Edit tour

Windows Analysis Report
D_47267_1687617Q.exe

Overview

General Information

Sample name:	D_47267_1687617Q.exe
Analysis ID:	1522881
MD5:	a31c36986e12203913067e4b5bd81665
SHA1:	5db1c9a5cccc75628fde0c2ee4d807b28f2dfc2b
SHA256:	c68c8abb1a3272b6c9bdd749b32b91dc909b0e84afd06e067bda1a81a96319b8
Tags:	exeuser-Porcupine
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Found Tor onion address

Potentially malicious time measurement code found

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

D_47267_1687617Q.exe (PID: 4836 cmdline: "C:\Users\user\Desktop\D_47267_1687617Q.exe" MD5: A31C36986E12203913067E4B5BD81665)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 86.6% probability

Bitcoin Miner

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Source: C:\Users\user\Desktop\D_47267_1687617Q.exe

Code function: 0_2_004D1CE0 LoadLibraryExW,

0_2_004D1CE0

Source: D_47267_1687617Q.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 4x nop then lock or byte ptr [rdx], dil	0_2_004BE700
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 4x nop then shr r10, 0Dh	0_2_004C9720
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 4x nop then shr r10, 0Dh	0_2_004CABC0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 4x nop then cmp rdx, rbx	0_2_004ABE60
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 4x nop then cmp rdx, 40h	0_2_004BDFC0

Networking

Found Tor onion address

Source: D_47267_1687617Q.exe, 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: m=nil base X25519%w%.0wAcceptServernetdnsdomaingophertelnetreturn.local.onionip+netCONIN$rdtscppopcntcmd/gosecretheaderAnswerLengthSTREETavx512rdrandrdseedGlobal\BooleanLayeredRoutingfloat32float64UpgradeTrailersocks5hHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGname %q:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTreaddirconsolePATHEXTTuesdayJanuaryOctoberMUI_StdMUI_DltabortedCopySidFreeSidSleepExWSARecvWSASendconnectsignal :events19531259765625invaliduintptrChanDir Value>ConvertforcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingforevernetworkUNKNOWN, goid= s=nil
Source: D_47267_1687617Q.exe	String found in binary or memory: m=nil base X25519%w%.0wAcceptServernetdnsdomaingophertelnetreturn.local.onionip+netCONIN$rdtscppopcntcmd/gosecretheaderAnswerLengthSTREETavx512rdrandrdseedGlobal\BooleanLayeredRoutingfloat32float64UpgradeTrailersocks5hHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGname %q:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTreaddirconsolePATHEXTTuesdayJanuaryOctoberMUI_StdMUI_DltabortedCopySidFreeSidSleepExWSARecvWSASendconnectsignal :events19531259765625invaliduintptrChanDir Value>ConvertforcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingforevernetworkUNKNOWN, goid= s=nil

Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004D3260 DuplicateHandle,GetCurrentThreadId,CreateWaitableTimerExW,CreateWaitableTimerExW,NtCreateWaitCompletionPacket,VirtualQuery,	0_2_004D3260
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004D1620 NtCancelWaitCompletionPacket,SetWaitableTimer,NtAssociateWaitCompletionPacket,	0_2_004D1620
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004D1A20 LoadLibraryExW,LoadLibraryExW,NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion,	0_2_004D1A20

Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004D4100	0_2_004D4100
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004A2260	0_2_004A2260
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004DE620	0_2_004DE620
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004C6760	0_2_004C6760
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004B3840	0_2_004B3840
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004E5820	0_2_004E5820
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004C5940	0_2_004C5940
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_0050598C	0_2_0050598C
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004ACD80	0_2_004ACD80
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004DEFA0	0_2_004DEFA0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004EA020	0_2_004EA020
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_0052D0C0	0_2_0052D0C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_005310E0	0_2_005310E0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004E0160	0_2_004E0160
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_0050C240	0_2_0050C240
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004C0260	0_2_004C0260
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_005332C0	0_2_005332C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004DC280	0_2_004DC280
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004B8380	0_2_004B8380
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004FC3A0	0_2_004FC3A0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004AA400	0_2_004AA400
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004D8420	0_2_004D8420
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_005354C0	0_2_005354C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_005434C0	0_2_005434C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_005384E0	0_2_005384E0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004F9480	0_2_004F9480
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_0051A500	0_2_0051A500
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_005435E0	0_2_005435E0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004F0580	0_2_004F0580
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004C3630	0_2_004C3630
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004B76C0	0_2_004B76C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004C46A0	0_2_004C46A0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004B1760	0_2_004B1760
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004C9720	0_2_004C9720
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_0052D7C0	0_2_0052D7C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_005337C0	0_2_005337C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_005437C0	0_2_005437C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004DB8C0	0_2_004DB8C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004F5940	0_2_004F5940
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004B6960	0_2_004B6960
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_00500960	0_2_00500960
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_00531900	0_2_00531900
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004D09C0	0_2_004D09C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004BE980	0_2_004BE980
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_0050EAA0	0_2_0050EAA0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004ADB60	0_2_004ADB60
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_0050FB29	0_2_0050FB29
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004CABC0	0_2_004CABC0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004D7BE0	0_2_004D7BE0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_00539BE0	0_2_00539BE0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004C9C00	0_2_004C9C00
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004FBC20	0_2_004FBC20
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004F1CC0	0_2_004F1CC0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_00509D40	0_2_00509D40
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_00519DE0	0_2_00519DE0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_00538DA0	0_2_00538DA0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004A3E40	0_2_004A3E40
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004CCE20	0_2_004CCE20
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004CDEC0	0_2_004CDEC0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004E7EC0	0_2_004E7EC0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004FEF00	0_2_004FEF00
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_0053EF00	0_2_0053EF00
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004CBF80	0_2_004CBF80
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: 0_2_004B7FA5	0_2_004B7FA5

Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: String function: 004D9160 appears 586 times
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: String function: 004D8940 appears 59 times
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: String function: 0050A860 appears 539 times
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Code function: String function: 004D63A0 appears 35 times

Source: classification engine

Classification label: mal56.evad.mine.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\D_47267_1687617Q.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\userBjorn

Source: D_47267_1687617Q.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\D_47267_1687617Q.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: D_47267_1687617Q.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: D_47267_1687617Q.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: D_47267_1687617Q.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: D_47267_1687617Q.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: D_47267_1687617Q.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: D_47267_1687617Q.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: D_47267_1687617Q.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: D_47267_1687617Q.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: D_47267_1687617Q.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: D_47267_1687617Q.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: D_47267_1687617Q.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: D_47267_1687617Q.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: D_47267_1687617Q.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: D_47267_1687617Q.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: D_47267_1687617Q.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: D_47267_1687617Q.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: D_47267_1687617Q.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: D_47267_1687617Q.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: D_47267_1687617Q.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime:
Source: D_47267_1687617Q.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime:
Source: D_47267_1687617Q.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
Source: D_47267_1687617Q.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
Source: D_47267_1687617Q.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
Source: D_47267_1687617Q.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
Source: D_47267_1687617Q.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: D_47267_1687617Q.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: D_47267_1687617Q.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: D_47267_1687617Q.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: D_47267_1687617Q.exe	String found in binary or memory: _cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandonedchacha20poly1305: bad key lengthtls: unknown Renegotiation valuetls: NextProtos values too largego package net: hostLookupOrder(mime: expected token after slashresource temporarily unavailablesoftware caused connection abortnumerical argument out of domainuse of closed network connection" not supported for cpu option "ed25519: bad public key length: x509: unsupported elliptic curvex509: invalid constraint value: x509: malformed subjectPublicKeyx509: cannot parse rfc822Name %qx509: ECDSA verification failurecrypto/aes: input not full blockcrypto/des: input not full blockcrypto/ecdh: invalid private keyunexpected character, want coloninput overflows the modulus sizeinteger is not minimally encodedcannot represent time as UTCTimechacha20: invalid buffer overlapChrome\Application\118.0.5993.120bytes.Buffer.Grow: negative countpseudo header field after regularhttp: invalid Read on closed Bodynet/http: skip alternate protocolinvalid header field value for %qpad size larger than data payloadframe_pushpromise_promiseid_shorthttp2: invalid pseudo headers: %vconnection not allowed by rulesetinvalid username/password versionunsupported transfer encoding: %qrelease of handle with refcount 0sync: RUnlock of unlocked RWMutexCryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWskip everything and stop the walkleafCounts[maxBits][maxBits] != n142108547152020037174224853515625710542735760100185871124267578125reflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of range to pointer to array with length slice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangetls: failed to write to key log: tls: invalid server finished hashtls: unexpected ServerKeyExchangego package net: confVal.netCgo = empty hex number for chunk leng
Source: D_47267_1687617Q.exe	String found in binary or memory: _cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandonedchacha20poly1305: bad key lengthtls: unknown Renegotiation valuetls: NextProtos values too largego package net: hostLookupOrder(mime: expected token after slashresource temporarily unavailablesoftware caused connection abortnumerical argument out of domainuse of closed network connection" not supported for cpu option "ed25519: bad public key length: x509: unsupported elliptic curvex509: invalid constraint value: x509: malformed subjectPublicKeyx509: cannot parse rfc822Name %qx509: ECDSA verification failurecrypto/aes: input not full blockcrypto/des: input not full blockcrypto/ecdh: invalid private keyunexpected character, want coloninput overflows the modulus sizeinteger is not minimally encodedcannot represent time as UTCTimechacha20: invalid buffer overlapChrome\Application\118.0.5993.120bytes.Buffer.Grow: negative countpseudo header field after regularhttp: invalid Read on closed Bodynet/http: skip alternate protocolinvalid header field value for %qpad size larger than data payloadframe_pushpromise_promiseid_shorthttp2: invalid pseudo headers: %vconnection not allowed by rulesetinvalid username/password versionunsupported transfer encoding: %qrelease of handle with refcount 0sync: RUnlock of unlocked RWMutexCryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWskip everything and stop the walkleafCounts[maxBits][maxBits] != n142108547152020037174224853515625710542735760100185871124267578125reflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of range to pointer to array with length slice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangetls: failed to write to key log: tls: invalid server finished hashtls: unexpected ServerKeyExchangego package net: confVal.netCgo = empty hex number for chunk leng
Source: D_47267_1687617Q.exe	String found in binary or memory: failed to construct HKDF label: %stoo many references: cannot spliceunexpected runtime.netpoll error: crypto/rsa: missing public modulusadding nil Certificate to CertPoolx509: unknown public key algorithmx509: invalid certificate policies%s %q is excluded by constraint %qx509: Ed25519 verification failurex509: unhandled critical extensioncrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapinvalid padding bits in BIT STRINGGODEBUG sys/cpu: can not disable "chacha20: wrong HChaCha20 key sizehttp: server closed idle connectionCONTINUATION frame with stream ID 02006-01-02T15:04:05.999999999Z07:00executable file not found in %PATH%SubscribeServiceChangeNotificationshash/crc32: invalid hash state sizeflate: corrupt input before offset 1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9reflect.MakeSlice of non-slice typepersistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlineNtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=unsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKtls: invalid Kyber server key sharemime: bogus characters after %%: %qhpack: invalid Huffman-encoded datadynamic table size update too largenetwork dropped connection on resettransport endpoint is not connectedfile type does not support deadlinebigmod: modulus is smaller than natx509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accessmlkem768: invalid ciphertext lengthcrypto/md5: invalid hash state sizetoo many Questions to pack (>65535)'_' must separate successive digitsP224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitysuperfluous leading zeros in lengthchacha20: output smaller than inputtransform: short destination buffernenhum arquivo .exe encontrado em %sbytes.Reader.ReadAt: negative offsethttp: unexpected EOF reading trailer LastStreamID=%v ErrCode=%v Debug=%qRoundTrip retrying after failure: %vno acceptable authentication methodsTime.UnmarshalBinary: invalid lengthstrings.Builder.Grow: negative countstrings: Join output length overflow444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzmethod ABI and value ABI don't alignlfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on
Source: D_47267_1687617Q.exe	String found in binary or memory: failed to construct HKDF label: %stoo many references: cannot spliceunexpected runtime.netpoll error: crypto/rsa: missing public modulusadding nil Certificate to CertPoolx509: unknown public key algorithmx509: invalid certificate policies%s %q is excluded by constraint %qx509: Ed25519 verification failurex509: unhandled critical extensioncrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapinvalid padding bits in BIT STRINGGODEBUG sys/cpu: can not disable "chacha20: wrong HChaCha20 key sizehttp: server closed idle connectionCONTINUATION frame with stream ID 02006-01-02T15:04:05.999999999Z07:00executable file not found in %PATH%SubscribeServiceChangeNotificationshash/crc32: invalid hash state sizeflate: corrupt input before offset 1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9reflect.MakeSlice of non-slice typepersistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlineNtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=unsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKtls: invalid Kyber server key sharemime: bogus characters after %%: %qhpack: invalid Huffman-encoded datadynamic table size update too largenetwork dropped connection on resettransport endpoint is not connectedfile type does not support deadlinebigmod: modulus is smaller than natx509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accessmlkem768: invalid ciphertext lengthcrypto/md5: invalid hash state sizetoo many Questions to pack (>65535)'_' must separate successive digitsP224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitysuperfluous leading zeros in lengthchacha20: output smaller than inputtransform: short destination buffernenhum arquivo .exe encontrado em %sbytes.Reader.ReadAt: negative offsethttp: unexpected EOF reading trailer LastStreamID=%v ErrCode=%v Debug=%qRoundTrip retrying after failure: %vno acceptable authentication methodsTime.UnmarshalBinary: invalid lengthstrings.Builder.Grow: negative countstrings: Join output length overflow444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzmethod ABI and value ABI don't alignlfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on
Source: D_47267_1687617Q.exe	String found in binary or memory: net/addrselect.go

Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe	Section loaded: umpdc.dll	Jump to behavior

Source: D_47267_1687617Q.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: D_47267_1687617Q.exe

Static file information: File size 5580288 > 1048576

Source: D_47267_1687617Q.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x26f800
Source: D_47267_1687617Q.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x289e00

