntime: type offset base poin$misrounded allocation in sysAllocruntime: failed to decommit pagesruntime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent loc$out of memory allocating allArenasruntime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll$out of memory allocating heap arena mapruntime: blocked write on free polldescstack growth not allowed in system callsuspendG from non-preemptible goroutinetrailing backslash at end of expressionbulkBarrierPreWrite: unaligned argumentscannot free workbufs when$out of memory allocating heap arena metadataspan on userArena.faultList has invalid sizeunsafe.Slice: ptr is nil and len is not zeroexitsyscall: syscall frame is no longer validproduced a trigger greater than the heap goaltransitioning GC to the same state as
API String ID: 0-1643033615
Opcode ID: c7fda9a2bbd62545477c825ac673fd6707ce92f9006ba9dea74200ebcba3debe
Instruction ID: 0d8545418cb4c519c2e6aec8e8d9e4091c19b6210e6260a6d9dc1650d6915d87
Opcode Fuzzy Hash: c7fda9a2bbd62545477c825ac673fd6707ce92f9006ba9dea74200ebcba3debe
Instruction Fuzzy Hash: F1F19B72609B8482DB60CB56F4407AAB7B5F789B94F44822AEFAD97789CF3CC544C740

Function 008D8F80 Relevance: 5.5, Strings: 4, Instructions: 545COMMON

Download Yara Rule

Strings

gc done but gcphase != _GCoffgfput: bad status (not Gdead)invalid character class rangeinvalid function symbol tableinvalid length of trace eventneed padding in bucket (elem)notesleep - waitm out of syncruntime.semasleep wait_failedruntime: impossible type kin, xrefs: 008D997D
failed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile bucket typemakechan: size out of rangemakeslice: cap out of rangemakeslice: len out of rangemspan.sweep: bad span stateprogToPointerMask, xrefs: 008D996C
gcinggnamegroupgscanhchanhost@hostshttpsimap2imap3imapsint16int32int64json=kind=labelmatchmheapmkdirmonthmtimename=ndr:"no IPntohsoneofpanicparsepop3srangerouterune schedsleepslicesse41sse42ssse3startsudogsweeptext/tls: traceuint8unameusageutf-8valueweak=write, xrefs: 008D9057, 008D906D
., xrefs: 008D9666

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: .$failed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile bucket typemakechan: size out of rangemakeslice: cap out of rangemakeslice: len out of rangemspan.sweep: bad span stateprogToPointerMask$gc done but gcphase != _GCoffgfput: bad status (not Gdead)invalid character class rangeinvalid function symbol tableinvalid length of trace eventneed padding in bucket (elem)notesleep - waitm out of syncruntime.semasleep wait_failedruntime: impossible type kin$gcinggnamegroupgscanhchanhost@hostshttpsimap2imap3imapsint16int32int64json=kind=labelmatchmheapmkdirmonthmtimename=ndr:"no IPntohsoneofpanicparsepop3srangerouterune schedsleepslicesse41sse42ssse3startsudogsweeptext/tls: traceuint8unameusageutf-8valueweak=write
API String ID: 0-2811292124
Opcode ID: 59e9d46feee3c29f492a168dddc6060132b43638e2d82c01c90eb0bedd1081d1
Instruction ID: 63da0958997fdd118e1521380c3518fb443016382904c531b6a6370b6968c386
Opcode Fuzzy Hash: 59e9d46feee3c29f492a168dddc6060132b43638e2d82c01c90eb0bedd1081d1
Instruction Fuzzy Hash: BB428B36609B8985EB10CF25F8903EA77B5F78AB94F449226DA8D93765DF3CC099C700

Function 009068C0 Relevance: 3.9, Strings: 3, Instructions: 124COMMON

Download Yara Rule

Strings

reflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC assist markingbad TinySizeClassentersyscallblockg already scannedgp.waiting != nilkey align too biglocked m0 woke upmark - bad statusmarkBits overflowmissing c, xrefs: 00906A3E, 00906A78
reflect.makeFuncStubruntime: double waitselectgo: bad wakeupsemaRoot rotateRighttrace: out of memorywirep: already in goworkbuf is not emptyws2_32.dll not foundExtensionRangeOptionsasync stack too largecheckdead: runnable gconcurrent map writesdefer on system , xrefs: 00906946
reflect.methodValueCallruntime: internal errorruntime: netpoll faileds.allocCount > s.nelemsschedule: holding locksshrinkstack at bad timespan has no free stacksstack growth after forkwork.nwait > work.nprocbad defer entry in panicbypassed recovery failedcan't, xrefs: 0090692C

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: reflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC assist markingbad TinySizeClassentersyscallblockg already scannedgp.waiting != nilkey align too biglocked m0 woke upmark - bad statusmarkBits overflowmissing c$reflect.makeFuncStubruntime: double waitselectgo: bad wakeupsemaRoot rotateRighttrace: out of memorywirep: already in goworkbuf is not emptyws2_32.dll not foundExtensionRangeOptionsasync stack too largecheckdead: runnable gconcurrent map writesdefer on system $reflect.methodValueCallruntime: internal errorruntime: netpoll faileds.allocCount > s.nelemsschedule: holding locksshrinkstack at bad timespan has no free stacksstack growth after forkwork.nwait > work.nprocbad defer entry in panicbypassed recovery failedcan't
API String ID: 0-3319628484
Opcode ID: 890b35dd813b5604ddac77eed26b1bf59601b1b7250ce8820cd5d30ab0882f0d
Instruction ID: d334f1cde5811d682b7b521386b4a29636bf7cbc41bce025c451b4369b7c8d9f
Opcode Fuzzy Hash: 890b35dd813b5604ddac77eed26b1bf59601b1b7250ce8820cd5d30ab0882f0d
Instruction Fuzzy Hash: AE518273314A40CACB10DF19E18025EB765F7C8BA4F589622EBAD57BA9CB38C951CB40

Function 008C6E40 Relevance: 2.9, Strings: 2, Instructions: 418COMMON

Download Yara Rule

Strings

G waiting list is corruptedaddress not a stack addresscould not find QPC syscallsexpression nests too deeplyfailed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile bucket typemakechan: size ou, xrefs: 008C73A4
unreachableabi mismatchbad flushGenbad g statusbad g0 stackbad recoverycan't happencas64 failedchan receivedumping heapentersyscallgcBitsArenaslfstack.pushmheapSpecialmspanSpecialself-preemptspanSetSpinesweepWaiterstraceStringsunexpected ) is nil, not , not po, xrefs: 008C6FF0

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: G waiting list is corruptedaddress not a stack addresscould not find QPC syscallsexpression nests too deeplyfailed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile bucket typemakechan: size ou$unreachableabi mismatchbad flushGenbad g statusbad g0 stackbad recoverycan't happencas64 failedchan receivedumping heapentersyscallgcBitsArenaslfstack.pushmheapSpecialmspanSpecialself-preemptspanSetSpinesweepWaiterstraceStringsunexpected ) is nil, not , not po
API String ID: 0-3976933040
Opcode ID: 8a8b1015463ded16ab720f5607e3356bc9b114f2ccef6b7fb274e3d4f3e3a316
Instruction ID: 22e787e9b14872c25b57fe48e5c377c95e8894bfb5d0aae4b40f683dc2f8feaf
Opcode Fuzzy Hash: 8a8b1015463ded16ab720f5607e3356bc9b114f2ccef6b7fb274e3d4f3e3a316
Instruction Fuzzy Hash: C802A372308B88C5DB64DB25E44079AB7B1F789BC4F98902ADB8C87B59CF79C495CB00

Function 008C60A0 Relevance: 2.9, Strings: 2, Instructions: 381COMMON

Download Yara Rule

Strings

G waiting list is corruptedaddress not a stack addresscould not find QPC syscallsexpression nests too deeplyfailed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile bucket typemakechan: size ou, xrefs: 008C6686
unreachableabi mismatchbad flushGenbad g statusbad g0 stackbad recoverycan't happencas64 failedchan receivedumping heapentersyscallgcBitsArenaslfstack.pushmheapSpecialmspanSpecialself-preemptspanSetSpinesweepWaiterstraceStringsunexpected ) is nil, not , not po, xrefs: 008C619B

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: G waiting list is corruptedaddress not a stack addresscould not find QPC syscallsexpression nests too deeplyfailed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile bucket typemakechan: size ou$unreachableabi mismatchbad flushGenbad g statusbad g0 stackbad recoverycan't happencas64 failedchan receivedumping heapentersyscallgcBitsArenaslfstack.pushmheapSpecialmspanSpecialself-preemptspanSetSpinesweepWaiterstraceStringsunexpected ) is nil, not , not po
API String ID: 0-3976933040
Opcode ID: 805c6b72472db84a243aa7cc4745d5e4fc272e08102eb6ddc1ffbac5c4645bca
Instruction ID: c08034ff7c48190bbeaffb9b6e1d4a16d7b4084b474df433a4229254f894acfb
Opcode Fuzzy Hash: 805c6b72472db84a243aa7cc4745d5e4fc272e08102eb6ddc1ffbac5c4645bca
Instruction Fuzzy Hash: C7F1A132208B88C6D710DB25E4407AEB7B1F789BE4F945239DA9C97B99DF39C4A4C740