Source: D_47267_1687617Q.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: D_47267_1687617Q.exe	Static PE information: section name: .xdata
Source: D_47267_1687617Q.exe	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\D_47267_1687617Q.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\D_47267_1687617Q.exe

Code function: 0_2_00512880 rdtscp

0_2_00512880

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\D_47267_1687617Q.exe

Code function: 0_2_004D2320 GetSystemInfo,SetProcessPriorityBoost,

0_2_004D2320

Source: D_47267_1687617Q.exe	Binary or memory string: sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=tlsmaxrsasizeaccess denieduser canceledPKCS1WithSHA1ECDSAWithSHA1CLIENT_RANDOM in host namelame referralgzip, deflateGetTempPath2Wlevel 3 resetsrmount errortimer expiredexchange fullRegDeleteKeyWRegEnumValueWgocacheverifyinstallgoroothtml/templateinvalid ASN.1SHA256-RSAPSSSHA384-RSAPSSSHA512-RSAPSSemail addressshared_secretname too longempty integerunsupported: SustainabilityTransformationAuthenticationInitializationRiskManagementVirtualMachineis a directoryunexpected EOFContent-LengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAMERR_UNKNOWN_%daccept-charsetcontent-lengthread_frame_eofinternal errorunknown error unknown code: Not AcceptableComputerNameExasynctimerchan: extra text: ControlServiceCreateServiceWCryptGenRandomIsWellKnownSidMakeAbsoluteSDOpenSCManagerWSetThreadTokenCertCloseStoreClearCommBreakClearCommErrorCreateEventExWCreateMutexExWCreateProcessWFindFirstFileWFormatMessageWGetConsoleModeGetProcAddressGetTickCount64IsWow64ProcessLoadLibraryExWModule32FirstWProcess32NextWSetConsoleModeSetFilePointerSizeofResourceVirtualProtectVirtualQueryExNetUserGetInfoCoInitializeExCoUninitializeGetUserNameExWTranslateNameWGetShellWindowVerQueryValueWgetprotobyname procedure in invalid syntax1907348632812595367431640625unsafe.Pointer on zero Valueunknown methoduserArenaStateGC (dedicated)read mem statsgcstoptheworldprofstackdepthtraceallocfreeGC assist waitfinalizer waitsync.Cond.Waits.allocCount= nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated RtlGetVersion
Source: D_47267_1687617Q.exe	Binary or memory string: sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=tlsmaxrsasizeaccess denieduser canceledPKCS1WithSHA1ECDSAWithSHA1CLIENT_RANDOM in host namelame referralgzip, deflateGetTempPath2Wlevel 3 resetsrmount errortimer expiredexchange fullRegDeleteKeyWRegEnumValueWgocacheverifyinstallgoroothtml/templateinvalid ASN.1SHA256-RSAPSSSHA384-RSAPSSSHA512-RSAPSSemail addressshared_secretname too longempty integerunsupported: SustainabilityTransformationAuthenticationInitializationRiskManagementVirtualMachineis a directoryunexpected EOFContent-LengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAMERR_UNKNOWN_%daccept-charsetcontent-lengthread_frame_eofinternal errorunknown error unknown code: Not AcceptableComputerNameExasynctimerchan: extra text: ControlServiceCreateServiceWCryptGenRandomIsWellKnownSidMakeAbsoluteSDOpenSCManagerWSetThreadTokenCertCloseStoreClearCommBreakClearCommErrorCreateEventExWCreateMutexExWCreateProcessWFindFirstFileWFormatMessageWGetConsoleModeGetProcAddressGetTickCount64IsWow64ProcessLoadLibraryExWModule32FirstWProcess32NextWSetConsoleModeSetFilePointerSizeofResourceVirtualProtectVirtualQueryExNetUserGetInfoCoInitializeExCoUninitializeGetUserNameExWTranslateNameWGetShellWindowVerQueryValueWgetprotobyname procedure in invalid syntax1907348632812595367431640625unsafe.Pointer on zero Valueunknown methoduserArenaStateGC (dedicated)read mem statsgcstoptheworldprofstackdepthtraceallocfreeGC assist waitfinalizer waitsync.Cond.Waits.allocCount= nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated RtlGetVersiontimeEndPeriodbad restart PC-thread limit
Source: D_47267_1687617Q.exe, 00000000.00000002.3255090691.000001FB58B3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\D_47267_1687617Q.exe

Code function: 0_2_00512880 Start: 00512889 End: 0051289F

0_2_00512880

Source: C:\Users\user\Desktop\D_47267_1687617Q.exe

Code function: 0_2_00512880 rdtscp

0_2_00512880

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\D_47267_1687617Q.exe

Code function: 0_2_004D1A20 LoadLibraryExW,LoadLibraryExW,NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion,

0_2_004D1A20

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	3 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Proxy	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Domains and IPs

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522881
Start date and time:	2024-09-30 19:52:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	D_47267_1687617Q.exe
Detection:	MAL
Classification:	mal56.evad.mine.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 16 Number of non-executed functions: 58
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: D_47267_1687617Q.exe

Joe Sandbox View / Context

Instruction
jmp 00007F47B4B9F230h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
dec eax
mov ebp, esp
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
inc ebp
xorps xmm7, xmm7
dec ebp
xor esi, esi
dec eax
mov eax, dword ptr [0050BF02h]
dec eax
mov eax, dword ptr [eax]
dec eax
cmp eax, 00000000h
je 00007F47B4BA2B35h
dec esp
mov esi, dword ptr [eax]
dec eax
sub esp, 10h
dec eax
mov eax, ecx
dec eax
mov ebx, edx
call 00007F47B4BAB28Bh

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x597000	0x53e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x587000	0xe574	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x598000	0xc060	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4fb160	0x178	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x26f6bd	0x26f800	a29212eab2bcff88ebf75811d25118eb	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x271000	0x289c70	0x289e00	11916972bff4790094a961d2ccfb1924	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4fb000	0x8b3c0	0x3d800	025198ce1ed03275e2d16ca0740de71c	False	0.36608787474593496	data	4.708294853472918	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x587000	0xe574	0xe600	6d3dda79e0681607e92302de8594ccf5	False	0.40458559782608694	data	5.434397286713313	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x596000	0xb4	0x200	e12db9011452e073ab5a219e11a01927	False	0.224609375	shared library	1.7635806726373504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x597000	0x53e	0x600	e2af31d6918e8cd9ec6b8b7f4f05e961	False	0.375	OpenPGP Public Key	3.946664231035693	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x598000	0xc060	0xc200	c11fe11bd9b213fa6e7a09b381ca1f93	False	0.25106717139175255	data	5.419919190426678	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x5a5000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

DLL	Import
kernel32.dll	WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler, AddVectoredContinueHandler

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler, AddVectoredContinueHandler

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 19:53:14.483786106 CEST	53	50555	1.1.1.1	192.168.2.5
Sep 30, 2024 19:53:16.968255997 CEST	53	63898	1.1.1.1	192.168.2.5

Target ID:	0
Start time:	13:52:52
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\D_47267_1687617Q.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\D_47267_1687617Q.exe"
Imagebase:	0x4a0000
File size:	5'580'288 bytes
MD5 hash:	A31C36986E12203913067E4B5BD81665
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	24.6%
Total number of Nodes:	954
Total number of Limit Nodes:	75

Executed Functions

Function 004D1A20 Relevance: 13.9, Strings: 11, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

RtlGetCurrentPeb, xrefs: 004D1BEE
NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcrypto/tls: ExportKeyingMaterial is unavailable when renegotiation is enabled1157920892103562487626974469494075735300861434152903141955336313088670978539511157920892103562487626974469, xrefs: 004D1C6E
bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible , xrefs: 004D1CA5
ntdll.dll, xrefs: 004D1AC7
bcryptprimitives.dll, xrefs: 004D1A39
NtAssociateWaitCompletionPacket, xrefs: 004D1B59
ProcessPrng, xrefs: 004D1A89
NtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does nottls: either ServerName or InsecureSkipVerify must be specified in the tls.Configx509: invalid signature: parent certificate cannot sign this kind of certificatecrypto/ecdh: interna, xrefs: 004D1C7F
RtlGetVersion, xrefs: 004D1C2D
NtCreateWaitCompletionPacket, xrefs: 004D1B14
NtCancelWaitCompletionPacket, xrefs: 004D1B9E

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: NtAssociateWaitCompletionPacket$NtCancelWaitCompletionPacket$NtCreateWaitCompletionPacket$NtCreateWaitCompletionPacket exists but NtAssociateWaitCompletionPacket does nottls: either ServerName or InsecureSkipVerify must be specified in the tls.Configx509: invalid signature: parent certificate cannot sign this kind of certificatecrypto/ecdh: interna$NtCreateWaitCompletionPacket exists but NtCancelWaitCompletionPacket does notcrypto/tls: ExportKeyingMaterial is unavailable when renegotiation is enabled1157920892103562487626974469494075735300861434152903141955336313088670978539511157920892103562487626974469$ProcessPrng$RtlGetCurrentPeb$RtlGetVersion$bcryptprimitives.dll$bcryptprimitives.dll not foundpanic called with nil argumentcheckdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible $ntdll.dll
API String ID: 0-2665925792
Opcode ID: d14ec9f81416f937dcbc824ddd27e7cb71291b0541af7be1fc8804a947bf4af7
Instruction ID: 5625ae0f565310679787ec37562e25a8dfabbf16a404a31a97ea4309553a6879
Opcode Fuzzy Hash: d14ec9f81416f937dcbc824ddd27e7cb71291b0541af7be1fc8804a947bf4af7
Instruction Fuzzy Hash: 6B616535245B85D5EB11EB51F8983AA77A4F789B80F488127EA9C033B6EF7CC584C705

Function 004ACD80 Relevance: 12.9, Strings: 10, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

arena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p , xrefs: 004AD147
out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbi, xrefs: 004AD136
base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-c, xrefs: 004AD3F1
) not in usable address space: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listruntime.Pinn, xrefs: 004AD4C5
memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memory (bad use of unsafe.Pointer? try -d=checkptr)sysGrow bounds not aligned to pallocChunkBytesruntime: failed to create new , xrefs: 004AD4F2
, xrefs: 004AD40F
region exceeds uintptr range/gc/heap/frees-by-size:bytes/gc/heap/tiny/allocs:objects/sched/goroutines:goroutinesgcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: m, xrefs: 004AD3C7
out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedruntime: source value is too largeVirtualQuery for stack base failedforEachP: sched.safePo, xrefs: 004AD125
end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremo, xrefs: 004AD41F
out of memory allocating heap arena map/cpu/classes/gc/mark/assist:cpu-seconds/cpu/classes/scavenge/total:cpu-seconds/memory/classes/profiling/buckets:bytesmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResume, xrefs: 004AD158

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: $) not in usable address space: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listruntime.Pinn$arena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p $base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-c$end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremo$memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memory (bad use of unsafe.Pointer? try -d=checkptr)sysGrow bounds not aligned to pallocChunkBytesruntime: failed to create new $out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedruntime: source value is too largeVirtualQuery for stack base failedforEachP: sched.safePo$out of memory allocating heap arena map/cpu/classes/gc/mark/assist:cpu-seconds/cpu/classes/scavenge/total:cpu-seconds/memory/classes/profiling/buckets:bytesmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResume$out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbi$region exceeds uintptr range/gc/heap/frees-by-size:bytes/gc/heap/tiny/allocs:objects/sched/goroutines:goroutinesgcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: m
API String ID: 0-3600667164
Opcode ID: 0e3be30211e3d7b79e14fddc74f5ade33f8899b552719ec72cc39670c313594b
Instruction ID: 5c82ddb60de0374122cbbd0ece3c3ab698405564cd472a15178caaf25d556896
Opcode Fuzzy Hash: 0e3be30211e3d7b79e14fddc74f5ade33f8899b552719ec72cc39670c313594b
Instruction Fuzzy Hash: EA02AC72608BC482EB60CB12F4503AAB764F79AB94F448226EF9D57B99CF7CC485C705

Function 004D3260 Relevance: 12.7, Strings: 10, Instructions: 247
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocontext: internal error: missing cancel errortls: internal error: unexpected ren, xrefs: 004D3757
runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocontext: internal error: missing cancel errortls: internal error: unexpected renegotiationcannot send after transport endpoin, xrefs: 004D3697, 004D36F7
runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statetls: server selected unsupported protocol version %xtls: received a session ticket with invalid lifetimecrypto/rsa: PSSOptions.SaltLength cannot be negative, xrefs: 004D3637
VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notinvalid timer channel: no capacityexpected an RSA public, xrefs: 004D360F
0, xrefs: 004D34BA
bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timerstlsunsafeekmclose notifyremote errorc hs traffics hs tra, xrefs: 004D35AA
CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=failed to parse cert, xrefs: 004D36BF, 004D371F
runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 004D35E7
NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=unsupported signature algorithm: %vtls: too many non-advancing recordstls: server sel, xrefs: 004D365F
runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!crypto: Size of unknown hash functiontls: unsupported certificate key (%T)t, xrefs: 004D377F

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: 0$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=failed to parse cert$NtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=unsupported signature algorithm: %vtls: too many non-advancing recordstls: server sel$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inconsistent bp entersyscallblock inconsistent sp runtime: g is running but p is notinvalid timer channel: no capacityexpected an RSA public$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timerstlsunsafeekmclose notifyremote errorc hs traffics hs tra$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocontext: internal error: missing cancel errortls: internal error: unexpected ren$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!crypto: Size of unknown hash functiontls: unsupported certificate key (%T)t$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocontext: internal error: missing cancel errortls: internal error: unexpected renegotiationcannot send after transport endpoin$runtime: NtCreateWaitCompletionPacket failed; errno=casfrom_Gscanstatus: gp->status is not in scan statetls: server selected unsupported protocol version %xtls: received a session ticket with invalid lifetimecrypto/rsa: PSSOptions.SaltLength cannot be negative$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
API String ID: 0-1757931288
Opcode ID: bd391cec86971930e76634e2bee9253c1094e02d937fac941afbe07f304bcf82
Instruction ID: 0022e78e48f9db78c7af377a8d7560202e7a3d4d50f37f355d8e5fd339089648
Opcode Fuzzy Hash: bd391cec86971930e76634e2bee9253c1094e02d937fac941afbe07f304bcf82
Instruction Fuzzy Hash: 35C17E36604B8485E710EB26F49936E7764F78AB84F40822BEE9C43BA6DF3DC541C715

Function 004A2260 Relevance: 9.2, Strings: 7, Instructions: 430
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

rdtscppopcntcmd/gosecretheaderAnswerLengthSTREETavx512rdrandrdseedGlobal\BooleanLayeredRoutingfloat32float64UpgradeTrailersocks5hHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGname %q:method:schemeupgrade:statushttp://chunkedCreat, xrefs: 004A2300
avx512fos/execruntimeSHA-224SHA-256SHA-384SHA-512Ed25519MD5-RSAserial:eae_prkanswers2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsaveAdvancedAnalyzerDatatypeDebuggerEndpointFeedbackInstanceIntervalJudgmentKeyboardLockdownManeuverModelingPi, xrefs: 004A27F5
adxaesshaavxfmanetMD4MD5RSADSAURIexp): TTLSET.exeopenreadtrueHost<>idlehttp1080DATAPINGPOSTEtag0x%xdateetagfromhostlinkvarypathDategzip%xGonefilesyncpipeStat.com.bat.cmdJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT as hourquitbind3125Atoi-In, xrefs: 004A2286
sse41sse42ssse3SHA-1P-224P-256P-384P-521ECDSA (at ClassStringFormat[]bytestringactiveclosedsocks5CANCELGOAWAYPADDEDBasic CookieacceptcookieexpectoriginserverExpectstatusPragmasocks Lockedreadatrenameexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12U, xrefs: 004A24ED
pclmulqdqmath/randd.nx != 0info_hashClassINETAuthorityquestionsunderflowArtificialBackgroundBinaryTreeBreakpointCalculatorCapabilityClusteringConnectionConstraintControllerCoordinateDelegationDependencyDescriptorDictionaryDispatcherDocumentedEfficiencyEncrypti, xrefs: 004A22DF
avx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MD5+SHA1SHA3-224SHA3-256SHA3-384SHA3-512SHA1-RSADSA-SHA1DNS nameClassANYQuestion2.5.4.102.5.4.112.5.4.17avx512cdavx512eravx512pfavx512dqBjorn.iniError: %vAdvantageAdventureAggregateAlgorithmAlternateAnimationAnon, xrefs: 004A281C
ermssse3avx2bmi1bmi2timebitsNameTypeasn1cx16sse2BjornErro:<nil>falseError&"'https:***@Rangeallowrangeclose:path%s %q%s=%sHTTP/socksFoundchdirwritemkdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalntohsGreek1562578125in, xrefs: 004A22C1

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: adxaesshaavxfmanetMD4MD5RSADSAURIexp): TTLSET.exeopenreadtrueHost<>idlehttp1080DATAPINGPOSTEtag0x%xdateetagfromhostlinkvarypathDategzip%xGonefilesyncpipeStat.com.bat.cmdJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDT as hourquitbind3125Atoi-In$avx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MD5+SHA1SHA3-224SHA3-256SHA3-384SHA3-512SHA1-RSADSA-SHA1DNS nameClassANYQuestion2.5.4.102.5.4.112.5.4.17avx512cdavx512eravx512pfavx512dqBjorn.iniError: %vAdvantageAdventureAggregateAlgorithmAlternateAnimationAnon$avx512fos/execruntimeSHA-224SHA-256SHA-384SHA-512Ed25519MD5-RSAserial:eae_prkanswers2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsaveAdvancedAnalyzerDatatypeDebuggerEndpointFeedbackInstanceIntervalJudgmentKeyboardLockdownManeuverModelingPi$ermssse3avx2bmi1bmi2timebitsNameTypeasn1cx16sse2BjornErro:<nil>falseError&"'https:***@Rangeallowrangeclose:path%s %q%s=%sHTTP/socksFoundchdirwritemkdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthLocalntohsGreek1562578125in$pclmulqdqmath/randd.nx != 0info_hashClassINETAuthorityquestionsunderflowArtificialBackgroundBinaryTreeBreakpointCalculatorCapabilityClusteringConnectionConstraintControllerCoordinateDelegationDependencyDescriptorDictionaryDispatcherDocumentedEfficiencyEncrypti$rdtscppopcntcmd/gosecretheaderAnswerLengthSTREETavx512rdrandrdseedGlobal\BooleanLayeredRoutingfloat32float64UpgradeTrailersocks5hHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGname %q:method:schemeupgrade:statushttp://chunkedCreat$sse41sse42ssse3SHA-1P-224P-256P-384P-521ECDSA (at ClassStringFormat[]bytestringactiveclosedsocks5CANCELGOAWAYPADDEDBasic CookieacceptcookieexpectoriginserverExpectstatusPragmasocks Lockedreadatrenameexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12U
API String ID: 0-21248499
Opcode ID: 8aad8ce82a85c2454ab9fe099d0c4cdcd238b7e351cddb8e88c796dd1f5e5e0e
Instruction ID: 34f32495012277d2e0960486f3d59fc18fd6c8203f2f82227fc1b8f976f29640
Opcode Fuzzy Hash: 8aad8ce82a85c2454ab9fe099d0c4cdcd238b7e351cddb8e88c796dd1f5e5e0e
Instruction Fuzzy Hash: 9932AC7A604B48C5E700DF6AF445B893BA4F36AB80F559227DA8D87362DF7DC0A9C341

Function 0050598C Relevance: 8.1, Strings: 6, Instructions: 586COMMON

Download Yara Rule

Strings

!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 00505CF3
mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 005062C6
malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo, xrefs: 005062E8
mallocgc called with gcphase == _GCmarkterminationruntime.Pinner: object was allocated into an arenaruntime.Pinner: decreased non-existing pin counterrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCal, xrefs: 005062F9
malloc during signalclose of nil channelinconsistent lockedmnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=, xrefs: 005062D7
VE, xrefs: 00506305

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = requested skip=bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]mo$malloc during signalclose of nil channelinconsistent lockedmnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=$mallocgc called with gcphase == _GCmarkterminationruntime.Pinner: object was allocated into an arenaruntime.Pinner: decreased non-existing pin counterrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCal$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $VE
API String ID: 0-780336222
Opcode ID: fdf15fa4ec168f304c831e202a25bda75bd3cad0d82d0d7222aa26bbe3a18604
Instruction ID: 866bc7a715d0b45d7464d5254648861d6890e49b7bff72d7ce3589c3ec62c1b5
Opcode Fuzzy Hash: fdf15fa4ec168f304c831e202a25bda75bd3cad0d82d0d7222aa26bbe3a18604
Instruction Fuzzy Hash: 1E320376308B8086DB20CB15E0447AFBF65F786B94F489626EF9903BD5DB38C895CB00

Function 004DEFA0 Relevance: 7.2, Strings: 5, Instructions: 942COMMON

Download Yara Rule

Strings

findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionkey is not comparabledecompression failureunsupported extensionX25519Ky, xrefs: 004DFF0A
global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2oversized record received with length %dtls: received empty certificates messagemalformed MIME heade, xrefs: 004DFEC6
findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r, xrefs: 004DFEF9
findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=unsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKtls: invalid Ky, xrefs: 004DFED7
findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina, xrefs: 004DFEE8

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for [origina$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=unsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKtls: invalid Ky$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionkey is not comparabledecompression failureunsupported extensionX25519Ky$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2oversized record received with length %dtls: received empty certificates messagemalformed MIME heade
API String ID: 0-2218324874
Opcode ID: c48492623a6c469abeac13ecebaa7da221e9c4cb667babfea0d9f82d79add055
Instruction ID: 99127ba33b0f5f1964e836125f83677992905666b94bfdb3edfeba6080c67d1e
Opcode Fuzzy Hash: c48492623a6c469abeac13ecebaa7da221e9c4cb667babfea0d9f82d79add055
Instruction Fuzzy Hash: 93928F32209BC485DB319B52E4903EBA361F78AB94F48413BCA8D57B55DF3DD889C744

Function 004D1620 Relevance: 5.1, Strings: 4, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

runtime: NtAssociateWaitCompletionPacket failed; errno= b4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34x509: subject key identifier incorre, xrefs: 004D17C6
runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)tls: internal error: unsupported key (%T)invalid value length: expected %d, got %dnet/url: invalid control character in URLidna: internal error in punycode encodingx509: cannot p, xrefs: 004D1829
runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrtls: received unexpected handshake message of type %Ttls: unexpected server_name extension in server , xrefs: 004D186F
runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallunsuppo, xrefs: 004D17EF, 004D184F, 004D1899

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: runtime: NtAssociateWaitCompletionPacket failed; errno= b4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34x509: subject key identifier incorre$runtime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrtls: received unexpected handshake message of type %Ttls: unexpected server_name extension in server $runtime: SetWaitableTimer failed; errno= stopTheWorld: not stopped (stopwait != 0)tls: internal error: unsupported key (%T)invalid value length: expected %d, got %dnet/url: invalid control character in URLidna: internal error in punycode encodingx509: cannot p$runtime: netpoll failedpanic during preemptoffnanotime returning zerofatal: morestack on g0the current g is not g0schedule: holding locksprocresize: invalid argspan has no free stacksstack growth after forkshrinkstack at bad timereflect.methodValueCallunsuppo
API String ID: 0-1393143707
Opcode ID: 2b01323e87d3f0d86477cb55004685455478adc560c03f9eac03ed2f638d6d61
Instruction ID: 9516022e667e312e37059f80f0a5cf0fafa0cc38cbf00445884b193d8d183ea7
Opcode Fuzzy Hash: 2b01323e87d3f0d86477cb55004685455478adc560c03f9eac03ed2f638d6d61
Instruction Fuzzy Hash: 97513E36608B8485D600DB66F49536EB764F78AB94F54822BFE9C43BAACF3CD441CB14

Function 004D4100 Relevance: 4.0, Strings: 3, Instructions: 273COMMON

Download Yara Rule

Strings

runtime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=failed to parse certificate #%d in the chain: %wtls: no supported sy, xrefs: 004D4567
runtime.preemptM: duplicatehandle failedstopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2oversized record rec, xrefs: 004D458F
self-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timerstlsunsafeekmclose notifyremote errorc hs traffics hs trafficc ap tra, xrefs: 004D45A5

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: runtime.preemptM: duplicatehandle failed; errno=runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=failed to parse certificate #%d in the chain: %wtls: no supported sy$runtime.preemptM: duplicatehandle failedstopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2oversized record rec$self-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchwrong timerstlsunsafeekmclose notifyremote errorc hs traffics hs trafficc ap tra
API String ID: 0-4156812386
Opcode ID: bbb23f11ec5ba50f6d6531d8aa5a33ad43e03a8ebca891cb1f6c7597f587c8d4
Instruction ID: 559ff70a6be370a3bf3e65247ad321931aae0442a73103d3c9d2c274cdabc436
Opcode Fuzzy Hash: bbb23f11ec5ba50f6d6531d8aa5a33ad43e03a8ebca891cb1f6c7597f587c8d4
Instruction Fuzzy Hash: 27C14A36605B8086DA50DB25F89136F7760F78ABA4F1892379EAC93795DF3DC482CB04

Function 004D1CE0 Relevance: 3.8, Strings: 3, Instructions: 65COMMON

Download Yara Rule

Strings

PowerRegisterSuspendResumeNotification, xrefs: 004D1D49
@2P, xrefs: 004D1D7A
powrprof.dll, xrefs: 004D1CF9

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: @2P$PowerRegisterSuspendResumeNotification$powrprof.dll
API String ID: 0-4236600172
Opcode ID: b6923e269ffbd89576febc9603ee5a5ed6fbe6bad6538e105b42f951c6fac229
Instruction ID: 52e951b3f63b4051b6ef2790d71ad7e1078c9f8b9930dd149208cf681300ed1a
Opcode Fuzzy Hash: b6923e269ffbd89576febc9603ee5a5ed6fbe6bad6538e105b42f951c6fac229
Instruction Fuzzy Hash: 2C215536208B84C2DA00CB11F48535ABBA5F38ABC0F488116EE8C47B69DF7DD196CB40

Function 004C6760 Relevance: 2.9, Strings: 2, Instructions: 358COMMON

Download Yara Rule

Strings

@IP, xrefs: 004C6AF3
grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime.Pinner: argument is not a pointer: runtime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=ru, xrefs: 004C6D34

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: @IP$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime.Pinner: argument is not a pointer: runtime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=ru
API String ID: 0-3030388268
Opcode ID: c0e3a0be1c11d8b46b3095c4fa8e4cd62af39be93277936c475e0c0cff387c65
Instruction ID: 0fb67e18dfce37909f17762264c475df4894d16b72bf7d23250b8c1e228b55c0
Opcode Fuzzy Hash: c0e3a0be1c11d8b46b3095c4fa8e4cd62af39be93277936c475e0c0cff387c65
Instruction Fuzzy Hash: 0CE18F76309B8485DBA0CB16E480B9BBB61F786BD0F05912AEE8D43B69CF3CC455CB05

Function 004B3840 Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 004B39E4

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
API String ID: 0-1712010102
Opcode ID: ae2b4a60cd4b71864d7c834a084b747d49501bdee52085a22955735d566d6ddc
Instruction ID: 7f3bb0eeaedbfddc5f791b8ad99b80b3e6b84d89cecd0a97ca0f763cdaab8d9d
Opcode Fuzzy Hash: ae2b4a60cd4b71864d7c834a084b747d49501bdee52085a22955735d566d6ddc
Instruction Fuzzy Hash: E0B1CE72209A4186DF04DF26E4807AEB7A5F785B55F04452BEB8D03BAADF3CC945CB24