Function 008F0560 Relevance: 2.7, Strings: 2, Instructions: 249COMMON

Download Yara Rule

Strings

self-preemptspanSetSpinesweepWaiterstraceStringsunexpected ) is nil, not , not pointerGC sweep waitbad map statedalTLDpSugct?double unlockfilter methodinvalid UTF-8load64 failedmin too largenil stackbaseout of memoryprofMemActiveprofMemFuturetraceStackTabvalue, xrefs: 008F09BF
runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsattempted to add zero-sized address rangegcSweep being done but phase is not GCoffmheap.freeSpanLocked - invalid span statemheap.freeSpanLocked - invalid stack freeobjects added ou, xrefs: 008F09AE

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsattempted to add zero-sized address rangegcSweep being done but phase is not GCoffmheap.freeSpanLocked - invalid span statemheap.freeSpanLocked - invalid stack freeobjects added ou$self-preemptspanSetSpinesweepWaiterstraceStringsunexpected ) is nil, not , not pointerGC sweep waitbad map statedalTLDpSugct?double unlockfilter methodinvalid UTF-8load64 failedmin too largenil stackbaseout of memoryprofMemActiveprofMemFuturetraceStackTabvalue
API String ID: 0-1298296546
Opcode ID: 11d29dd6b664cbdfc80d4efb89c631e1da971e2df326118422beb3602c452dd1
Instruction ID: 719c08c79a86411dc58030b81975032231fd69beeb380c4ad986fe5f86f59131
Opcode Fuzzy Hash: 11d29dd6b664cbdfc80d4efb89c631e1da971e2df326118422beb3602c452dd1
Instruction Fuzzy Hash: A6C17036609F8486DB20DF25E4513AA7774F38AB94F158236DBAC8379ADF39C491CB40

Function 008F33C0 Relevance: 2.7, Strings: 2, Instructions: 246COMMON

Download Yara Rule

Strings

invalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC assist markingbad TinySizeClassentersyscallblockg already scannedgp.waiting != nilkey align too, xrefs: 008F37D6
suspendG from non-preemptible goroutinetrailing backslash at end of expressionbulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0deferproc: d.panic != nil after newdeferfailed to acquire lock to reset capacityinvalid span in heapAr, xrefs: 008F37E7

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: invalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC assist markingbad TinySizeClassentersyscallblockg already scannedgp.waiting != nilkey align too$suspendG from non-preemptible goroutinetrailing backslash at end of expressionbulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0deferproc: d.panic != nil after newdeferfailed to acquire lock to reset capacityinvalid span in heapAr
API String ID: 0-3430136995
Opcode ID: 986dda33b78d4a491117312a69bddc3882a63ea803def8779547d41a26e4eb0f
Instruction ID: e84b519081479f0a045e322cbb5230cc6f91c507642a821fa045efe9320caeaa
Opcode Fuzzy Hash: 986dda33b78d4a491117312a69bddc3882a63ea803def8779547d41a26e4eb0f
Instruction Fuzzy Hash: 1DA18176209B88C2CB24CF26E04076ABB61F39ABD4F149166EF9D93B59DB3CC541CB40

Function 008F5FE0 Relevance: 2.7, Strings: 2, Instructions: 237COMMON

Download Yara Rule

Strings

casgstatus: waiting for Gwaiting but is Grunnabledelayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferencepanicwrap: unexpected string after package name: runtime.reflect, xrefs: 008F6365
casgstatus: bad incoming valuescheckmark found unmarked objectinternal error - misuse of itabnon in-use span in unswept listresetspinning: not a spinning mruntime: cannot allocate memoryruntime: failed to commit pagesslice bounds out of range [%x:]slice bounds, xrefs: 008F6394

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: casgstatus: bad incoming valuescheckmark found unmarked objectinternal error - misuse of itabnon in-use span in unswept listresetspinning: not a spinning mruntime: cannot allocate memoryruntime: failed to commit pagesslice bounds out of range [%x:]slice bounds$casgstatus: waiting for Gwaiting but is Grunnabledelayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferencepanicwrap: unexpected string after package name: runtime.reflect
API String ID: 0-2061123795
Opcode ID: fce58fc4980e159baac9ebe78e1c19bdf8a07236485830d5cdf9f1ae6211e7a4
Instruction ID: 2b3f39ef1ccf143e4212371e5a082ce5b4859f9fd6297af989a6b06f7674d050
Opcode Fuzzy Hash: fce58fc4980e159baac9ebe78e1c19bdf8a07236485830d5cdf9f1ae6211e7a4
Instruction Fuzzy Hash: A7A19336709A88C6DB14CF25E08536AB771F78AB84F148622DF9D83765EF3AC466C700

Function 00904000 Relevance: 1.6, Strings: 1, Instructions: 391COMMON

Download Yara Rule

Strings

!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 009040F0, 009041D0, 009042F0, 009043EE

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
API String ID: 0-2911004680
Opcode ID: e2927302c48882e7d5c7fead827b5c8f10964207d6aaa49ae8f67f61f975199c
Instruction ID: 443d8911cdb11cc49514856ea32a43b769dff03c92bac53d596f6cbc41679845
Opcode Fuzzy Hash: e2927302c48882e7d5c7fead827b5c8f10964207d6aaa49ae8f67f61f975199c
Instruction Fuzzy Hash: B4E1D2F2304B898ADB148B01E5103EDA667F799BD0F449526EB5E47BE8EB7CC494CB40

Function 008E75A0 Relevance: 1.6, Strings: 1, Instructions: 346COMMON

Download Yara Rule

Strings

bad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC, xrefs: 008E7845, 008E7B67

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: bad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC
API String ID: 0-3708075424
Opcode ID: e87e0647b57ac725957d170b2ef544a797a0454e245a19bda38efd4156c5ef04
Instruction ID: a2f38072cce375700b205b7d758d268f5cd4403d2d866f5e6d5fc09c13e36fd8
Opcode Fuzzy Hash: e87e0647b57ac725957d170b2ef544a797a0454e245a19bda38efd4156c5ef04
Instruction Fuzzy Hash: 73D1BB76718BD882EB20CB66F4407DAA725F39ABD0F444122EE9E97B58DF38C545C700

Function 008E4980 Relevance: 1.6, Strings: 1, Instructions: 324COMMON

Download Yara Rule

Strings

grew heap, but no adequate free space foundmethodValueCallFrameObjs is not in a modulenon in-use span found with specials bit setroot level max pages doesn't fit in summaryruntime.SetFinalizer: finalizer already setruntime.SetFinalizer: first argument is nilru, xrefs: 008E4EC9

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: grew heap, but no adequate free space foundmethodValueCallFrameObjs is not in a modulenon in-use span found with specials bit setroot level max pages doesn't fit in summaryruntime.SetFinalizer: finalizer already setruntime.SetFinalizer: first argument is nilru
API String ID: 0-3933224645
Opcode ID: b46b87af893849322203fa089bb264b41f84a2a357aa6bf5a3434fcde46b09bd
Instruction ID: ddd13d2f8c455a9abe2d40047336baadae3c18df9295bc95782f53f496f40fd2
Opcode Fuzzy Hash: b46b87af893849322203fa089bb264b41f84a2a357aa6bf5a3434fcde46b09bd
Instruction Fuzzy Hash: 7EE16F72209BC881DB60CF56F44079AB7A5F78ABD0F54A126EE9D83B69CF38C454CB40

Function 00906AA0 Relevance: 1.5, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

bad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC assist markingb, xrefs: 00906DB3, 00906DE6

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: bad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC assist markingb
API String ID: 0-989636611
Opcode ID: c70b7b3eb36a8c68ed499001324bf2bfde4ff67a8623b086a02e38cb34609f46
Instruction ID: a30f8516c23a24f96e08fc0a8e8dfc42c8a58bdd6c7008aaa895ad4ade05e65d
Opcode Fuzzy Hash: c70b7b3eb36a8c68ed499001324bf2bfde4ff67a8623b086a02e38cb34609f46
Instruction Fuzzy Hash: C491EFB2308A90CACB149F29E44039AB776F789BD0F549511EF8D47BD8DB78C961CB00

Function 008D3E60 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

bulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0deferproc: d.panic != nil after newdeferfailed to acquire lock to reset capacityinvalid span in heapArena for user arenamarkWorkerStop: unknown mark worker modemust be able to trac, xrefs: 008D414F

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: bulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0deferproc: d.panic != nil after newdeferfailed to acquire lock to reset capacityinvalid span in heapArena for user arenamarkWorkerStop: unknown mark worker modemust be able to trac
API String ID: 0-2536305361
Opcode ID: 1eb2daeefa06eef645680338e17b9a2e2b7d9a745c0bd88c3e3e924b917acc09
Instruction ID: edb705fe6502158cd8f27c6cea835faf5a475d2da48ba27f1b9fda811234a05d
Opcode Fuzzy Hash: 1eb2daeefa06eef645680338e17b9a2e2b7d9a745c0bd88c3e3e924b917acc09
Instruction Fuzzy Hash: F0719EB6609A88C2DB508F5AE14039AB7B2F754BC0F549627EF8887B59DF38C4A1C700

Function 008E9120 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

bad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC, xrefs: 008E93A6

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: bad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failureworkbuf is empty0123456789ABCDEFX: missing method GC
API String ID: 0-3708075424
Opcode ID: 1595bdc19ac37078b0e6e5e14033519324da3bea356b30c7f120bd71085a0af9
Instruction ID: 03bfd52a4f9ae3f79835e8ef1e8ef70509df5685a5eb0079b8f5079a169ecb1b
Opcode Fuzzy Hash: 1595bdc19ac37078b0e6e5e14033519324da3bea356b30c7f120bd71085a0af9
Instruction Fuzzy Hash: 5E51C0B7610B8882DB109F56E0403DEA761F78ABE0F445226EFAD9379ACB78C594C740