Function 004C5940 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

VL, xrefs: 004C5965

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: VL
API String ID: 0-2008703989
Opcode ID: 0285487a77ca8c429cb664d950a9f0151db0b7f51b401498925fabb90dc4b4b2
Instruction ID: f1face80dcf8a8936bd0e32852492341a2f71fd161cf62b973af693c478c67e5
Opcode Fuzzy Hash: 0285487a77ca8c429cb664d950a9f0151db0b7f51b401498925fabb90dc4b4b2
Instruction Fuzzy Hash: 4441C07A708B8591DB48DB2AE4913EA2761F385BC4F80913BEE4E47328DE3DD14AC340

Function 004E5820 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 279e71ce0faac639cd8fe2747d52f7bf2355e1466fec3e9460aad3adac2e8596
Instruction ID: 7849d8d88b4e4e5d6ec1890e4282c4bbf78e36c612a9a6d29cc92a43a2efc695
Opcode Fuzzy Hash: 279e71ce0faac639cd8fe2747d52f7bf2355e1466fec3e9460aad3adac2e8596
Instruction Fuzzy Hash: 78C18D72309B81C6DB00DF66F49036AB761F78A789F54512BEA8E8776ADB7CC441CB04

Function 004DE620 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7a7e4e31a2d7b4741eaa636167f3a86c1949593231c24b7d210d352c23697a
Instruction ID: 70f00ae98ec0a28ab654cc79d9075fc6dd24321ec451b2e50776c7e580f3fe3f
Opcode Fuzzy Hash: 5f7a7e4e31a2d7b4741eaa636167f3a86c1949593231c24b7d210d352c23697a
Instruction Fuzzy Hash: 3F912575B41601CADB10BF16E8A036A7761F796B88F88917BD90C0B326DF3DD886C744

Function 004D2320 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f217fb4e283cce5eec28e2320e7e1bd2ea3dd5fe5d6d15291f6e332b4f2ee163
Instruction ID: ab4d678b421df4d3483e4e88d5160f91b7b00f23e013916338777e0d46452ce5
Opcode Fuzzy Hash: f217fb4e283cce5eec28e2320e7e1bd2ea3dd5fe5d6d15291f6e332b4f2ee163
Instruction Fuzzy Hash: 0A213B32604B80C6D700EF62F95636A77A0F75AB94F449327E9AC423A6DF3CC081CB05

Function 00514180 Relevance: 1.6, APIs: 1, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexExW.KERNELBASE ref: 00514227

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 2525a88f381b6b1ecfbfb687c266decb66c4fc36e0a9b82aa819b4781aa7c3de
Instruction ID: ff9a7e31bb1c350d50ff0a1de2fdd5807b91f5766e6d777a61a199e3c1272586
Opcode Fuzzy Hash: 2525a88f381b6b1ecfbfb687c266decb66c4fc36e0a9b82aa819b4781aa7c3de
Instruction Fuzzy Hash: F3118C36640A8081EB259B1AE45136C6370F749BE4F244226DFAE53BA0CB39E5D3CA00

Non-executed Functions

Function 004B8380 Relevance: 17.0, Strings: 13, Instructions: 716COMMON

Download Yara Rule

Strings

failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 004B9189
MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=, xrefs: 004B8F45
@6P, xrefs: 004B8973
MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 004B8F85
gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 004B919A
`7P, xrefs: 004B90DF
., xrefs: 004B8A7D
gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:tls: Earlyparsefilesimap2imap3imapspop3shostsutf-8%s*%dtext/bad nsse41sse42ssse3SHA-1P-224P-256P-384P-521ECDSA (at ClassStringFormat[]bytestringactiveclosedsocks5CANCELGOAWAYPADDED, xrefs: 004B8452
ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE, xrefs: 004B8C8D
non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrtls: received unexpected handshake message of ty, xrefs: 004B9178
, xrefs: 004B896B
ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=, xrefs: 004B8EC5
gc %: gp *(in n= ) - P MPC= < end > ]:pc= Gkey///%25Viacgodnsudpftpssh::1set204206304400500..\\\.\\?\??adxaesshaavxfmanetMD4MD5RSADSAURIexp): TTLSET.exeopenreadtrueHost<>idlehttp1080DATAPINGPOSTEtag0x%xdateetagfromhostlinkvarypathDategz, xrefs: 004B8AFA

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: $ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=$ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=$.$@6P$`7P$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - P MPC= < end > ]:pc= Gkey///%25Viacgodnsudpftpssh::1set204206304400500..\\\.\\?\??adxaesshaavxfmanetMD4MD5RSADSAURIexp): TTLSET.exeopenreadtrueHost<>idlehttp1080DATAPINGPOSTEtag0x%xdateetagfromhostlinkvarypathDategz$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:tls: Earlyparsefilesimap2imap3imapspop3shostsutf-8%s*%dtext/bad nsse41sse42ssse3SHA-1P-224P-256P-384P-521ECDSA (at ClassStringFormat[]bytestringactiveclosedsocks5CANCELGOAWAYPADDED$non-concurrent sweep failed to drain all sweep queuesruntime: NtCancelWaitCompletionPacket failed; errno= exited a goroutine internally locked to the OS threadcompileCallback: argument size is larger than uintptrtls: received unexpected handshake message of ty
API String ID: 0-973671051
Opcode ID: b5806f9b4e9994a24c0af5cc8925a3a12b09e6055781f034ae3b85ff486518c9
Instruction ID: 5ae836f392b7203daa1faa19439acd61957ac72a20e011d5382ebdfa9074e1d1
Opcode Fuzzy Hash: b5806f9b4e9994a24c0af5cc8925a3a12b09e6055781f034ae3b85ff486518c9
Instruction Fuzzy Hash: 24727D32609BC585EB21DB26F8953EA7768F78AB84F44812BDA8C43766DF3CC481C715

Function 004B6960 Relevance: 15.4, Strings: 12, Instructions: 359COMMON

Download Yara Rule

Strings

, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 004B6E90
runtime.SetFinalizer: pointer not at beginning of allocated blocktls: internal error: attempted to read record with QUIC transporttls: server selected an invalid version after a HelloRetryRequestx509: inner and outer signature algorithm identifiers don't match, xrefs: 004B6EB0
runtime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpanLocked - invalid span stateattempted to add zero-sized address rangeruntime: block, xrefs: 004B6E9F
runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultattempted to trace stack of a goroutine this thread does not ownABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCD, xrefs: 004B6F45
runtime.SetFinalizer: first argument is nilruntime.SetFinalizer: finalizer already setgcBgMarkWorker: unexpected gcMarkWorkerModenon in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryru, xrefs: 004B6F97
runtime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedruntime: source value is too largeVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inco, xrefs: 004B6DAC, 004B6E03, 004B6E6B
runtime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memory: cannot allocate runtime.preemptM: duplicatehandle failedstopTheWorld: broken, xrefs: 004B6F86
nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated RtlGetVersion, xrefs: 004B6F56
runtime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= runtime: NtCreateWaitCompletionPacket failed; errno=, xrefs: 004B6F34
ZkK, xrefs: 004B6B50
, not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failed, xrefs: 004B6F77
because dotdotdotruntime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime., xrefs: 004B6E30

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: because dotdotdotruntime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.$, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$, not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failed$ZkK$nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated RtlGetVersion$runtime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedruntime: source value is too largeVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workentersyscallblock inco$runtime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memory: cannot allocate runtime.preemptM: duplicatehandle failedstopTheWorld: broken$runtime.SetFinalizer: first argument is nilruntime.SetFinalizer: finalizer already setgcBgMarkWorker: unexpected gcMarkWorkerModenon in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryru$runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultattempted to trace stack of a goroutine this thread does not ownABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCD$runtime.SetFinalizer: pointer not at beginning of allocated blocktls: internal error: attempted to read record with QUIC transporttls: server selected an invalid version after a HelloRetryRequestx509: inner and outer signature algorithm identifiers don't match$runtime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= runtime: NtCreateWaitCompletionPacket failed; errno=$runtime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpanLocked - invalid span stateattempted to add zero-sized address rangeruntime: block
API String ID: 0-2982936295
Opcode ID: 5009f22eb0dec23a29e45bc7739795f5afe97b818addba64ab7740e842c1a2dc
Instruction ID: eed188602d58721b7c4c39ae2b80a5afd9e133681eee502df72fcc4b31a3ff49
Opcode Fuzzy Hash: 5009f22eb0dec23a29e45bc7739795f5afe97b818addba64ab7740e842c1a2dc
Instruction Fuzzy Hash: 97E19C32609B8485EB209B11E4803EEBBA5F785B80F4A8537DB8C57B99DF3CD495C724

Function 004C9C00 Relevance: 14.3, Strings: 11, Instructions: 543COMMON

Download Yara Rule

Strings

, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base X25519%w%.0wAcceptServernetdnsdomaingophertelnetreturn.local.onionip+netCONIN$rdtscppopcntcmd/gosecretheaderAnswerLengthSTREETavx512rdrandrdseedGlobal\BooleanLayeredRoutingfloa, xrefs: 004CA485
runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 004C9EED, 004CA332
, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 004CA505
, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type nil keytls3desderivedInitialExpiresSubjectwindowswsarecvwsasendlookup writetocharsetCONOUT$\\.\UNCavx512fos/execruntimeSHA-224SHA-256SHA-384SHA-512E, xrefs: 004CA41A
] = (usageinit ms, fault tab= top=[...], fp:tls: Earlyparsefilesimap2imap3imapspop3shostsutf-8%s*%dtext/bad nsse41sse42ssse3SHA-1P-224P-256P-384P-521ECDSA (at ClassStringFormat[]bytestringactiveclosedsocks5CANCELGOAWAYPADDEDBasic Cookieacceptcookieexpectorigi, xrefs: 004C9F26
bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 004C9FCF, 004CA72C
] = pc=: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=Fromicmpigmpftpspop3smtpdial unixxn--ermssse3avx2bmi1bmi2timebitsNameTypeasn1cx16sse2BjornErro:<nil>falseError&"'https:***@Rangeallowrangeclose:path%s %q%s=%sHTTP/socksFound, xrefs: 004CA374
runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupcontext., xrefs: 004C9FA5
runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockerror decrypting messagecertificate unobtainabletls: server rejected, xrefs: 004CA465
, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by .WithCancel.WithValue(tls10servertls: al, xrefs: 004CA3FC
runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 004CA4E5

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: , i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= bad ts(...) m=nil base X25519%w%.0wAcceptServernetdnsdomaingophertelnetreturn.local.onionip+netCONIN$rdtscppopcntcmd/gosecretheaderAnswerLengthSTREETavx512rdrandrdseedGlobal\BooleanLayeredRoutingfloa$, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type nil keytls3desderivedInitialExpiresSubjectwindowswsarecvwsasendlookup writetocharsetCONOUT$\\.\UNCavx512fos/execruntimeSHA-224SHA-256SHA-384SHA-512E$, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by .WithCancel.WithValue(tls10servertls: al$] = pc=: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=Fromicmpigmpftpspop3smtpdial unixxn--ermssse3avx2bmi1bmi2timebitsNameTypeasn1cx16sse2BjornErro:<nil>falseError&"'https:***@Rangeallowrangeclose:path%s %q%s=%sHTTP/socksFound$] = (usageinit ms, fault tab= top=[...], fp:tls: Earlyparsefilesimap2imap3imapspop3shostsutf-8%s*%dtext/bad nsse41sse42ssse3SHA-1P-224P-256P-384P-521ECDSA (at ClassStringFormat[]bytestringactiveclosedsocks5CANCELGOAWAYPADDEDBasic Cookieacceptcookieexpectorigi$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket$runtime: npages = invalid skip valueruntime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupcontext.$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockerror decrypting messagecertificate unobtainabletls: server rejected$runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-1267405085
Opcode ID: 51472d7f3d3df06c9a69e67d1da9d023492f22ec393334fa902a94a7c7fc8c49
Instruction ID: b23eb45eab3907f2cc24245a72fc870d5fafbf190126bd737e057f0217c2f31e
Opcode Fuzzy Hash: 51472d7f3d3df06c9a69e67d1da9d023492f22ec393334fa902a94a7c7fc8c49
Instruction Fuzzy Hash: 9932DE7A714BC981EB609B12E8507EAA325F789BC4F40412BDE8D07B5ACF3CC855C705

Function 004F0580 Relevance: 12.9, Strings: 10, Instructions: 364COMMON

Download Yara Rule

Strings

and defersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleep cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:tls: Earlyparsefilesimap2imap3imapspop3shostsutf-8%s*%dtext/bad nsse41sse42ssse3SHA-1P-224P-256, xrefs: 004F08EF, 004F0A7A
missing stackmapbad symbol tablenon-Go function not in ranges:context canceledno renegotiationSignatureScheme(Content-LanguagehostLookupOrder=/etc/resolv.confnon-IPv4 addressnon-IPv6 addressunknown network no colon on lineinvalid encodingGetCurrentThreadRtlV, xrefs: 004F0A19, 004F0B99
runtime: pcdata is bad ABI descriptionrevoked certificateexpired certificateunknown certificateunknown cipher typeinvalid URL escape missing ']' in hostmultipartmaxheaderscriterion too shortmime: no media typeevictCount overflowbad file descriptordisk quota ex, xrefs: 004F08D3, 004F0A5F
bad symbol tablenon-Go function not in ranges:context canceledno renegotiationSignatureScheme(Content-LanguagehostLookupOrder=/etc/resolv.confnon-IPv4 addressnon-IPv6 addressunknown network no colon on lineinvalid encodingGetCurrentThreadRtlVirtualUnwindinva, xrefs: 004F096A, 004F0AEA
untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=.WithoutCancel.WithDeadline(bad record MACAccept-CharsetDkim-Signatureunknown mode: need more dataREQUEST_METHODfile too largelevel 2 haltedlevel 3 haltedtoo many linksno such , xrefs: 004F09D7
untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:context canceledno renegotiationSignatureScheme(Content-LanguagehostLookupOrder=/etc/resolv.confnon-IPv4 addressnon-IPv6 addressunknown network no colon on lineinvalid encodingGetC, xrefs: 004F0B4C
args stack map entries for invalid runtime symbol tableruntime: no module data for [originating from goroutine traceRegion: alloc too largetls: malformed ECHConfigListEd25519 verification failuremalformed MIME header line: cannot unmarshal DNS messageinvalid , xrefs: 004F090F
(targetpc= , plugin: runtime: g : frame.sp=created by .WithCancel.WithValue(tls10servertls: alert(local errorc e traffictraffic updIn-Reply-ToReturn-Pathsubmissionsi/o timeoutHTTPS_PROXYhttps_proxyProcessPrngNetShareAddNetShareDelbad messagefile existsbad add, xrefs: 004F0937, 004F0AB8
locals stack map entries for abi mismatch detected between runtime: impossible type kind unsafe.Slice: len out of rangeprotocol version not supportedmissing validateFirstLine funcmime: duplicate parameter namesocket operation on non-socketinappropriate ioctl , xrefs: 004F0A95
runtime: frame ts set in timertraceback stuckx509keypairleafrecord overflowbad certificatePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512ClientAuthType(unknown versionAccept-LanguageX-Forwarded-Formissing address/etc/mdns.allowunknown network()<>@,;:\"/[]?=adver, xrefs: 004F09B4, 004F0B29

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: (targetpc= , plugin: runtime: g : frame.sp=created by .WithCancel.WithValue(tls10servertls: alert(local errorc e traffictraffic updIn-Reply-ToReturn-Pathsubmissionsi/o timeoutHTTPS_PROXYhttps_proxyProcessPrngNetShareAddNetShareDelbad messagefile existsbad add$ and defersweeptestRtestWexecWhchanexecRschedsudogtimergscanmheaptracepanicsleep cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:tls: Earlyparsefilesimap2imap3imapspop3shostsutf-8%s*%dtext/bad nsse41sse42ssse3SHA-1P-224P-256$ args stack map entries for invalid runtime symbol tableruntime: no module data for [originating from goroutine traceRegion: alloc too largetls: malformed ECHConfigListEd25519 verification failuremalformed MIME header line: cannot unmarshal DNS messageinvalid $ locals stack map entries for abi mismatch detected between runtime: impossible type kind unsafe.Slice: len out of rangeprotocol version not supportedmissing validateFirstLine funcmime: duplicate parameter namesocket operation on non-socketinappropriate ioctl $ untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=.WithoutCancel.WithDeadline(bad record MACAccept-CharsetDkim-Signatureunknown mode: need more dataREQUEST_METHODfile too largelevel 2 haltedlevel 3 haltedtoo many linksno such $ untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:context canceledno renegotiationSignatureScheme(Content-LanguagehostLookupOrder=/etc/resolv.confnon-IPv4 addressnon-IPv6 addressunknown network no colon on lineinvalid encodingGetC$bad symbol tablenon-Go function not in ranges:context canceledno renegotiationSignatureScheme(Content-LanguagehostLookupOrder=/etc/resolv.confnon-IPv4 addressnon-IPv6 addressunknown network no colon on lineinvalid encodingGetCurrentThreadRtlVirtualUnwindinva$missing stackmapbad symbol tablenon-Go function not in ranges:context canceledno renegotiationSignatureScheme(Content-LanguagehostLookupOrder=/etc/resolv.confnon-IPv4 addressnon-IPv6 addressunknown network no colon on lineinvalid encodingGetCurrentThreadRtlV$runtime: frame ts set in timertraceback stuckx509keypairleafrecord overflowbad certificatePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512ClientAuthType(unknown versionAccept-LanguageX-Forwarded-Formissing address/etc/mdns.allowunknown network()<>@,;:\"/[]?=adver$runtime: pcdata is bad ABI descriptionrevoked certificateexpired certificateunknown certificateunknown cipher typeinvalid URL escape missing ']' in hostmultipartmaxheaderscriterion too shortmime: no media typeevictCount overflowbad file descriptordisk quota ex
API String ID: 0-1331516954
Opcode ID: 0e86ae5192ea07c8eb8d3e850914533c54211671846e635f39f187d4b9c3397e
Instruction ID: ee48c65dfdb48b38df26ae6561e23e993341c18653ef5a0b9e166567c2596623
Opcode Fuzzy Hash: 0e86ae5192ea07c8eb8d3e850914533c54211671846e635f39f187d4b9c3397e
Instruction Fuzzy Hash: 41E1A336608B8985EB20EB26E49036EB365F788B84F54412BEF8D47766DF7CC944CB04

Function 004C3630 Relevance: 10.4, Strings: 8, Instructions: 375COMMON

Download Yara Rule

Strings

sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto, xrefs: 004C3B1E
sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine res binderres masterresumption, xrefs: 004C3B75
nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes tlskyberCurveID(finishedexporterReceivednetedns0[::1]:53continue_gatewayinvalid address readfromwsaioctlunixgramif-rangeNO_PROXYno_proxyno anodeavx512bwavx5, xrefs: 004C3C08
previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime:, xrefs: 004C3C25
sweep increased allocation countremovespecial on invalid pointergetWeakHandle on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket, xrefs: 004C3C6F
swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 004C3B2F
mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 004C3BB8
mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 004C3B90

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes tlskyberCurveID(finishedexporterReceivednetedns0[::1]:53continue_gatewayinvalid address readfromwsaioctlunixgramif-rangeNO_PROXYno_proxyno anodeavx512bwavx5$ previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime:$ sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine res binderres masterresumption$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$sweep increased allocation countremovespecial on invalid pointergetWeakHandle on invalid pointerruntime: root level max pages = NtAssociateWaitCompletionPacket$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executiontraceSto$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-171345729
Opcode ID: f910813209429a19f44956c5a126f7a649c12e5a76eb5f4d603335f469ef5ebe
Instruction ID: 2f9ad473a9ec8c7ee616a52e762488fbc706077941274aba3a31bf17380483b7
Opcode Fuzzy Hash: f910813209429a19f44956c5a126f7a649c12e5a76eb5f4d603335f469ef5ebe
Instruction Fuzzy Hash: E2F1EF77208B8182DB50DF25E4903AE7761F78AB84F84812BEA8D43769DF3CC996C754

Function 004D7BE0 Relevance: 7.8, Strings: 6, Instructions: 301COMMON

Download Yara Rule

Strings

runtime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupcontext.Backgroundunexpected messageexport restrictioninvalid character server m, xrefs: 004D8005
, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp, xrefs: 004D8045
invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:context canceledno renegotiationSignatureScheme(Content-LanguagehostLookupOrder=/etc/resolv.confnon-, xrefs: 004D80F9
, goid= s=nil (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type nil keytls3desderivedInitialExpiresSubjectwindowswsarecvwsasendlookup writetocharsetCONOUT$\\.\UNCa, xrefs: 004D8025, 004D80AF
JP, xrefs: 004D7F5B
suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent droptls: unsupported certificate curve (%s)tls: internal error: wrong, xrefs: 004D810A

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: , goid= s=nil (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type nil keytls3desderivedInitialExpiresSubjectwindowswsarecvwsasendlookup writetocharsetCONOUT$\\.\UNCa$, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:context canceledno renegotiationSignatureScheme(Content-LanguagehostLookupOrder=/etc/resolv.confnon-$runtime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupcontext.Backgroundunexpected messageexport restrictioninvalid character server m$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function traceRegion: alloc with concurrent droptls: unsupported certificate curve (%s)tls: internal error: wrong$JP
API String ID: 0-178645164
Opcode ID: 8ea98e8fad8518d996c762b701742b963005bc78c5531d52c48de25392c58038
Instruction ID: fa756ae87a75b7292614339f4898bfcaf828eedf6ec2018b6beae8c435b19599
Opcode Fuzzy Hash: 8ea98e8fad8518d996c762b701742b963005bc78c5531d52c48de25392c58038
Instruction Fuzzy Hash: FCD17D36608B8086D710DB26E06176ABB61F78ABD0F14916BEE8D03B69DB3CC841CB05

Function 004F9480 Relevance: 6.7, Strings: 5, Instructions: 449COMMON

Download Yara Rule

Strings

fp= gp= mp=) m=Fromicmpigmpftpspop3smtpdial unixxn--ermssse3avx2bmi1bmi2timebitsNameTypeasn1cx16sse2BjornErro:<nil>falseError&"'https:***@Rangeallowrangeclose:path%s %q%s=%sHTTP/socksFoundchdirwritemkdirLstatMarchApril+0530+0430+0545+0630+0330+, xrefs: 004F9AB2
...0,h1NUL:\/SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDlt125625NaNintmapptr, xrefs: 004F98F7
sp= sp: lr: fp= gp= mp=) m=Fromicmpigmpftpspop3smtpdial unixxn--ermssse3avx2bmi1bmi2timebitsNameTypeasn1cx16sse2BjornErro:<nil>falseError&"'https:***@Rangeallowrangeclose:path%s %q%s=%sHTTP/socksFoundchdirwritemkdirLstatMarchApril+0530+0430+054, xrefs: 004F9AD2
pc=: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=Fromicmpigmpftpspop3smtpdial unixxn--ermssse3avx2bmi1bmi2timebitsNameTypeasn1cx16sse2BjornErro:<nil>falseError&"'https:***@Rangeallowrangeclose:path%s %q%s=%sHTTP/socksFoundchdi, xrefs: 004F9AF2
non-Go function at pc=error decoding messageinappropriate fallbackECDSAWithP256AndSHA256ECDSAWithP384AndSHA384ECDSAWithP521AndSHA512.localhost.localdomainmissing ']' in addressinvalid address familyoperation was canceledgzip: invalid checksumhpack: string too , xrefs: 004F9C1B

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: fp= gp= mp=) m=Fromicmpigmpftpspop3smtpdial unixxn--ermssse3avx2bmi1bmi2timebitsNameTypeasn1cx16sse2BjornErro:<nil>falseError&"'https:***@Rangeallowrangeclose:path%s %q%s=%sHTTP/socksFoundchdirwritemkdirLstatMarchApril+0530+0430+0545+0630+0330+$ pc=: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=Fromicmpigmpftpspop3smtpdial unixxn--ermssse3avx2bmi1bmi2timebitsNameTypeasn1cx16sse2BjornErro:<nil>falseError&"'https:***@Rangeallowrangeclose:path%s %q%s=%sHTTP/socksFoundchdi$ sp= sp: lr: fp= gp= mp=) m=Fromicmpigmpftpspop3smtpdial unixxn--ermssse3avx2bmi1bmi2timebitsNameTypeasn1cx16sse2BjornErro:<nil>falseError&"'https:***@Rangeallowrangeclose:path%s %q%s=%sHTTP/socksFoundchdirwritemkdirLstatMarchApril+0530+0430+054$...0,h1NUL:\/SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDlt125625NaNintmapptr$non-Go function at pc=error decoding messageinappropriate fallbackECDSAWithP256AndSHA256ECDSAWithP384AndSHA384ECDSAWithP521AndSHA512.localhost.localdomainmissing ']' in addressinvalid address familyoperation was canceledgzip: invalid checksumhpack: string too
API String ID: 0-1084136232
Opcode ID: 6ebea664f7ef505be44b84a1a3ad0100ca32ff607a4c2ffbf4933beddfb6e13f
Instruction ID: 4c36211be710d76a8080f22b06969625e7021ab83c5fd426308f34a199179465
Opcode Fuzzy Hash: 6ebea664f7ef505be44b84a1a3ad0100ca32ff607a4c2ffbf4933beddfb6e13f
Instruction Fuzzy Hash: B1123532219BC885DB609B26E4943AFB7A4F789B84F44511AEF8D43B69CF3DC845CB04

Function 004B76C0 Relevance: 6.6, Strings: 5, Instructions: 351COMMON

Download Yara Rule

Strings

!= sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase, xrefs: 004B7C85
runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32, xrefs: 004B7C4C
flushGen MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= , xrefs: 004B7C67
p mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeupsemaRoot rotateRight, xrefs: 004B7CAA
8P, xrefs: 004B7A1C

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase$ 8P$ flushGen MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= $p mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeupsemaRoot rotateRight$runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32
API String ID: 0-4176609771
Opcode ID: 897ae49ce3a99e86bd1ba1eddaf4ea1f8f1d05f6eb5648d7d91fc0c0d7b6d805
Instruction ID: fc739e1e69f1f5a141d612686087277f54ebbcbce467b1c07397c8118fe8eb7d
Opcode Fuzzy Hash: 897ae49ce3a99e86bd1ba1eddaf4ea1f8f1d05f6eb5648d7d91fc0c0d7b6d805
Instruction Fuzzy Hash: 1DF1D332209B808AEB10DF25F4843AE7765F786794F44822BDA9D437A6DF3CC491CB55

Function 004BDFC0 Relevance: 6.4, Strings: 5, Instructions: 177COMMON

Download Yara Rule

Strings

base of ) = <==GOGC] = pc=: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=Fromicmpigmpftpspop3smtpdial unixxn--ermssse3avx2bmi1bmi2timebitsNameTypeasn1cx16sse2BjornErro:<nil>falseError&"'https:***@Rangeallowrangeclose:path%s %q, xrefs: 004BE1FB
greyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlineNtCreateWaitCom, xrefs: 004BE24F
marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp.parampanic during , xrefs: 004BE23E
runtime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket, xrefs: 004BE187
objgc %: gp *(in n= ) - P MPC= < end > ]:pc= Gkey///%25Viacgodnsudpftpssh::1set204206304400500..\\\.\\?\??adxaesshaavxfmanetMD4MD5RSADSAURIexp): TTLSET.exeopenreadtrueHost<>idlehttp1080DATAPINGPOSTEtag0x%xdateetagfromhostlinkvarypathDat, xrefs: 004BE216