Function 008D4B40 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c649b3c172b4b247aa5a07cff3016b675e172a6289f4f4fc084141e5b176f78f
Instruction ID: 38d272ed545e4aedbae243d3951dc68489fc0bac2d80548c3210c5bdf9a461e7
Opcode Fuzzy Hash: c649b3c172b4b247aa5a07cff3016b675e172a6289f4f4fc084141e5b176f78f
Instruction Fuzzy Hash: 7AC14866709BC882CA609B57F84079AA765F389FD4F449227EF9DA7B58CF38C450CB40

Function 008C6980 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f765301f82f5942bd5cdcccb7b178fd8eeb8dcc25429f9ed4b21e5da9d905e9b
Instruction ID: cd4e07711a7cbe983e6774262a165906c613313103dc2e97cd0cb98ee6883bb2
Opcode Fuzzy Hash: f765301f82f5942bd5cdcccb7b178fd8eeb8dcc25429f9ed4b21e5da9d905e9b
Instruction Fuzzy Hash: 75B1B132209B8CC5DB10CB15E1407AAB3B5FB49BD8F589539DA4E87B54EF39D8A5C340

Function 008E7120 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3710b85e2aa183e942ef7525d24f65d15c9b52c3346dcc053194677c1546739
Instruction ID: 1fd88e849cd57d855fcc75599fec3a236e158256534c90a7543e88c0dbd9dfa6
Opcode Fuzzy Hash: c3710b85e2aa183e942ef7525d24f65d15c9b52c3346dcc053194677c1546739
Instruction Fuzzy Hash: 5F912B76618BC882DB108F15F48039AB7A5F78ABD4F545226EB9D93B99CF38C055CB00

Function 008E7EC0 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c13c0e08c090ead6c863d3c153435ef87806bdb93740d8c0f93cf94ecc983c
Instruction ID: fceaa8e85b630c33ff1b0ca3789e040dd2789456e503873fa55c2e07c0e4de7c
Opcode Fuzzy Hash: a2c13c0e08c090ead6c863d3c153435ef87806bdb93740d8c0f93cf94ecc983c
Instruction Fuzzy Hash: D8719CB2718BC882DB108F56E4807AEA762F796BC0F585126EB8D93B59CF7CC445CB40

Function 008DBCA0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4df2e2018a08343c349de9ea754853a4cf8f2c413df38b5867ed8b364f1337
Instruction ID: 1288a790314495212301c22a08863d0062275933d1fa1e25dd7b72404cbf76ab
Opcode Fuzzy Hash: 0a4df2e2018a08343c349de9ea754853a4cf8f2c413df38b5867ed8b364f1337
Instruction Fuzzy Hash: 7F612772608B84C6DB05CB36E44079AB7A2F796BD0F499323EA9D93785DF38C054CB00

Function 008C9740 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ccb885c10b16e0dd90c5aecce43b0d0ed939e9838a25c5fe02d584c22fc0b0
Instruction ID: dfaf9c7dcbb71da8efc5e6d0ebd3296baa9e3e191320a9a4cae9ee471e09616e
Opcode Fuzzy Hash: 84ccb885c10b16e0dd90c5aecce43b0d0ed939e9838a25c5fe02d584c22fc0b0
Instruction Fuzzy Hash: C34136A6B11A5941AE008E2285245AAE371F74FFD0399F2B7CF2DB7768C63CD442C344

Function 00908100 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8dd43a2ddb58c2c63f327fd5de1ab3b235b750cba0dd5d5acba9b7a411f7cb0
Instruction ID: 9a963ee4c45cbdc946e76fa2de160e9fcbc8ca3c4aa339d51e891286bc981a08
Opcode Fuzzy Hash: c8dd43a2ddb58c2c63f327fd5de1ab3b235b750cba0dd5d5acba9b7a411f7cb0
Instruction Fuzzy Hash: 0541C332B08E00CEDF14DB6A9481367A396AB98794F884A31D7BD437C7DE7CC4958A04

Function 008DE260 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70291c8f2590e7b1be4bb59c5eb648d36df77579694d12de88bf9fb16887e36c
Instruction ID: d589c24965c9ecaa6419824439c292ecf34c041aad0445f040e5dd4edff9974b
Opcode Fuzzy Hash: 70291c8f2590e7b1be4bb59c5eb648d36df77579694d12de88bf9fb16887e36c
Instruction Fuzzy Hash: 2651B372609F4485D716EF26E44036A77A6FBDABC4F08D736AA4EA7725CF38C0918740

Function 008DF520 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56239efa215e5269b98243bbb29c9c20634c60e742a59a79b6cc1f8e80f9d2e5
Instruction ID: 3b8d7bc97491bdf73311eadc6df0ca3f8d00486b34d1a932fb156af77457d970
Opcode Fuzzy Hash: 56239efa215e5269b98243bbb29c9c20634c60e742a59a79b6cc1f8e80f9d2e5
Instruction Fuzzy Hash: EB41F872A0FE4445CD07DB3A6061394936AFBA7BE4F94C3335E2BA67E5DB1980429200

Function 008CD120 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff39f2e236930d64d3b750c5a725cdd2e4d29ec70949aa19ef51efe190d600a5
Instruction ID: 1686fc61ea13c8123764265b9b663e8e834f2e9e34058e658aeeb87b99d1e002
Opcode Fuzzy Hash: ff39f2e236930d64d3b750c5a725cdd2e4d29ec70949aa19ef51efe190d600a5
Instruction Fuzzy Hash: 2C21F7B1E15F484ACA47EB3A8400355921ABF9ABD0F58C736BE1FB7796E739D0D24240

Function 008E3CC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a2e90a1820a8edd454309b29f86c2a0a2f8432f1ba24267376397873a74388
Instruction ID: 3b278f7bb53f6178276955e10ce8b17cdd57a81a3c3c92d2a94fbd12d01f74a0
Opcode Fuzzy Hash: e9a2e90a1820a8edd454309b29f86c2a0a2f8432f1ba24267376397873a74388
Instruction Fuzzy Hash: 9431887A308B8D91DB548B19E4913EE6BA1F789BC0F848163DE4E43769DE38C549C700

Function 0091B800 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd9f9996209b9097601042a3b0a41139fd6352b8f256ab1a982c49b55c8a4ac
Instruction ID: 8f9617ed4459f3423fd753bfa4a1aea6094c836e4bdbaa4ebc0b3c94bb1d7c44
Opcode Fuzzy Hash: 3cd9f9996209b9097601042a3b0a41139fd6352b8f256ab1a982c49b55c8a4ac
Instruction Fuzzy Hash: C3C08CB0A0BB8918FB50830075003C02ACF8B583C8F80C0C4D28800228972C82C04108

Function 008D75C0 Relevance: 12.9, Strings: 10, Instructions: 351COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: first argument is nilruntime: releaseSudog with non-nil gp.paramunfinished open-coded defers in deferreturnunknown runnable goroutine during bootstrapactive sweepers found at start of mark phasecompileCallback: float results not supported, xrefs: 008D7C6A
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 008D7A76, 008D7ACD, 008D7B37
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 008D7B6C
, not pointerGC sweep waitbad map statedalTLDpSugct?double unlockfilter methodinvalid UTF-8load64 failedmin too largenil stackbaseout of memoryprofMemActiveprofMemFuturetraceStackTabvalue method xadd64 failedxchg64 failed to finalizer GC assist waitGC worker i, xrefs: 008D7C46
runtime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsattempted to add zero-sized address rangegcSweep being done but phase is not GCoffmheap.freeSpanLocked - invalid span statemheap.freeSpanLoc, xrefs: 008D7C55
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 008D7A61, 008D7AB8, 008D7B22
runtime.SetFinalizer: first argument was allocated into an arenaruntime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizecannot convert slice with length %y to array or pointer to array w, xrefs: 008D7C13
runtime.SetFinalizer: pointer not in allocated blockspan set block with unpopped elements found in resetcompileCallback: argument size is larger than uintptrgcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - dead, xrefs: 008D7C02
, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 008D7B5D
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 008D7AFC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$, not pointerGC sweep waitbad map statedalTLDpSugct?double unlockfilter methodinvalid UTF-8load64 failedmin too largenil stackbaseout of memoryprofMemActiveprofMemFuturetraceStackTabvalue method xadd64 failedxchg64 failed to finalizer GC assist waitGC worker i$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: first argument is nilruntime: releaseSudog with non-nil gp.paramunfinished open-coded defers in deferreturnunknown runnable goroutine during bootstrapactive sweepers found at start of mark phasecompileCallback: float results not supported$runtime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsattempted to add zero-sized address rangegcSweep being done but phase is not GCoffmheap.freeSpanLocked - invalid span statemheap.freeSpanLoc$runtime.SetFinalizer: first argument was allocated into an arenaruntime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizecannot convert slice with length %y to array or pointer to array w$runtime.SetFinalizer: pointer not in allocated blockspan set block with unpopped elements found in resetcompileCallback: argument size is larger than uintptrgcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - dead$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-4046867270
Opcode ID: a630293dbf35001db11a8477b64bb43b50c004b360bbd4e9f48d9b35063b51f2
Instruction ID: 23409cbca801e2e1ed70d91244c07d41303c690ea8b0022b4eb8c3b08e341e36
Opcode Fuzzy Hash: a630293dbf35001db11a8477b64bb43b50c004b360bbd4e9f48d9b35063b51f2
Instruction Fuzzy Hash: CCF18F32609BC486DB209F15E4503AEB7A1F785B90F448627DB9D93B99EF3CC594C710

Function 008C7A60 Relevance: 12.7, Strings: 10, Instructions: 194COMMON

Download Yara Rule

Strings

l655, xrefs: 008C7C95
debugCal, xrefs: 008C7C50
call from unknown functioncorrupted semaphore ticketforEachP: P did not run fnfreedefer with d.fn != nilnegative idle mark workersnotewakeup - double wakeupout of memory (stackalloc)persistentalloc: size == 0shrinking stack in libcallssh: invalid packet length, xrefs: 008C7AAD, 008C7AB9
call not at safe pointcompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnon-positive dimensionoldoverflow is not, xrefs: 008C7D62, 008C7D6E
debugCal, xrefs: 008C7C0E
debugCal, xrefs: 008C7BB8
runtime., xrefs: 008C7CB6
debugCal, xrefs: 008C7AF3
call from within the Go runtimecasgstatus: bad incoming valuescheckmark found unmarked objectinternal error - misuse of itabnon in-use span in unswept listresetspinning: not a spinning mruntime: cannot allocate memoryruntime: failed to commit pagesslice bounds, xrefs: 008C7CDB, 008C7CE7
debugCal, xrefs: 008C7B52

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: call from unknown functioncorrupted semaphore ticketforEachP: P did not run fnfreedefer with d.fn != nilnegative idle mark workersnotewakeup - double wakeupout of memory (stackalloc)persistentalloc: size == 0shrinking stack in libcallssh: invalid packet length$call from within the Go runtimecasgstatus: bad incoming valuescheckmark found unmarked objectinternal error - misuse of itabnon in-use span in unswept listresetspinning: not a spinning mruntime: cannot allocate memoryruntime: failed to commit pagesslice bounds$call not at safe pointcompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnon-positive dimensionoldoverflow is not$debugCal$debugCal$debugCal$debugCal$debugCal$l655$runtime.
API String ID: 0-3127990129
Opcode ID: 6b060cceff54ec3e5b77ce36aa9208f0234ab2dd26e0c83861b8c842cdc48567
Instruction ID: fa343380aac423733faad3c4a8afbdbc7b619c6b027b31d3ecbee0732d5bd82f
Opcode Fuzzy Hash: 6b060cceff54ec3e5b77ce36aa9208f0234ab2dd26e0c83861b8c842cdc48567
Instruction Fuzzy Hash: B0718DB260DA86C5DF24DB15D040B7977B1F795BA8F58C42AD74A83724EB78CA84CF02

Function 008C84E0 Relevance: 11.4, Strings: 9, Instructions: 167COMMON

Download Yara Rule

Strings

is nil, not , not pointerGC sweep waitbad map statedalTLDpSugct?double unlockfilter methodinvalid UTF-8load64 failedmin too largenil stackbaseout of memoryprofMemActiveprofMemFuturetraceStackTabvalue method xadd64 failedxchg64 failed to finalizer GC assist wa, xrefs: 008C8844
: missing method GC assist markingbad TinySizeClassentersyscallblockg already scannedgp.waiting != nilkey align too biglocked m0 woke upmark - bad statusmarkBits overflowmissing closing )missing closing ]notetsleepg on g0runtime.newosprocruntime/internal/scano, xrefs: 008C87D7
is not pointer00000000BAD RANK_UNKNOWNdeadlockpollDescrwmutexRrwmutexWscavengetraceBufatomicor8bad prunechan sendctxt != 0hchanLeafinterfacemSpanDeadmap_entrypanicwaitpclmulqdqpreemptedprofBlockrwxrwxrwxstackpooltracebackwbufSpansBad varintGOMAXPROCSGOMEMLIM, xrefs: 008C879F
interfacemSpanDeadmap_entrypanicwaitpclmulqdqpreemptedprofBlockrwxrwxrwxstackpooltracebackwbufSpansBad varintGOMAXPROCSGOMEMLIMITatomicand8debug callexitThreadfloat32nanfloat64nanmSpanInUsenotifyListprofInsertsemacquirestackLargeunknown pcassistQueuebad m valu, xrefs: 008C851B
interface conversion: kernel32.dll not foundminpc or maxpc invalidnon-positive dimensionoldoverflow is not nilruntime.main not on m0s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2trace reader (bloc, xrefs: 008C85BD, 008C8774, 008C8859
(types from different scopes)GODEBUG: unknown cpu feature "assignment to entry in nil mapcheckdead: inconsistent countsfailed to get system page sizefreedefer with d._panic != nilinvalid pointer found on stackndr:"varying,X-subStringArray"notetsleep - waitm o, xrefs: 008C8734
is on %04x><) = +Inf-Inf-inf...:.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.xml000001000x%x100010803125: %s:464:88*ABRTACDTACSTAEDTAESTAKDTAKSTALRMAWSTAhomArgsAtoiCASECESTCHARCOWSCZARCallChamDATADashEESTEnumFOZYGOGCGrayHKCCHKCRHKCUHKLMHKPDHORNHigh, xrefs: 008C85F2
, not , val .local.onion.proto0x%08x390625; and <-chanACARIDALIYOSARGALSASLOPEAnswerArabicAugustBIOGASBOINGSBOSQUEBinaryBitBltBrahmiCANCELCHAKRACHINASCINQUECarianChakmaClosedCommonCopticDREARYEMETINEndDocExpectFieldsFormatFridayGAMMEDGOAWAYGOWANSGUIROSGetACPGo, xrefs: 008C861D
(types from different packages)WSAGetOverlappedResult not found" not supported for cpu option "invalid limiter event type foundremovespecial on invalid pointerruntime.semasleep wait_abandonedruntime: failed to release pagesruntime: fixalloc size too largerunt, xrefs: 008C8715

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: (types from different packages)WSAGetOverlappedResult not found" not supported for cpu option "invalid limiter event type foundremovespecial on invalid pointerruntime.semasleep wait_abandonedruntime: failed to release pagesruntime: fixalloc size too largerunt$ (types from different scopes)GODEBUG: unknown cpu feature "assignment to entry in nil mapcheckdead: inconsistent countsfailed to get system page sizefreedefer with d._panic != nilinvalid pointer found on stackndr:"varying,X-subStringArray"notetsleep - waitm o$ is on %04x><) = +Inf-Inf-inf...:.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.xml000001000x%x100010803125: %s:464:88*ABRTACDTACSTAEDTAESTAKDTAKSTALRMAWSTAhomArgsAtoiCASECESTCHARCOWSCZARCallChamDATADashEESTEnumFOZYGOGCGrayHKCCHKCRHKCUHKLMHKPDHORNHigh$ is nil, not , not pointerGC sweep waitbad map statedalTLDpSugct?double unlockfilter methodinvalid UTF-8load64 failedmin too largenil stackbaseout of memoryprofMemActiveprofMemFuturetraceStackTabvalue method xadd64 failedxchg64 failed to finalizer GC assist wa$ is not pointer00000000BAD RANK_UNKNOWNdeadlockpollDescrwmutexRrwmutexWscavengetraceBufatomicor8bad prunechan sendctxt != 0hchanLeafinterfacemSpanDeadmap_entrypanicwaitpclmulqdqpreemptedprofBlockrwxrwxrwxstackpooltracebackwbufSpansBad varintGOMAXPROCSGOMEMLIM$, not , val .local.onion.proto0x%08x390625; and <-chanACARIDALIYOSARGALSASLOPEAnswerArabicAugustBIOGASBOINGSBOSQUEBinaryBitBltBrahmiCANCELCHAKRACHINASCINQUECarianChakmaClosedCommonCopticDREARYEMETINEndDocExpectFieldsFormatFridayGAMMEDGOAWAYGOWANSGUIROSGetACPGo$: missing method GC assist markingbad TinySizeClassentersyscallblockg already scannedgp.waiting != nilkey align too biglocked m0 woke upmark - bad statusmarkBits overflowmissing closing )missing closing ]notetsleepg on g0runtime.newosprocruntime/internal/scano$interface conversion: kernel32.dll not foundminpc or maxpc invalidnon-positive dimensionoldoverflow is not nilruntime.main not on m0s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2trace reader (bloc$interfacemSpanDeadmap_entrypanicwaitpclmulqdqpreemptedprofBlockrwxrwxrwxstackpooltracebackwbufSpansBad varintGOMAXPROCSGOMEMLIMITatomicand8debug callexitThreadfloat32nanfloat64nanmSpanInUsenotifyListprofInsertsemacquirestackLargeunknown pcassistQueuebad m valu
API String ID: 0-657713465
Opcode ID: 411cbcdc4419756cf297874a20e085e5124cb238a3b8263b0a1bf2f3c08c9dc5
Instruction ID: 82622f2d0f3bbaec1eb7d5da55f1dd19a942ca0ce15b859b3210056788f13a26
Opcode Fuzzy Hash: 411cbcdc4419756cf297874a20e085e5124cb238a3b8263b0a1bf2f3c08c9dc5
Instruction Fuzzy Hash: 9991DF76208BC4D5DB64DB15F8803DAB3A1F789B84F548026DADC97B69EF78C199CB00