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: base of ) = <==GOGC] = pc=: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=Fromicmpigmpftpspop3smtpdial unixxn--ermssse3avx2bmi1bmi2timebitsNameTypeasn1cx16sse2BjornErro:<nil>falseError&"'https:***@Rangeallowrangeclose:path%s %q$greyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlineNtCreateWaitCom$marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp.parampanic during $objgc %: gp *(in n= ) - P MPC= < end > ]:pc= Gkey///%25Viacgodnsudpftpssh::1set204206304400500..\\\.\\?\??adxaesshaavxfmanetMD4MD5RSADSAURIexp): TTLSET.exeopenreadtrueHost<>idlehttp1080DATAPINGPOSTEtag0x%xdateetagfromhostlinkvarypathDat$runtime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=NtCreateWaitCompletionPacket
API String ID: 0-1638293046
Opcode ID: a31ce7c56f6451832368dddaaeddf1ccf0a0bc67d43242c260fd0a0fba6cae95
Instruction ID: ddc0528076e17acf151039b571e2b081633f25c1675f77fc19543a22840aeb6a
Opcode Fuzzy Hash: a31ce7c56f6451832368dddaaeddf1ccf0a0bc67d43242c260fd0a0fba6cae95
Instruction Fuzzy Hash: 5861CF72608B8186EB109B16E4403EEBB79F786B84F44512AEF8D07B66CB7CC5A4C714

Function 005437C0 Relevance: 5.6, Strings: 4, Instructions: 560COMMON

Download Yara Rule

Strings

invalid pattern syntax: x509: malformed validityaddress string too shortresource length too longunpacking Question.ClassstreamSafe was not resetGODEBUG sys/cpu: value "", required CPU featurechacha20: wrong key sizezip: not a valid zip filehttp: invalid cooki, xrefs: 0054385B, 00543917, 005439C2, 00543E4A, 00543F19, 00543F80, 00543FEA, 00544052
-, xrefs: 00543A7D
pattern bits too long: exit hook invoked panicinvalid PrintableStringx509: malformed UTCTimex509: invalid key usagex509: malformed versiontoo many pointers (>10)segment length too longunpacking Question.Nameunpacking Question.Typeskipping Question ClassP224 po, xrefs: 00543EB2
invalid pattern syntax (+ after -): no assembly implementation availablex509: zero or negative DSA parameterx509: invalid CRL distribution pointx509: invalid subject key identifierx509: malformed algorithm identifiercrypto/cipher: input not full blockscrypto/s, xrefs: 00543DE3

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: -$invalid pattern syntax (+ after -): no assembly implementation availablex509: zero or negative DSA parameterx509: invalid CRL distribution pointx509: invalid subject key identifierx509: malformed algorithm identifiercrypto/cipher: input not full blockscrypto/s$invalid pattern syntax: x509: malformed validityaddress string too shortresource length too longunpacking Question.ClassstreamSafe was not resetGODEBUG sys/cpu: value "", required CPU featurechacha20: wrong key sizezip: not a valid zip filehttp: invalid cooki$pattern bits too long: exit hook invoked panicinvalid PrintableStringx509: malformed UTCTimex509: invalid key usagex509: malformed versiontoo many pointers (>10)segment length too longunpacking Question.Nameunpacking Question.Typeskipping Question ClassP224 po
API String ID: 0-3891606564
Opcode ID: 76792ac96d893af3fbb5cb37ac0fff523b7c522003e0f9cd9b4052cb43a2a454
Instruction ID: 65d5b9751fc1b0a7574a5f59a0a921286f47c3e9fa4f326e57ff6a48d00013b3
Opcode Fuzzy Hash: 76792ac96d893af3fbb5cb37ac0fff523b7c522003e0f9cd9b4052cb43a2a454
Instruction Fuzzy Hash: 1032D132A08B80C4D711CF25E8443DA7BA4F785BA8F589226DBAD477A5DF7DCA94C700

Function 004A3E40 Relevance: 5.3, Strings: 4, Instructions: 294COMMON

Download Yara Rule

Strings

expa, xrefs: 004A3E48
nd 3, xrefs: 004A3E57
2-by, xrefs: 004A3E66
te k, xrefs: 004A3E75

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: 2-by$expa$nd 3$te k
API String ID: 0-3581043453
Opcode ID: d0a0678b136faf6cdae2b5bb443573c909990b14ac4f0b67f8b4f134291ae36c
Instruction ID: 5a507d22028e55e31b090cfd7012f2dd07ab1ff66a69ee0c8e32482875761174
Opcode Fuzzy Hash: d0a0678b136faf6cdae2b5bb443573c909990b14ac4f0b67f8b4f134291ae36c
Instruction Fuzzy Hash: EDB1B066F25FD94AF323A63810036B7EB185FFB9C9A40E327FC9474A87D72095036254

Function 004DC280 Relevance: 5.3, Strings: 4, Instructions: 289COMMON

Download Yara Rule

Strings

stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executioncompileCallback: float arguments not supportedruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base poin, xrefs: 004DC6E4
stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2oversized record received with length %dtls: received empty , xrefs: 004DC6FE
stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a , xrefs: 004DC745
stopTheWorld: not stopped (stopwait != 0)tls: internal error: unsupported key (%T)invalid value length: expected %d, got %dnet/url: invalid control character in URLidna: internal error in punycode encodingx509: cannot parse URI %q: invalid domaincrypto/md5: in, xrefs: 004DC62A

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: stopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2oversized record received with length %dtls: received empty $stopTheWorld: holding locksgcstopm: not waiting for gcruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a $stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executioncompileCallback: float arguments not supportedruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base poin$stopTheWorld: not stopped (stopwait != 0)tls: internal error: unsupported key (%T)invalid value length: expected %d, got %dnet/url: invalid control character in URLidna: internal error in punycode encodingx509: cannot parse URI %q: invalid domaincrypto/md5: in
API String ID: 0-1581966374
Opcode ID: 2cd1e88e2f759b69d16de389057723e5bc69446f30cae47812f97220e721def6
Instruction ID: 106fefc2b10e3d3374bdd4888e3e305349047fa2e4ce6bca9ad8869fd3995168
Opcode Fuzzy Hash: 2cd1e88e2f759b69d16de389057723e5bc69446f30cae47812f97220e721def6
Instruction Fuzzy Hash: 6EC19F76209B8586DB10CF22E4A436AB761F38ABC4F189127EE8D43765CF3DC486CB05

Function 004D8420 Relevance: 5.2, Strings: 4, Instructions: 221COMMON

Download Yara Rule

Strings

runtime., xrefs: 004D85B2
runtime/internal/thread exhaustionlocked m0 woke upentersyscallblock spinningthreads=gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff decryption failedhandshake failureillegal parametermissing extensionunrec, xrefs: 004D85E5
reflect., xrefs: 004D860C
bad restart PC-thread limitstopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=.WithoutCancel.WithDea, xrefs: 004D86D3

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: bad restart PC-thread limitstopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=.WithoutCancel.WithDea$reflect.$runtime.$runtime/internal/thread exhaustionlocked m0 woke upentersyscallblock spinningthreads=gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff decryption failedhandshake failureillegal parametermissing extensionunrec
API String ID: 0-3201311403
Opcode ID: 2d73cdd278e380bc89d3ceec455d138a1b39f8209f48d6aadede79ff1ded6860
Instruction ID: add69674e477380d681a9cc68a8ad9579e3eb958aa88e8f8ef91b204d0caed6c
Opcode Fuzzy Hash: 2d73cdd278e380bc89d3ceec455d138a1b39f8209f48d6aadede79ff1ded6860
Instruction Fuzzy Hash: 1B719E32B04A4086DB148F21E4A03BBB7A5F785BA4F48813BDB4E57754DF7CD8918B08

Function 004ABE60 Relevance: 5.1, Strings: 4, Instructions: 80COMMON

Download Yara Rule

Strings

cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:tls: Earlyparsefilesimap2imap3imapspop3shostsutf-8%s*%dtext/bad nsse41sse42ssse3SHA-1P-224P-256P-384P-521ECDSA (at ClassStringFormat[]bytestringactiveclosedsocks5CANCELGOAWAYP, xrefs: 004ABF05
runtime: lfstack.push invalid packing: node=out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark p, xrefs: 004ABEE5
packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes tlskyberCurveID(finishedexporterReceivednetedns0[::1]:53continue_gatewayinvalid address readfromwsaioctlunix, xrefs: 004ABF25
-> node= ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)tracebac, xrefs: 004ABF45

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: -> node= ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)tracebac$ cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:tls: Earlyparsefilesimap2imap3imapspop3shostsutf-8%s*%dtext/bad nsse41sse42ssse3SHA-1P-224P-256P-384P-521ECDSA (at ClassStringFormat[]bytestringactiveclosedsocks5CANCELGOAWAYP$ packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes status= etypes tlskyberCurveID(finishedexporterReceivednetedns0[::1]:53continue_gatewayinvalid address readfromwsaioctlunix$runtime: lfstack.push invalid packing: node=out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark p
API String ID: 0-2188752124
Opcode ID: 6666ecc3ccd40bdb717a5b278e3b84afe59da87cb612e4054fb2233e0c982598
Instruction ID: baa72108e5298d566187f9aa46fcfaa7f070a71dab7bf09b5dd3690d8f2ccfe1
Opcode Fuzzy Hash: 6666ecc3ccd40bdb717a5b278e3b84afe59da87cb612e4054fb2233e0c982598
Instruction Fuzzy Hash: AF218F32618B8586D700EF12E89136EA768F78AB84F48953BEA8C47726CF3CC451C758

Function 004EA020 Relevance: 4.9, Strings: 3, Instructions: 1165COMMON

Download Yara Rule

Strings

gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff decryption failedhandshake failureillegal parametermissing extensionunrecognized namemultipartmaxpartsmessage too largepermission deniedwrong medium typeno da, xrefs: 004EAD90
ey, xrefs: 004EAD5B
selectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStubtrace: out of memorywirep: already in gounknown PSK identitycertificate requiredinvalid DNS responsegetadaptersaddressesunexpected network: gzip: invalid headerheader line too longGetProcessMemoryInfo, xrefs: 004EAD67

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff decryption failedhandshake failureillegal parametermissing extensionunrecognized namemultipartmaxpartsmessage too largepermission deniedwrong medium typeno da$selectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStubtrace: out of memorywirep: already in gounknown PSK identitycertificate requiredinvalid DNS responsegetadaptersaddressesunexpected network: gzip: invalid headerheader line too longGetProcessMemoryInfo$ey
API String ID: 0-4044303321
Opcode ID: c2b1dcb74d98368625a71bcca315baa9542bf1792ebc6fb9789f231320c47d70
Instruction ID: 76857f7f7d6583467dff2903ae735789f5a418706164f921c789822d4d976f27
Opcode Fuzzy Hash: c2b1dcb74d98368625a71bcca315baa9542bf1792ebc6fb9789f231320c47d70
Instruction Fuzzy Hash: D6B27532208BD0C2D720CF12E44879AB7A8F389B95F558526EF9D47B99CF78D8A0C745

Function 004BE980 Relevance: 3.9, Strings: 3, Instructions: 179COMMON

Download Yara Rule

Strings

(scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type nil keytls3desderivedInitialExpiresSubjectwindowswsarecvwsasendlookup writetocharsetCONOUT$\\.\UNCavx512fos/execr, xrefs: 004BEBA5
pacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStubtrace: out of memory, xrefs: 004BEB86
MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=tlsmaxrsasizeaccess denied, xrefs: 004BEC05

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type nil keytls3desderivedInitialExpiresSubjectwindowswsarecvwsasendlookup writetocharsetCONOUT$\\.\UNCavx512fos/execr$ MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=tlsmaxrsasizeaccess denied$pacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStubtrace: out of memory
API String ID: 0-163087891
Opcode ID: 1bceb77ac407167870e19d547858bf70ab164a2481ed5f3064b9dafa3df56d77
Instruction ID: 4a2f94690dfd70726a08bc6d60448aae17bd88ff776040c7b24daafe43f4ec7b
Opcode Fuzzy Hash: 1bceb77ac407167870e19d547858bf70ab164a2481ed5f3064b9dafa3df56d77
Instruction Fuzzy Hash: CC71B432908F9485D701EB26E44039AB768FB9ABC4F44832BEA8D67725CF3CC492C754

Function 005337C0 Relevance: 3.0, Strings: 2, Instructions: 520COMMON

Download Yara Rule

Strings

\, xrefs: 005339E7
]7S, xrefs: 00534085

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: \$]7S
API String ID: 0-311488551
Opcode ID: 083e5d4ea698489c7d6080a4d91190962d448acb878ccdf425f58a96228b5bb3
Instruction ID: ccb272243f5bbf7164a0005ae9c44ad53a18b39f7153a275db1bff328a4f27b5
Opcode Fuzzy Hash: 083e5d4ea698489c7d6080a4d91190962d448acb878ccdf425f58a96228b5bb3
Instruction Fuzzy Hash: 68227162709BC185DB20CF26E4547AAAB61F38ABD0F448626EF8D57B59DF3CC585CB00

Function 0050EAA0 Relevance: 3.0, Strings: 2, Instructions: 498COMMON

Download Yara Rule

Strings

)P, xrefs: 0050F234
", xrefs: 0050F22C

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: "$)P
API String ID: 0-1414339957
Opcode ID: 453c2a69f11b4cfc657d833a8e41cffdb0b0fb7b83204e032821b8400047eee1
Instruction ID: 0c1fb02fc80adbd980431b0ce70ccaf8fc5ec460903cb57bf6dd1db9d089f717
Opcode Fuzzy Hash: 453c2a69f11b4cfc657d833a8e41cffdb0b0fb7b83204e032821b8400047eee1
Instruction Fuzzy Hash: 0C329F72208BC585DB20CF65E4853EEBB61F786794F14862ADA9C17BAACF39C445C740

Function 004E7EC0 Relevance: 2.9, Strings: 2, Instructions: 423COMMON

Download Yara Rule

Strings

runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=failed to parse certificate #%d in the chain: %wtls: no supported symmetric ciphersuites for ECHtls: CurvePreference, xrefs: 004E8235
runtime: malformed profBuf buffer - tag and data out of synctls: no supported versions satisfy MinVersion and MaxVersiontls: initial handshake had non-empty renegotiation extensiontls: server resumed a session with a different EMS extensionexec: Cmd started a , xrefs: 004E8265