Function 008C1060 Relevance: 9.1, Strings: 7, Instructions: 306COMMON

Download Yara Rule

Strings

cpu., xrefs: 008C10F3
GODEBUG: can not enable "PLTE, color type mismatch_cgo_thread_start missingallgadd: bad status Gidlearena already initializedbad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timermissing st, xrefs: 008C132C
" not supported for cpu option "invalid limiter event type foundremovespecial on invalid pointerruntime.semasleep wait_abandonedruntime: failed to release pagesruntime: fixalloc size too largeruntime: mcall function returnedruntime: stack split at bad timerunt, xrefs: 008C1234
GODEBUG: no value specified for "concurrent map read and map writefindrunnable: negative nmspinningfreeing stack not in a stack spanmin must be a non-zero power of 2misrounded allocation in sysAllocruntime: failed to decommit pagesruntime: name offset out of r, xrefs: 008C1288
GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failurework, xrefs: 008C1211
GODEBUG: unknown cpu feature "assignment to entry in nil mapcheckdead: inconsistent countsfailed to get system page sizefreedefer with d._panic != nilinvalid pointer found on stackndr:"varying,X-subStringArray"notetsleep - waitm out of syncrunqputslow: queue i, xrefs: 008C14B5
", missing CPU supportchan receive (nil chan)close of closed channelfatal: morestack on g0garbage collection scangcDrain phase incorrectindex out of range [%x]invalid escape sequenceleft over markroot jobsmakechan: bad alignmentmissing type in runfinqnanotim, xrefs: 008C134C

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: " not supported for cpu option "invalid limiter event type foundremovespecial on invalid pointerruntime.semasleep wait_abandonedruntime: failed to release pagesruntime: fixalloc size too largeruntime: mcall function returnedruntime: stack split at bad timerunt$", missing CPU supportchan receive (nil chan)close of closed channelfatal: morestack on g0garbage collection scangcDrain phase incorrectindex out of range [%x]invalid escape sequenceleft over markroot jobsmakechan: bad alignmentmissing type in runfinqnanotim$GODEBUG: can not enable "PLTE, color type mismatch_cgo_thread_start missingallgadd: bad status Gidlearena already initializedbad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timermissing st$GODEBUG: no value specified for "concurrent map read and map writefindrunnable: negative nmspinningfreeing stack not in a stack spanmin must be a non-zero power of 2misrounded allocation in sysAllocruntime: failed to decommit pagesruntime: name offset out of r$GODEBUG: unknown cpu feature "assignment to entry in nil mapcheckdead: inconsistent countsfailed to get system page sizefreedefer with d._panic != nilinvalid pointer found on stackndr:"varying,X-subStringArray"notetsleep - waitm out of syncrunqputslow: queue i$GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpanList.removemissing stackmapreflect mismatchschedule: in cgossh: MAC failurework$cpu.
API String ID: 0-511654176
Opcode ID: 7a47d2c99a57dd3571b29c0acf22757bb3443d0a1245d335d43b7c6c3f093aa1
Instruction ID: eccdfde9bb411ae009b409a89974afc15573291db7214689422e5da5ec1f1e8d
Opcode Fuzzy Hash: 7a47d2c99a57dd3571b29c0acf22757bb3443d0a1245d335d43b7c6c3f093aa1
Instruction Fuzzy Hash: 0BC1A136208B88C1DF00DB65E0847AAAB75F38ABD4F545116EB8E87B5ADF7CC980C751

Function 008C9080 Relevance: 8.9, Strings: 7, Instructions: 170COMMON

Download Yara Rule

Strings

panicwrap: unexpected string after type name: released less than one physical page of memoryruntime: name offset base pointer out of rangeruntime: text offset base pointer out of rangeruntime: type offset base pointer out of rangeslice bounds out of range [:%x, xrefs: 008C91E8
panicwrap: no ( in panicwrap: no ) in runtime: preempt g0semaRoot rotateLeftstopm holding lockssysMemStat overflowtoo much pixel dataunexpected g statusunknown wait reasonwinmm.dll not foundbad system page sizebad use of bucket.bpbad use of bucket.mpchan send , xrefs: 008C93C2
), xrefs: 008C91AE
value method xadd64 failedxchg64 failed to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.W, xrefs: 008C9253
panicwrap: no ) in runtime: preempt g0semaRoot rotateLeftstopm holding lockssysMemStat overflowtoo much pixel dataunexpected g statusunknown wait reasonwinmm.dll not foundbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of , xrefs: 008C937F
pointer00000000BAD RANK_UNKNOWNdeadlockpollDescrwmutexRrwmutexWscavengetraceBufatomicor8bad prunechan sendctxt != 0hchanLeafinterfacemSpanDeadmap_entrypanicwaitpclmulqdqpreemptedprofBlockrwxrwxrwxstackpooltracebackwbufSpansBad varintGOMAXPROCSGOMEMLIMITatomic, xrefs: 008C9321
panicwrap: unexpected string after package name: runtime.reflect_makemap: unsupported map key typeruntime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ysweeper left ou, xrefs: 008C9118

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: pointer00000000BAD RANK_UNKNOWNdeadlockpollDescrwmutexRrwmutexWscavengetraceBufatomicor8bad prunechan sendctxt != 0hchanLeafinterfacemSpanDeadmap_entrypanicwaitpclmulqdqpreemptedprofBlockrwxrwxrwxstackpooltracebackwbufSpansBad varintGOMAXPROCSGOMEMLIMITatomic$)$panicwrap: no ( in panicwrap: no ) in runtime: preempt g0semaRoot rotateLeftstopm holding lockssysMemStat overflowtoo much pixel dataunexpected g statusunknown wait reasonwinmm.dll not foundbad system page sizebad use of bucket.bpbad use of bucket.mpchan send $panicwrap: no ) in runtime: preempt g0semaRoot rotateLeftstopm holding lockssysMemStat overflowtoo much pixel dataunexpected g statusunknown wait reasonwinmm.dll not foundbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of $panicwrap: unexpected string after package name: runtime.reflect_makemap: unsupported map key typeruntime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ysweeper left ou$panicwrap: unexpected string after type name: released less than one physical page of memoryruntime: name offset base pointer out of rangeruntime: text offset base pointer out of rangeruntime: type offset base pointer out of rangeslice bounds out of range [:%x$value method xadd64 failedxchg64 failed to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.W
API String ID: 0-1423911815
Opcode ID: b810c90567331350c019ae900b1522934d85f78ad847b3e0b28624273303feac
Instruction ID: c1d9916c643a038364098bebcc02e3cc9aa291127735460e1cf6ec31a1c288e6
Opcode Fuzzy Hash: b810c90567331350c019ae900b1522934d85f78ad847b3e0b28624273303feac
Instruction Fuzzy Hash: 0C816732208BC484CA60DB21F84539AB7A1F788780F44966AEADC87B99DF3CC154C700

Function 008EDEE0 Relevance: 8.8, Strings: 7, Instructions: 68COMMON

Download Yara Rule

Strings

ication, xrefs: 008EDF7B
powrprof, xrefs: 008EDF06
PowerReg, xrefs: 008EDF3F
umeNotif, xrefs: 008EDF6C
gisterSu, xrefs: 008EDF4E
spendRes, xrefs: 008EDF5D
rof.dll, xrefs: 008EDF15

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: PowerReg$gisterSu$ication$powrprof$rof.dll$spendRes$umeNotif
API String ID: 0-941992356
Opcode ID: 4c4304a5bb8ea716b75b3271cffd69a6fcac9719372ec5ebd0a745fbbdbac115
Instruction ID: c62d06d170514918813c310c8e549da8fd2cf5cc37f79e7084522457368c083d
Opcode Fuzzy Hash: 4c4304a5bb8ea716b75b3271cffd69a6fcac9719372ec5ebd0a745fbbdbac115
Instruction Fuzzy Hash: EA31E5B6208B80C5D720DB11F44039AB7A5F78ABC4F988125ABDC87B6ADF7DC159CB40

Function 008D779E Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 008D7A76, 008D7ACD, 008D7B37
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 008D7B6C
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 008D7A61, 008D7AB8, 008D7B22
, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 008D7B5D
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 008D7AFC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: f2c901e37f63547293519b0259fa8890599e72aa7c0a9fc38b609b79bde4822d
Instruction ID: 4204a818ebeb679e5a9b866bcffc684e00ba9b0e81254139ac83ab1fbae8106c
Opcode Fuzzy Hash: f2c901e37f63547293519b0259fa8890599e72aa7c0a9fc38b609b79bde4822d
Instruction Fuzzy Hash: 6541AF32209A8491E720AF61E4407DEB7A1F784BC0F489A73DA99D7B58EF78D641C340

Function 008D7798 Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 008D7A76, 008D7ACD, 008D7B37
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 008D7B6C
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 008D7A61, 008D7AB8, 008D7B22
, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 008D7B5D
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 008D7AFC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: 3fee307a7e330f01c1db4333b4a0ee38ed6d368db37d8ec0c5004b4467323374
Instruction ID: 53535ab427fdc180b23281de05817ff25b33ec86aa993a1f8a756f41177a0475
Opcode Fuzzy Hash: 3fee307a7e330f01c1db4333b4a0ee38ed6d368db37d8ec0c5004b4467323374
Instruction Fuzzy Hash: 9B41A032209A8491E720AF61E4407DEB7A1F784BC0F489A73DA9DD7B58EF78D641C340

Function 008D77AA Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 008D7A76, 008D7ACD, 008D7B37
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 008D7B6C
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 008D7A61, 008D7AB8, 008D7B22
, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 008D7B5D
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 008D7AFC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: 3e98789163fc0cc8165fdafec0fd80a064323a7885d2cc8be2d1cd7a6645581c
Instruction ID: 7c1837b8c9cd87c08d31d5ba610e12ee2ec4ab068c9c4194ea7e39702753939d
Opcode Fuzzy Hash: 3e98789163fc0cc8165fdafec0fd80a064323a7885d2cc8be2d1cd7a6645581c
Instruction Fuzzy Hash: 7241AF32209A8491E720AF61E4407DEB7A1F784BC0F489A73DA99D7B58EF78D641C340

Function 008D77A4 Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 008D7A76, 008D7ACD, 008D7B37
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 008D7B6C
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 008D7A61, 008D7AB8, 008D7B22
, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 008D7B5D
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 008D7AFC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: 666766de1cb5fd137bfdbb060d69f5b2c83251fd634d686880d947e4a776c694
Instruction ID: 9fca1f049c6aedecab3b742c7c39ecba51c0ff0f63ec2c0b6950d27ef5666d95
Opcode Fuzzy Hash: 666766de1cb5fd137bfdbb060d69f5b2c83251fd634d686880d947e4a776c694
Instruction Fuzzy Hash: DC41A032209A8491E720AF61E4407DEB7A1F784BC0F489A73DA9DD7B58EF78D641C340

Function 008D77BC Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 008D7A76, 008D7ACD, 008D7B37
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 008D7B6C
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 008D7A61, 008D7AB8, 008D7B22
, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 008D7B5D
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 008D7AFC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: 666766de1cb5fd137bfdbb060d69f5b2c83251fd634d686880d947e4a776c694
Instruction ID: 9fca1f049c6aedecab3b742c7c39ecba51c0ff0f63ec2c0b6950d27ef5666d95
Opcode Fuzzy Hash: 666766de1cb5fd137bfdbb060d69f5b2c83251fd634d686880d947e4a776c694
Instruction Fuzzy Hash: DC41A032209A8491E720AF61E4407DEB7A1F784BC0F489A73DA9DD7B58EF78D641C340

Function 008D77B6 Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 008D7A76, 008D7ACD, 008D7B37
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 008D7B6C
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 008D7A61, 008D7AB8, 008D7B22
, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 008D7B5D
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 008D7AFC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: 666766de1cb5fd137bfdbb060d69f5b2c83251fd634d686880d947e4a776c694
Instruction ID: 9fca1f049c6aedecab3b742c7c39ecba51c0ff0f63ec2c0b6950d27ef5666d95
Opcode Fuzzy Hash: 666766de1cb5fd137bfdbb060d69f5b2c83251fd634d686880d947e4a776c694
Instruction Fuzzy Hash: DC41A032209A8491E720AF61E4407DEB7A1F784BC0F489A73DA9DD7B58EF78D641C340

Function 008D77B0 Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 008D7A76, 008D7ACD, 008D7B37
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 008D7B6C
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 008D7A61, 008D7AB8, 008D7B22
, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 008D7B5D
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 008D7AFC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: cc74029280aa91a67f3728fbd2b3200ef74bdfecc2104a45a146b2d01b5b87c1
Instruction ID: e840184a7f690dc860535d1f6dc2f4d2150bb62763e1e055b6767008a4003ceb
Opcode Fuzzy Hash: cc74029280aa91a67f3728fbd2b3200ef74bdfecc2104a45a146b2d01b5b87c1
Instruction Fuzzy Hash: EA41A032209A8491E720AF61E4407DEB7A1F784BC0F489A73DA9DD7B58EF78D641C340

Function 008D77C2 Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 008D7A76, 008D7ACD, 008D7B37
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 008D7B6C
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 008D7A61, 008D7AB8, 008D7B22
, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 008D7B5D
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 008D7AFC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: 3c40e0294d9982f0d368514538102b54b5a4d404a8009e799502b4d3a2b1dc51
Instruction ID: b0fbcbf932f51bf2907069a88431b79c09873dab462ac7ed92c4c80ac6f2de33
Opcode Fuzzy Hash: 3c40e0294d9982f0d368514538102b54b5a4d404a8009e799502b4d3a2b1dc51
Instruction Fuzzy Hash: 0441AF32209A8491E720AF61E4407DEB7A1F784BC0F489A73DA99D7B58EF78D641C340

Function 008D77C8 Relevance: 6.4, Strings: 5, Instructions: 112COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 008D7A76, 008D7ACD, 008D7B37
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 008D7B6C
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 008D7A61, 008D7AB8, 008D7B22
, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 008D7B5D
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 008D7AFC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: 65a108ec0b2f39c926349855c06e908f002aee4583899120190cade3612f2901
Instruction ID: d81690baaf6924cd984ad4b60cf1ac8dcb0690d0a4a9451f23f26bafdb181a0b
Opcode Fuzzy Hash: 65a108ec0b2f39c926349855c06e908f002aee4583899120190cade3612f2901
Instruction Fuzzy Hash: E641AE32309A8491E720AF61E4407DEB7A1F784BC0F489A73DA99D7B58EF78D641C340

Function 008D780B Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 008D7A76, 008D7ACD, 008D7B37
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 008D7B6C
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 008D7A61, 008D7AB8, 008D7B22
, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 008D7B5D
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 008D7AFC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: 0710ee02483309b0950de60f00114eee7eb61ef2fb7f7df83fabda7abe3bf4ab
Instruction ID: 3c0e095689fbba3ebc4a8fe411b604ab136eae0ff833b7a75351d7c3219a8d75
Opcode Fuzzy Hash: 0710ee02483309b0950de60f00114eee7eb61ef2fb7f7df83fabda7abe3bf4ab
Instruction Fuzzy Hash: E941A032249A8891E720AF51E4407DEB7A1F784BC0F489A73DA9DD7B58EF78D641C340

Function 008D7805 Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 008D7A76, 008D7ACD, 008D7B37
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 008D7B6C
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 008D7A61, 008D7AB8, 008D7B22
, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 008D7B5D
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 008D7AFC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: f7c7b08399af1838e34214d1ff6a65ae2dbdaecd7685e17fe3cfe47bdfef2d5d
Instruction ID: 526a98af28c4371b89d9764d6f4625e13aac09ecbc8522c7aa5761a8b8121287
Opcode Fuzzy Hash: f7c7b08399af1838e34214d1ff6a65ae2dbdaecd7685e17fe3cfe47bdfef2d5d
Instruction Fuzzy Hash: 1941A032249A8891E720AF51E4407DEB7A1F784BC0F489A73DA9DD7B68EF78D641C340

Function 008D781D Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 008D7A76, 008D7ACD, 008D7B37
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 008D7B6C
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 008D7A61, 008D7AB8, 008D7B22
, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 008D7B5D
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 008D7AFC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: f7c7b08399af1838e34214d1ff6a65ae2dbdaecd7685e17fe3cfe47bdfef2d5d
Instruction ID: 526a98af28c4371b89d9764d6f4625e13aac09ecbc8522c7aa5761a8b8121287
Opcode Fuzzy Hash: f7c7b08399af1838e34214d1ff6a65ae2dbdaecd7685e17fe3cfe47bdfef2d5d
Instruction Fuzzy Hash: 1941A032249A8891E720AF51E4407DEB7A1F784BC0F489A73DA9DD7B68EF78D641C340

Function 008D7817 Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 008D7A76, 008D7ACD, 008D7B37
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 008D7B6C
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 008D7A61, 008D7AB8, 008D7B22
, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 008D7B5D
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 008D7AFC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: f7c7b08399af1838e34214d1ff6a65ae2dbdaecd7685e17fe3cfe47bdfef2d5d
Instruction ID: 526a98af28c4371b89d9764d6f4625e13aac09ecbc8522c7aa5761a8b8121287
Opcode Fuzzy Hash: f7c7b08399af1838e34214d1ff6a65ae2dbdaecd7685e17fe3cfe47bdfef2d5d
Instruction Fuzzy Hash: 1941A032249A8891E720AF51E4407DEB7A1F784BC0F489A73DA9DD7B68EF78D641C340

Function 008D7811 Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 008D7A76, 008D7ACD, 008D7B37
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 008D7B6C
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 008D7A61, 008D7AB8, 008D7B22
, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 008D7B5D
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 008D7AFC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: b1be2069426497e40ce11da16927aec0badf0646c2d42680dca2c44dcbd778f1
Instruction ID: cbcdd377e68bf3d828fe3dc96190f203fba6b69b8e59687e80bfdb549e629af7
Opcode Fuzzy Hash: b1be2069426497e40ce11da16927aec0badf0646c2d42680dca2c44dcbd778f1
Instruction Fuzzy Hash: 23419F32249A8891E720AF51E4407DEB7A1F784BC0F489A73DA9DD7B68EF78D641C340

Function 008D7823 Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 008D7A76, 008D7ACD, 008D7B37
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 008D7B6C
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 008D7A61, 008D7AB8, 008D7B22
, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 008D7B5D
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 008D7AFC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: 0710ee02483309b0950de60f00114eee7eb61ef2fb7f7df83fabda7abe3bf4ab
Instruction ID: 3c0e095689fbba3ebc4a8fe411b604ab136eae0ff833b7a75351d7c3219a8d75
Opcode Fuzzy Hash: 0710ee02483309b0950de60f00114eee7eb61ef2fb7f7df83fabda7abe3bf4ab
Instruction Fuzzy Hash: E941A032249A8891E720AF51E4407DEB7A1F784BC0F489A73DA9DD7B58EF78D641C340