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: runtime: malformed profBuf buffer - invalid sizeattempt to trace invalid or unsupported P statusruntime: waitforsingleobject wait_failed; errno=failed to parse certificate #%d in the chain: %wtls: no supported symmetric ciphersuites for ECHtls: CurvePreference$runtime: malformed profBuf buffer - tag and data out of synctls: no supported versions satisfy MinVersion and MaxVersiontls: initial handshake had non-empty renegotiation extensiontls: server resumed a session with a different EMS extensionexec: Cmd started a
API String ID: 0-3242746415
Opcode ID: 2c074ba6a09fe3c7053438622f3c844286eb46854b9bfa712e2cb3a281bf49b1
Instruction ID: 0abe929b1fcc756195f7628bd3a4879c68cdfc2406c6a8769c8739857491503c
Opcode Fuzzy Hash: 2c074ba6a09fe3c7053438622f3c844286eb46854b9bfa712e2cb3a281bf49b1
Instruction Fuzzy Hash: 81D1F022705A9482DE149F67E40176B6B61F78AFC6F49942AEE0E97710DF7CCC82C308

Function 004D09C0 Relevance: 2.7, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

runtime: inconsistent read deadlineNtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=unsupported signature algorithm: %vtls: too many n, xrefs: 004D0BCD
runtime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime:, xrefs: 004D0B5E

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: runtime: inconsistent read deadlineNtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=unsupported signature algorithm: %vtls: too many n$runtime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime:
API String ID: 0-921591563
Opcode ID: 76aaddf56cca2591d2491c0061746a27d42f9e29e9baf6f7828a708f6da993ef
Instruction ID: 53421a8af33a77f40023f3f94ba1e8e898c2edff7573d962e1b68cfb1fb47b31
Opcode Fuzzy Hash: 76aaddf56cca2591d2491c0061746a27d42f9e29e9baf6f7828a708f6da993ef
Instruction Fuzzy Hash: 4651E43230E74085CB64CBA5E06433FBBA0F796B98F19456BEA9D03795CB7CD8408749

Function 0050C240 Relevance: 1.7, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 0050C34D, 0050C456, 0050C597, 0050C6BF

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
API String ID: 0-2911004680
Opcode ID: a228e8f1463bc9528876bc78fb9a805b6a10359a95dc952a3dfed461cf1be21f
Instruction ID: fef7576312ab35d062b078f18bd7e7dac36b9c0b2454cf8a60b73528c8e40036
Opcode Fuzzy Hash: a228e8f1463bc9528876bc78fb9a805b6a10359a95dc952a3dfed461cf1be21f
Instruction Fuzzy Hash: B5F13632315A8082EA10DF69E8043ADAF65F786BD0F898625EF5E477D5CFB8C895C704

Function 0052D0C0 Relevance: 1.7, Strings: 1, Instructions: 430COMMON

Download Yara Rule

Strings

ParseUint[%v = %d]websocketsucceededSee OtherUse ProxyForbiddenNot FoundToo EarlyTrailer: protocol nil errorfork/exec#execwaitWednesdaySeptemberinterruptbus errorntdll.dllole32.dllpsapi.dllwinmm.dllFindCloseLocalFreeMoveFileWPurgeCommSetupCommWriteFileWSASendT, xrefs: 0052D23E, 0052D272, 0052D2A4, 0052D3BD, 0052D47D, 0052D53D, 0052D5FD, 0052D6E3

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: ParseUint[%v = %d]websocketsucceededSee OtherUse ProxyForbiddenNot FoundToo EarlyTrailer: protocol nil errorfork/exec#execwaitWednesdaySeptemberinterruptbus errorntdll.dllole32.dllpsapi.dllwinmm.dllFindCloseLocalFreeMoveFileWPurgeCommSetupCommWriteFileWSASendT
API String ID: 0-4063562177
Opcode ID: 4224e0abbee2552c425d7d77cafb44739a73c205936917f6ebb721ef109d7d53
Instruction ID: add51a36910f3ab9e834b040a6ea44dcf3f7437195746ddc19545da9849fcf88
Opcode Fuzzy Hash: 4224e0abbee2552c425d7d77cafb44739a73c205936917f6ebb721ef109d7d53
Instruction Fuzzy Hash: AF02AC72618B50C5EB00DF11F8443AA7BB5FB8ABD0F459026EA8E477A9DB7CC590C750

Function 00509D40 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

M, xrefs: 0050A03D, 0050A0CB

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-2060442770
Opcode ID: 7661dfb583fb0d65e9b9b0fd2f290a0145f24f08469e85c496d8fc8ff6172b68
Instruction ID: e8c927207decea7aac38ba80b1b323cbe9d9267796cf560090a9e3a1a532e18c
Opcode Fuzzy Hash: 7661dfb583fb0d65e9b9b0fd2f290a0145f24f08469e85c496d8fc8ff6172b68
Instruction Fuzzy Hash: 0CD19236209B8585DB64CB16E4403AEBBA1F386B84F59D036DE8D43B9ADF78C485D701

Function 0052D7C0 Relevance: 1.5, Strings: 1, Instructions: 279COMMON

Download Yara Rule

Strings

ParseIntscavengepollDesctraceBufdeadlockraceFinipanicnilcgocheckrunnable procid rax rbx rcx rdx rdi rsi rbp rsp r8 r9 r10 r11 r12 r13 r14 r15 rip rflags cs fs gs is not poi, xrefs: 0052D983, 0052DA63, 0052DB08, 0052DB99

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: ParseIntscavengepollDesctraceBufdeadlockraceFinipanicnilcgocheckrunnable procid rax rbx rcx rdx rdi rsi rbp rsp r8 r9 r10 r11 r12 r13 r14 r15 rip rflags cs fs gs is not poi
API String ID: 0-4012776879
Opcode ID: cf299124b97538b6825dff9760316ae2239df04384685c1b1ffc6b5162a194f9
Instruction ID: 00186b4103ba90b6fc64b254955a24a1d480fdc1b7a41a5550861c1258b9fa90
Opcode Fuzzy Hash: cf299124b97538b6825dff9760316ae2239df04384685c1b1ffc6b5162a194f9
Instruction Fuzzy Hash: B0C18E72608B50C5EB14DF15F84439A7BB5FB8ABC0F498526EA8D47BA9DF38C891C740

Function 004CCE20 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listruntime.Pinner: argument is nilcasgstatus: , xrefs: 004CD1C5

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listruntime.Pinner: argument is nilcasgstatus:
API String ID: 0-1312986596
Opcode ID: 3cb92977038153dc2979b7a150ccb6bd88210ce3b6e7b4be6c1263f200cbbc81
Instruction ID: 14dba0acba049bb1c514e8cb2166c38755f9fa6ae3d3512a971763c328756ce5
Opcode Fuzzy Hash: 3cb92977038153dc2979b7a150ccb6bd88210ce3b6e7b4be6c1263f200cbbc81
Instruction Fuzzy Hash: 82A15E7AB08B9481CA50CB16E48075BA765F389BC4F48512BEF8D57B29CF3CC592CB44

Function 004B1760 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

bulkBarrierPreWrite: unaligned argumentsruntime: typeBitsBulkBarrier with type refill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unkn, xrefs: 004B1B07

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: bulkBarrierPreWrite: unaligned argumentsruntime: typeBitsBulkBarrier with type refill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unkn
API String ID: 0-2740983204
Opcode ID: 8ad8cd977b802c9c3d5ddce170431e314ae48fe622913f19cfbd176385c7262b
Instruction ID: b6e75438d4f7d59987ad6d4f697b011473fefb11553e5fbd85607b5863fa3906
Opcode Fuzzy Hash: 8ad8cd977b802c9c3d5ddce170431e314ae48fe622913f19cfbd176385c7262b
Instruction Fuzzy Hash: 9291A1B6709B8482DB108B56E45439AA7A5F389FC0F988127EF8D57B28DF3CC496C714

Function 004DB8C0 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

KP, xrefs: 004DBA17

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: KP
API String ID: 0-3219806408
Opcode ID: f4ab8d2d9e235c195cd6c7620446c94ae132eeffb285f0bd5e3a0244cbaba81f
Instruction ID: eaf818aaf1f2fdf84177ab8bee3b0e2349a83fb5faf6d7150df251e5e36957db
Opcode Fuzzy Hash: f4ab8d2d9e235c195cd6c7620446c94ae132eeffb285f0bd5e3a0244cbaba81f
Instruction Fuzzy Hash: 68A17F36605A84C6D700CB26E49536EBB61F38AB90F098227EF9C43759CF7DD486CB44

Function 004CBF80 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 004CC247

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
API String ID: 0-2099802129
Opcode ID: 49f0093b5d87ea48fcee75634ac19bcc116657794dd41c2e224bd420e2539699
Instruction ID: 6b832a9c94598a25cd658525ae7505d9c9211495353e5b55f85c6083c9f354a6
Opcode Fuzzy Hash: 49f0093b5d87ea48fcee75634ac19bcc116657794dd41c2e224bd420e2539699
Instruction Fuzzy Hash: E161DDB7B14B8882DB409B56E48039A7765F78ABD0F44922AEF9D1379ACF3CC581C740

Function 00531900 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00531A3E

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
API String ID: 0-2272463933
Opcode ID: 22a7a57254d3df51cdd571937fd1bb61d785f5412c89b132bab65489d13616d1
Instruction ID: a2fbe745f98d6e22b17202b5da3f7314a0d15c04eff57845547cccaab74e275d
Opcode Fuzzy Hash: 22a7a57254d3df51cdd571937fd1bb61d785f5412c89b132bab65489d13616d1
Instruction Fuzzy Hash: 2B417623749E9482DB188B3A942177CAF11F3D5BD0F999A1ACE4B07781CE28CC52C388

Function 004B7FA5 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:tls: Earlyparsefilesimap2imap3imapspop3shostsutf-8%s*%dtext/bad nsse41sse42ssse3SHA-1P-224P-256P-384P-521ECDSA (at ClassStringFormat[]bytestringactiveclosedsocks5CANCELGOAWAYPADDED, xrefs: 004B7FB4

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:tls: Earlyparsefilesimap2imap3imapspop3shostsutf-8%s*%dtext/bad nsse41sse42ssse3SHA-1P-224P-256P-384P-521ECDSA (at ClassStringFormat[]bytestringactiveclosedsocks5CANCELGOAWAYPADDED
API String ID: 0-2467681893
Opcode ID: 1c3ca4e65e27f15707a7bcf62557b3472bb1b26f7963b0fa7a17b507d571a41e
Instruction ID: 38c7f675391c330c0c67c4b59e8d75c476942596a8ff434aab9b9eacd540f74a
Opcode Fuzzy Hash: 1c3ca4e65e27f15707a7bcf62557b3472bb1b26f7963b0fa7a17b507d571a41e
Instruction Fuzzy Hash: 81517B32209B80C6E710CF25F48539A7BA4F796784F41822BEA8C43766DF7DC499CB55

Function 004BE700 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not , xrefs: 004BE7F0

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID: gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not
API String ID: 0-3110597650
Opcode ID: 5ea65cabca027ba43264be2b134412e8c0307318bddfd5d5c446bc6a84b2cee3
Instruction ID: 1b6e632f3906524b00488ad16f0841cb276b41eef1d265cf1c212226bfe9cc0a
Opcode Fuzzy Hash: 5ea65cabca027ba43264be2b134412e8c0307318bddfd5d5c446bc6a84b2cee3
Instruction Fuzzy Hash: 2621CCF3B02AC446EB049F15D4803E86B22E39AFD8F4AA076CF4A57756CA6CC592C300

Function 0051A500 Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79cdacbc71f03c22c082229d7b9a8420ce33d1af2c3ac9f884b477bdc99f8d7
Instruction ID: b6113b17ed71ec7767fef9d59261cf546170c5ed298124517f40ea78c558a67f
Opcode Fuzzy Hash: f79cdacbc71f03c22c082229d7b9a8420ce33d1af2c3ac9f884b477bdc99f8d7
Instruction Fuzzy Hash: B7221572A1669486FF228B26D0403FA6F65F394FD4F185412EE8D1779ADB2CC8D1D702

Function 00538DA0 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9734db6d3e92427208a8d53dd37f2c9170517f83ba5621b92c689f626280ff5a
Instruction ID: 3699354820791a3de87b0f57ff5c94f4732dff421b0bf11589575ad8ccfc8781
Opcode Fuzzy Hash: 9734db6d3e92427208a8d53dd37f2c9170517f83ba5621b92c689f626280ff5a
Instruction Fuzzy Hash: 5302FEB3B18A9082DB648B26E04037AAF65F395FD4F485451FF8D1BB99DB78C8D29700

Function 005354C0 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35ce4284d0a7f0ad00d9dbb807d2d255040cc1bcf6f63037f61fe09f934b5c4
Instruction ID: f8d1d161ecf70dd441ef8943247900c59202a7b2b4842e44e69aa9c8880363c3
Opcode Fuzzy Hash: b35ce4284d0a7f0ad00d9dbb807d2d255040cc1bcf6f63037f61fe09f934b5c4
Instruction Fuzzy Hash: 7612AA73A18FC481D6318B65E4403EAAB60F399B84F54A616DF9D17B5AEF38D5E0CB00

Function 0053EF00 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b420e5dd93916f64e044037361f9ed73a7307d4062299c10eb327b604a539a84
Instruction ID: d92a766d2de5b01ca107f92fe5851436436261b0e9b8ebc8dddc02ea1ccb5a7b
Opcode Fuzzy Hash: b420e5dd93916f64e044037361f9ed73a7307d4062299c10eb327b604a539a84
Instruction Fuzzy Hash: C1E11976E18554C9EF644B1AE8813BD2F26F381794F881472EA4D1B39BDB28CCE5E314