Function 008D77FF Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 008D7A76, 008D7ACD, 008D7B37
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 008D7B6C
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 008D7A61, 008D7AB8, 008D7B22
, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 008D7B5D
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 008D7AFC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: 18cce42056d48f0c59038c7783299a404949b465f8088cb9abacefd9d7cf523c
Instruction ID: b775f8ac2c4bd3101f92a359cfa05254e311ee887fdc5f7939363d4cd7cf61c0
Opcode Fuzzy Hash: 18cce42056d48f0c59038c7783299a404949b465f8088cb9abacefd9d7cf523c
Instruction Fuzzy Hash: 4841A032249A8891E720AF51E4407DEB7A1F784BC0F489A73DA9DD7B58EF78D641C340

Function 008D77F9 Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not , xrefs: 008D7A76, 008D7ACD, 008D7B37
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma, xrefs: 008D7B6C
to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND, xrefs: 008D7A61, 008D7AB8, 008D7B22
, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa, xrefs: 008D7B5D
because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping, xrefs: 008D7AFC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: because dotdotdotGC worker (active)bad lfnode addressbad manualFreeListchunk out of ordercleantimers: bad pcompression methoddimension overflowelem align too bigforEachP: not donegarbage collectionindex out of rangeruntime.semacreateruntime.semawakeupstopping$ to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND$, not a function0123456789ABCDEF0123456789abcdefGC scavenge waitGC worker (idle)GODEBUG: value "bad g transitionbad special kindbad summary databad symbol tablecastogscanstatusgc: unswept spaninteger overflowinvalid checksuminvalid g statusmSpanList.insertmSpa$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]attempt to clear non-empty span setfindrunnable: netpoll with spinninggreyobject: obj not $runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)acquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callnon-empty ma
API String ID: 0-3085556167
Opcode ID: a0617972e48e328b9c3d8568c9e9062623e93a07a30a4a0718024dcf84614373
Instruction ID: c1f1f9160743887c24bb957aac4f4004d0ea84ade702fe46c2b8cf2882ead8a5
Opcode Fuzzy Hash: a0617972e48e328b9c3d8568c9e9062623e93a07a30a4a0718024dcf84614373
Instruction Fuzzy Hash: F141A032249A8891E720AF51E4407DEB7A1F784BC0F489A73DA9DD7B68EF78D641C340

Function 008C15C0 Relevance: 5.4, Strings: 4, Instructions: 445COMMON

Download Yara Rule

Strings

popcntproto2proto3rdrandrdseedrdtscpreadatrealmsremoverenamereturnrune1 secondselectsendtoserversetenvsint32sint64socketsocks5stringstructswitchsyntaxsysmontelnettimersuint16uint32uint64unusedustar ustar, xrefs: 008C17F1, 008C180F
pclmulqdqpreemptedprofBlockrwxrwxrwxstackpooltracebackwbufSpansBad varintGOMAXPROCSGOMEMLIMITatomicand8debug callexitThreadfloat32nanfloat64nanmSpanInUsenotifyListprofInsertsemacquirestackLargeunknown pcassistQueuebad m valuebad timedivcgocall nilfloat32nan2fl, xrefs: 008C1646
avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6casechancx16datedef=dialelseenumermsetagexecfailfilefromftpsfuncgotogziphosthourhttpicmpidleigmpint8itabkindlazylinklistnamenoneopenpathpipepop3quitreadrootseeksizesmtpspansse2sse3synctRNStar, xrefs: 008C1AB5, 008C1AD2
sse41sse42ssse3startsudogsweeptext/tls: traceuint8unameusageutf-8valueweak=writexxxxx Value%s: %s%s: %v%v: %v, not , val .local.onion.proto0x%08x390625; and <-chanACARIDALIYOSARGALSASLOPEAnswerArabicAugustBIOGASBOINGSBOSQUEBinaryBitBltBrahmiCANCELCHAKRACHINASC, xrefs: 008C189F, 008C18BC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6casechancx16datedef=dialelseenumermsetagexecfailfilefromftpsfuncgotogziphosthourhttpicmpidleigmpint8itabkindlazylinklistnamenoneopenpathpipepop3quitreadrootseeksizesmtpspansse2sse3synctRNStar$pclmulqdqpreemptedprofBlockrwxrwxrwxstackpooltracebackwbufSpansBad varintGOMAXPROCSGOMEMLIMITatomicand8debug callexitThreadfloat32nanfloat64nanmSpanInUsenotifyListprofInsertsemacquirestackLargeunknown pcassistQueuebad m valuebad timedivcgocall nilfloat32nan2fl$popcntproto2proto3rdrandrdseedrdtscpreadatrealmsremoverenamereturnrune1 secondselectsendtoserversetenvsint32sint64socketsocks5stringstructswitchsyntaxsysmontelnettimersuint16uint32uint64unusedustar ustar$sse41sse42ssse3startsudogsweeptext/tls: traceuint8unameusageutf-8valueweak=writexxxxx Value%s: %s%s: %v%v: %v, not , val .local.onion.proto0x%08x390625; and <-chanACARIDALIYOSARGALSASLOPEAnswerArabicAugustBIOGASBOINGSBOSQUEBinaryBitBltBrahmiCANCELCHAKRACHINASC
API String ID: 0-719224210
Opcode ID: 8b7d82ed017ce75cb3dfccc3f8af762e49cd08dc472af6697418b534b50084ff
Instruction ID: 829ec7afc4723eb4c7e4fc851043a9e71f94cf1eba3c8c2a63b7f51774218e0e
Opcode Fuzzy Hash: 8b7d82ed017ce75cb3dfccc3f8af762e49cd08dc472af6697418b534b50084ff
Instruction Fuzzy Hash: 2432D176209A88D1EB00DF25F8897D97BF1F39AB84F85456AEA4D87725DF38C249C300

Function 008DC620 Relevance: 5.3, Strings: 4, Instructions: 314COMMON

Download Yara Rule

Strings

scanstack - bad statussend on closed channelspan has no free spacestack not a power of 2trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p state", missing CPU supportchan receive (nil chan)close of closed channelfatal: morestac, xrefs: 008DCB80
scanstack: goroutine not stoppedscavenger state is already wiredslice bounds out of range [%x::]slice bounds out of range [:%x:]slice bounds out of range [::%x]sweep increased allocation countGODEBUG: no value specified for "concurrent map read and map writefi, xrefs: 008DCB67
can't scan our own stackdouble traceGCSweepStartgcDrainN phase incorrecthash of unhashable type invalid interlace methodpageAlloc: out of memoryqueuefinalizer during GCrange partially overlapsrunqsteal: runq overflowspan has no free objectsupdate during transi, xrefs: 008DCB45
mark - bad statusmarkBits overflowmissing closing )missing closing ]notetsleepg on g0runtime.newosprocruntime/internal/scanobject n == 0select (no cases)swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcwait for GC cycle because dotdotdotGC w, xrefs: 008DC824

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: can't scan our own stackdouble traceGCSweepStartgcDrainN phase incorrecthash of unhashable type invalid interlace methodpageAlloc: out of memoryqueuefinalizer during GCrange partially overlapsrunqsteal: runq overflowspan has no free objectsupdate during transi$mark - bad statusmarkBits overflowmissing closing )missing closing ]notetsleepg on g0runtime.newosprocruntime/internal/scanobject n == 0select (no cases)swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcwait for GC cycle because dotdotdotGC w$scanstack - bad statussend on closed channelspan has no free spacestack not a power of 2trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p state", missing CPU supportchan receive (nil chan)close of closed channelfatal: morestac$scanstack: goroutine not stoppedscavenger state is already wiredslice bounds out of range [%x::]slice bounds out of range [:%x:]slice bounds out of range [::%x]sweep increased allocation countGODEBUG: no value specified for "concurrent map read and map writefi
API String ID: 0-2201561079
Opcode ID: e989c1a308c5f098ec4d69fe2763a061e47c8cd054f3ce2971e2977ec37a61aa
Instruction ID: f1e3843d8ef3004852b425b3cd81ef7ffee835ba4f1df8478e5a66df523ca714
Opcode Fuzzy Hash: e989c1a308c5f098ec4d69fe2763a061e47c8cd054f3ce2971e2977ec37a61aa
Instruction Fuzzy Hash: 32D15972648BC5C6DB24CB15E0807EEB7A1F789B94F489627DA8C93B59CF38C581CB41

Function 008D9A60 Relevance: 5.2, Strings: 4, Instructions: 198COMMON

Download Yara Rule

Strings

work.nwait was > work.nprocFixedStack is not power-of-2comparing uncomparable type fatal: morestack on gsignalfindrunnable: netpoll with pfound pointer to free objectgcBgMarkWorker: mode not setgcstopm: negative nmspinninginvalid runtime symbol tablemissing s, xrefs: 008D9DBB
gcBgMarkWorker: blackening not enabledindex out of range [%x] with length %yinternal error: exit hook invoked exitm changed unexpectedly in cgocallbackgmakechan: invalid channel element typeruntime: blocked read on free polldescruntime: sudog with non-false is, xrefs: 008D9DE0
work.nwait > work.nprocbad defer entry in panicbypassed recovery failedcan't scan our own stackdouble traceGCSweepStartgcDrainN phase incorrecthash of unhashable type invalid interlace methodpageAlloc: out of memoryqueuefinalizer during GCrange partially overl, xrefs: 008D9DAA
GC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND lengthbad IHDR lengthbad PL, xrefs: 008D9A95, 008D9AAC

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: GC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.WaituserArenaStatework.full != 0bad IEND lengthbad IHDR lengthbad PL$gcBgMarkWorker: blackening not enabledindex out of range [%x] with length %yinternal error: exit hook invoked exitm changed unexpectedly in cgocallbackgmakechan: invalid channel element typeruntime: blocked read on free polldescruntime: sudog with non-false is$work.nwait > work.nprocbad defer entry in panicbypassed recovery failedcan't scan our own stackdouble traceGCSweepStartgcDrainN phase incorrecthash of unhashable type invalid interlace methodpageAlloc: out of memoryqueuefinalizer during GCrange partially overl$work.nwait was > work.nprocFixedStack is not power-of-2comparing uncomparable type fatal: morestack on gsignalfindrunnable: netpoll with pfound pointer to free objectgcBgMarkWorker: mode not setgcstopm: negative nmspinninginvalid runtime symbol tablemissing s
API String ID: 0-1962062076
Opcode ID: ee70271a80a2c4014a880884e7d7ea5a51f2a7847b30a1145f7e6764cd2cb14b
Instruction ID: b2c6afc9c780713c42f9be3484db397cd96a9a31eaa06fe71561ea5cf3a1b222
Opcode Fuzzy Hash: ee70271a80a2c4014a880884e7d7ea5a51f2a7847b30a1145f7e6764cd2cb14b
Instruction Fuzzy Hash: 6B918B36609B88C2DB50CF29E48439A77B5F38ABA4F545227EA9C837A4CF79C495C740

Function 00904E40 Relevance: 5.2, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

out of memory (stackalloc)persistentalloc: size == 0shrinking stack in libcallssh: invalid packet lengthstartlockedm: locked to meuse of invalid sweepLockerwakep: negative nmspinningCurveP256CurveP384CurveP521G waiting list is corruptedaddress not a stack addr, xrefs: 00904EE4
out of memoryprofMemActiveprofMemFuturetraceStackTabvalue method xadd64 failedxchg64 failed to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queues, xrefs: 00904FBD
stack size not a power of 2stopTheWorld: holding lockstimer when must be positivetoo many callback functionswork.nwait was > work.nprocFixedStack is not power-of-2comparing uncomparable type fatal: morestack on gsignalfindrunnable: netpoll with pfound pointer, xrefs: 009050DC
stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-negativeVirtualQuery for stack base faileddoaddtimer: P already set in timerforEachP: sched.safePointWait != 0invalid nested repetition operatorinvalid or unsupported Pe, xrefs: 009050ED

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: out of memory (stackalloc)persistentalloc: size == 0shrinking stack in libcallssh: invalid packet lengthstartlockedm: locked to meuse of invalid sweepLockerwakep: negative nmspinningCurveP256CurveP384CurveP521G waiting list is corruptedaddress not a stack addr$out of memoryprofMemActiveprofMemFuturetraceStackTabvalue method xadd64 failedxchg64 failed to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queues$stack size not a power of 2stopTheWorld: holding lockstimer when must be positivetoo many callback functionswork.nwait was > work.nprocFixedStack is not power-of-2comparing uncomparable type fatal: morestack on gsignalfindrunnable: netpoll with pfound pointer$stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-negativeVirtualQuery for stack base faileddoaddtimer: P already set in timerforEachP: sched.safePointWait != 0invalid nested repetition operatorinvalid or unsupported Pe
API String ID: 0-1500535864
Opcode ID: aeee94e53eebbf57e409474b9be02c1d83c3bab75ad584b086e46cd08d12d5fe
Instruction ID: e531278c103da0dbcb9a8ecf4abf05673f1a6e9dd72d5160b8a234eec84990d1
Opcode Fuzzy Hash: aeee94e53eebbf57e409474b9be02c1d83c3bab75ad584b086e46cd08d12d5fe
Instruction Fuzzy Hash: A5618E76308B94CADB04DB15E0813AEB7A6F789B90F544535EB8E87BA5DF38C841CB41

Function 008CD3A0 Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

runtime: cannot allocate memoryruntime: failed to commit pagesslice bounds out of range [%x:]slice bounds out of range [:%x]unsafe.String: len out of rangewriteBytes with unfinished bits (types from different packages)WSAGetOverlappedResult not found" not supp, xrefs: 008CD5DE
persistentalloc: align is not a power of 2runtime: blocked write on closing polldescsweep: tried to preserve a user arena spanunexpected signal during runtime executiongcBgMarkWorker: unexpected gcMarkWorkerModegrew heap, but no adequate free space foundmethod, xrefs: 008CD610
persistentalloc: align is too largepidleput: P has non-empty run queueruntime: close polldesc w/o unblockruntime: inconsistent read deadlinessh: invalid packet length multipletraceback did not unwind completely0123456789abcdefghijklmnopqrstuvwxyzGo pointer sto, xrefs: 008CD5FF
persistentalloc: size == 0shrinking stack in libcallssh: invalid packet lengthstartlockedm: locked to meuse of invalid sweepLockerwakep: negative nmspinningCurveP256CurveP384CurveP521G waiting list is corruptedaddress not a stack addresscould not find QPC sysc, xrefs: 008CD625

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: persistentalloc: align is not a power of 2runtime: blocked write on closing polldescsweep: tried to preserve a user arena spanunexpected signal during runtime executiongcBgMarkWorker: unexpected gcMarkWorkerModegrew heap, but no adequate free space foundmethod$persistentalloc: align is too largepidleput: P has non-empty run queueruntime: close polldesc w/o unblockruntime: inconsistent read deadlinessh: invalid packet length multipletraceback did not unwind completely0123456789abcdefghijklmnopqrstuvwxyzGo pointer sto$persistentalloc: size == 0shrinking stack in libcallssh: invalid packet lengthstartlockedm: locked to meuse of invalid sweepLockerwakep: negative nmspinningCurveP256CurveP384CurveP521G waiting list is corruptedaddress not a stack addresscould not find QPC sysc$runtime: cannot allocate memoryruntime: failed to commit pagesslice bounds out of range [%x:]slice bounds out of range [:%x]unsafe.String: len out of rangewriteBytes with unfinished bits (types from different packages)WSAGetOverlappedResult not found" not supp
API String ID: 0-479432679
Opcode ID: 8d1dddf399894ba4d5ea0a89fcc41f52621df6789ed49b54679e822796570e22
Instruction ID: 5a233314b5620379b607114e2c8645e64730b63d17706b312a56e66407c76c34
Opcode Fuzzy Hash: 8d1dddf399894ba4d5ea0a89fcc41f52621df6789ed49b54679e822796570e22
Instruction Fuzzy Hash: F4618C72609B89C1DB10EF05E48079AB7B5F348BD8F849526EB9D83B28DF38C585C701

Function 008D58E0 Relevance: 5.1, Strings: 4, Instructions: 131COMMON

Download Yara Rule

Strings

bad sweepgen in refillcall not at safe pointcompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnon-positive dimen, xrefs: 008D5AE5
refill of span with free space remainingruntime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsattempted to add zero-sized address rangegcSweep being done but phase is not GCoffmheap.freeSpanLock, xrefs: 008D5AF6
out of memoryprofMemActiveprofMemFuturetraceStackTabvalue method xadd64 failedxchg64 failed to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queues, xrefs: 008D5AC5
span has no free spacestack not a power of 2trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p state", missing CPU supportchan receive (nil chan)close of closed channelfatal: morestack on g0garbage collection scangcDrain phase, xrefs: 008D5AB1

Memory Dump Source

Source File: 00000005.00000002.2522620282.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000005.00000002.2522549042.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000011C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.00000000013FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524257823.000000000174A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524273269.0000000001758000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524285596.0000000001759000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524297573.000000000175A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524317043.000000000177C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524329754.0000000001781000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.0000000001785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017E5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524342756.00000000017ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524416777.00000000017FA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2524429140.00000000017FB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8c0000_NLBgWmWGow.jbxd

Yara matches

Similarity

API ID:
String ID: bad sweepgen in refillcall not at safe pointcompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnon-positive dimen$out of memoryprofMemActiveprofMemFuturetraceStackTabvalue method xadd64 failedxchg64 failed to finalizer GC assist waitGC worker initbad allocCountbad restart PCbad span statefinalizer waitkey size wrongnil elem type!no module datanot a PNG filesemaRoot queues$refill of span with free space remainingruntime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsattempted to add zero-sized address rangegcSweep being done but phase is not GCoffmheap.freeSpanLock$span has no free spacestack not a power of 2trace reader (blocked)trace: alloc too largeunexpected length codewirep: invalid p state", missing CPU supportchan receive (nil chan)close of closed channelfatal: morestack on g0garbage collection scangcDrain phase
API String ID: 0-3123902989
Opcode ID: 9c7c22d2a7d417ed6ae443d433a55ddc65b0bf74c90b5a9a6ebf540a4fb6281b
Instruction ID: ba140f9aece4de31d64ab921fe4aa9f531fc29371d4c922ba0a93b5f6536bdaa
Opcode Fuzzy Hash: 9c7c22d2a7d417ed6ae443d433a55ddc65b0bf74c90b5a9a6ebf540a4fb6281b
Instruction Fuzzy Hash: 39517A72218BA486CB10DF15E4803AE77B5F789B94F444623EB8D47B69DF38C945C750

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NLBgWmWGow.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\Mup\user-PC\PIPE\samr

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
NLBgWmWGow.exe