Function 00539BE0 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 415f2d9b4f69222b36fd8747659d5a7fddf02b1f4d877b79fd208ede2ca979c3
Instruction ID: 68c653050b0c7da176dd5b3af9b0f9f76a4d0b6e437068a1cc2b5bb5236de8a9
Opcode Fuzzy Hash: 415f2d9b4f69222b36fd8747659d5a7fddf02b1f4d877b79fd208ede2ca979c3
Instruction Fuzzy Hash: 6CE18AB6608B84C6CB14CB16E48436DBBA5F3CAFC0F589526CE9E47759DBB8C891C740

Function 005310E0 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e72756fb1357e44877bdef18b62b98eb22d787ffb3d0fc95f35e8291ad6527e
Instruction ID: 82a4971e5dc84cf06228444522cf7b7ef88d174b49f796770113c948a195db18
Opcode Fuzzy Hash: 3e72756fb1357e44877bdef18b62b98eb22d787ffb3d0fc95f35e8291ad6527e
Instruction Fuzzy Hash: 0CC1D633B09E9482CE14CF76E401BAAAB64F395FC4F485421EE8E87B19DB79C945CB44

Function 004FBC20 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 717f3db0a353065965019076acecbc8015bbf492bcced9f09dda771f3c34e7a9
Instruction ID: c1f337f3ad40b9b45bee9561b33e4e66927a71eda4210c604ebcdc81c03c2ba2
Opcode Fuzzy Hash: 717f3db0a353065965019076acecbc8015bbf492bcced9f09dda771f3c34e7a9
Instruction Fuzzy Hash: DAD1E2B2715A89C2DA248B40E5403BA7764F38AB84F854227DB9E17B89CF7CC456C74A

Function 005332C0 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a43b47099751903cbfbf412907f2adce9326f72f1cea61a6a3c4137a1bc5d3ed
Instruction ID: 55e9f5a7f776c6b430d2a7112af4f94b5d0b3b01883837b6019a6eb6e4095012
Opcode Fuzzy Hash: a43b47099751903cbfbf412907f2adce9326f72f1cea61a6a3c4137a1bc5d3ed
Instruction Fuzzy Hash: F7B12D73F18544DAFB24CF71D85A7AA5B43B389750F86C866E90E87782DA28CB95C700

Function 004FEF00 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28810612674ddcc625ccc677d65d5adf9e6e06b8177089a3cd9410055760da79
Instruction ID: 4b434878f58038d783cc595db9be9ab0eaf524aca37659edbd49600b386d6d40
Opcode Fuzzy Hash: 28810612674ddcc625ccc677d65d5adf9e6e06b8177089a3cd9410055760da79
Instruction Fuzzy Hash: 3ED1F232314B4A82CA10DB05E404B7A7B65FB5ABC0F958626EF9D47B59CF7CC84AC748

Function 00519DE0 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4b1a82658b9094ec1051d519a7bbfcb3b08c56d820de6126a2971ee0fe6f7e
Instruction ID: f443c707ea280c49105bc40e7c1653a8edcc21674a88cac654d1fde9028d1615
Opcode Fuzzy Hash: 0e4b1a82658b9094ec1051d519a7bbfcb3b08c56d820de6126a2971ee0fe6f7e
Instruction Fuzzy Hash: E7D15D32609B8486EA61DB16F4903AEBB65F7C5BC0F548426EF8D47B29DF39C495CB00

Function 005384E0 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a622ce6501772b44420fc1c0a0fe9efe06c3a8a15d55709b40d7139d8e5889f
Instruction ID: 0892b393698a7ec879b16bf9102a87630ca8d5eb6feb97f8e9a106dd466104b4
Opcode Fuzzy Hash: 6a622ce6501772b44420fc1c0a0fe9efe06c3a8a15d55709b40d7139d8e5889f
Instruction Fuzzy Hash: 52D16872209B84C6DA68DF16E48036EBB61F7C6BC0F549426EB8E47B59DF39C491CB10

Function 00500960 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d9178053e887eff0e2e2b3d5abbd3828ffe7b55228766584ea43966a721631
Instruction ID: 098f7b4b99a23be6f1e4630d18a02f7915005e7840feff1f569c88127c44e62d
Opcode Fuzzy Hash: 56d9178053e887eff0e2e2b3d5abbd3828ffe7b55228766584ea43966a721631
Instruction Fuzzy Hash: C2B1F363204B8AC6DB50CF95E0007ED7B65F3AABC4F949212EA8D07799CF78C555C781

Function 004E0160 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a334dc95b6cc58b00a247639c1e121659b04f79bd589aca131386812b4e7744d
Instruction ID: 8d64fd9130437af00fe380c3d5e46757f2cb000701b476ae08dbd379b8d3f684
Opcode Fuzzy Hash: a334dc95b6cc58b00a247639c1e121659b04f79bd589aca131386812b4e7744d
Instruction Fuzzy Hash: 3C91E6723186C186CB24CB27A540B6BAB61F789BC5F485127EF9D47B15CB7CC891CB44

Function 0050FB29 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 440d47c7488a388788ab247d6ffb0abb63c11723b2173531378ea3bb94622e5d
Instruction ID: 608e728db270d078301422863913df38301cf48f063ae0de75f510e5cad19c4c
Opcode Fuzzy Hash: 440d47c7488a388788ab247d6ffb0abb63c11723b2173531378ea3bb94622e5d
Instruction Fuzzy Hash: 70B1FB16E1CFCA50E613567C9403B762B106FF35C4F01D73ABAC2F1AA3DB566910BA22

Function 004C9720 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f54b3405961686a0f2ca623e98a71748eadd91df70ef3cd54bd88e104f306719
Instruction ID: 014f432d8bd917ca9f1bf5fbf0567732d84c4b0f561241b673e75b536a4a1bea
Opcode Fuzzy Hash: f54b3405961686a0f2ca623e98a71748eadd91df70ef3cd54bd88e104f306719
Instruction Fuzzy Hash: 65A1797A618B8482DB608B15F08039AB7A5F78ABD4F14522AEFDD43B59DF3CD495CB00

Function 004CABC0 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8492f6e6a7844f789619f13ae9f700f3fb20b6747a64655f2feaf739ba6bec18
Instruction ID: c0c33c12a8a2ec3767d5bebdc05fcff0eb217739c1ccd608e759e3fb3bc3868f
Opcode Fuzzy Hash: 8492f6e6a7844f789619f13ae9f700f3fb20b6747a64655f2feaf739ba6bec18
Instruction Fuzzy Hash: 7181A177718B8482DB508F15E4807AAA762F78ABC4F04512AEF9E17B5ACB3CC4A1C744

Function 004FC3A0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bc9722e48fc01aa2d550b8aaec47f96509c70388fbb1539311380854bad696
Instruction ID: 461f2437f9e35824ea9af2235bf590d30d2d0974e7c14dd2dd7c7e710561a9ea
Opcode Fuzzy Hash: d6bc9722e48fc01aa2d550b8aaec47f96509c70388fbb1539311380854bad696
Instruction Fuzzy Hash: E66113F2304B9886CB058A1AD5803EA77E6F784FD4F88D226DF5D0BB98DA79C559C340

Function 004F1CC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c073c20cfb70d9e904c1891120d6e3e3b8c98f5a3d3d79000b3b82815186fbb6
Instruction ID: 486c764d81f6f7a60f5b7f8a4a61ebf93e6ffb8a8f377d298c6109a822184839
Opcode Fuzzy Hash: c073c20cfb70d9e904c1891120d6e3e3b8c98f5a3d3d79000b3b82815186fbb6
Instruction Fuzzy Hash: 30413922B81A4CCADF149A3494513B722A6D380774FCC4677CF2D473E2E26C94E59618

Function 004AA400 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cab0fa6efc13eaace6dcf5f7f238e2c0832e8f776f8de2402e1428158b6abce
Instruction ID: bc61993b29605ebca52d16c531752fb3738885505cc2deed8002cfb29508097e
Opcode Fuzzy Hash: 7cab0fa6efc13eaace6dcf5f7f238e2c0832e8f776f8de2402e1428158b6abce
Instruction Fuzzy Hash: 7441E9A1701A5481EE04CF1689182AAF361E75FFE0B49A133DF1D77B68C76CD816C349

Function 004F5940 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e0e5bb6a338d5065fdbe4d516e957055d3cebd9c496ce69356f21bbc8f65ed1
Instruction ID: 65ecdf26b4bbe43ad658d00ac705f2e11dad1a899fc0cc41ffb5477d7dc338e6
Opcode Fuzzy Hash: 7e0e5bb6a338d5065fdbe4d516e957055d3cebd9c496ce69356f21bbc8f65ed1
Instruction Fuzzy Hash: 7E518172B09E9886CB15CB16E08036BAB61F789BD4F089517EF8D17B49CB3CD591CB04

Function 004C46A0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec42449cbe7015911f826dd1ccd484021bb59d44e7fe677b2b1ebe4151aaa619
Instruction ID: b38761457653a4b2bbe6a67d564e3d9cfe87bc4428bb6d9cdc37471b3e8e600f
Opcode Fuzzy Hash: ec42449cbe7015911f826dd1ccd484021bb59d44e7fe677b2b1ebe4151aaa619
Instruction Fuzzy Hash: B651157A605B8485DA41CB35E55072AB362FBC6BE4F18872BEA6D13B95DF3CC0918708

Function 004C0260 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e803be071de6aff7e260b228c36a46575c3f9121b44a3a804a9efa9ed2b5cfd
Instruction ID: db62d3269dbd803de1ba0e11f87a64d3b4791e4fbed26cf4300bb8055189c409
Opcode Fuzzy Hash: 5e803be071de6aff7e260b228c36a46575c3f9121b44a3a804a9efa9ed2b5cfd
Instruction Fuzzy Hash: 5C3116A2B1BF848ACD47DB7A5460B20820A6F97BE4F54C7335C3B762E5EB2D84438204

Function 005435E0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffa9cb39625c63f587e59e84902ba3b9cb43eb51a0d7af04cb9ddf263d4ae89
Instruction ID: 17cc2462a39c0e41ac273a23cdf17f3a4a430e8ef40e84f08c97de4d27c97159
Opcode Fuzzy Hash: fffa9cb39625c63f587e59e84902ba3b9cb43eb51a0d7af04cb9ddf263d4ae89
Instruction Fuzzy Hash: 82312EEBD19FCD05FA1347399443692A610AFF76E4A10E743FEF132A12EB14B6A46314

Function 004CDEC0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d3871379ef4234a58a4aca6178531caa16d61f67b9b99e0eef8b4734e8d601
Instruction ID: 3e9fda2c60c69e9f39f7d1e894a625bb9dd86339e1cd496efb5798bd2acc3542
Opcode Fuzzy Hash: c2d3871379ef4234a58a4aca6178531caa16d61f67b9b99e0eef8b4734e8d601
Instruction Fuzzy Hash: E031E8BA302B844ADAD4CB335654A8963ABF798BC4B159239DF0D93724EB39D4A5C300

Function 004ADB60 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 092f23c08cb5cfca720c067935acdf67b27ca8d5a987054025cc771cd1aef0e2
Instruction ID: 13745d0b9e01772cdeb20324523468a3f56f0920c622d0bf7fa7cc06d4a09a13
Opcode Fuzzy Hash: 092f23c08cb5cfca720c067935acdf67b27ca8d5a987054025cc771cd1aef0e2
Instruction Fuzzy Hash: 0411EEE1E26F440EDA47C73A9551351821B5FEBBD0F68D323BD1BB6796EB2990D38100

Function 005434C0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 156a7beeb203a26e7f0815e4bb70240e6ef6d90e906f0264561fffd1184a11a6
Instruction ID: 86c21e82c3e2cb4034f31b105a661dcec031209ef600d20ec747357ff8fbd2b4
Opcode Fuzzy Hash: 156a7beeb203a26e7f0815e4bb70240e6ef6d90e906f0264561fffd1184a11a6
Instruction Fuzzy Hash: EF11EF339111B046E702CB3ED804AAA7BA2F389B9DF6AC340DF92534DEC5254A0396E0

Function 00512880 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3253312057.00000000004A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000000.00000002.3253278260.00000000004A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253795010.000000000099B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253816255.000000000099E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253831485.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253846981.00000000009A0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253870240.00000000009C3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253886077.00000000009C4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253900519.00000000009C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253921348.00000000009D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.00000000009F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253937702.0000000000A20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3253994420.0000000000A27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254013222.0000000000A37000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254033034.0000000000A38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_D_47267_1687617Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1766fef994a4eb0576a4b1e7ccb2889f0455099ce3f161999410101d31ec1012
Instruction ID: 4404c64485e45b7d7efb2631e1d53af2ad5d30f000bf572ea48d09091132651d
Opcode Fuzzy Hash: 1766fef994a4eb0576a4b1e7ccb2889f0455099ce3f161999410101d31ec1012
Instruction Fuzzy Hash: DCC02BF1A07BC738FF14C30471003843DC19F453C0F80C090828800619D63CC2D08204

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.227541951702708
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	D_47267_1687617Q.exe
File size:	5'580'288 bytes
MD5:	a31c36986e12203913067e4b5bd81665
SHA1:	5db1c9a5cccc75628fde0c2ee4d807b28f2dfc2b
SHA256:	c68c8abb1a3272b6c9bdd749b32b91dc909b0e84afd06e067bda1a81a96319b8
SHA512:	fdf3f466bfbd42103c118913c14a93fc3aa6b02427c4728a9a19a10c201df97c964a0bfac1b2e3a8af599acb1b7ade8a3340956e7be988596fb1fa0172eec5f1
SSDEEP:	49152:vv6SNBVqlEhYQB+MXtrKyNsYthDD6A9Fzvv/0uja5E3TdqyeN7rdNC8dMzw2pk:n57qyJIRpA9FzaEYTNPG8dMzw
TLSH:	AC464A07ECE545A8D0AED235CA629152BB727C485B3423D72FA0F7392F76BD06A79700
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........$U.......".......&......... @........@..............................`Z...........`... ............................

Entrypoint:	0x474020
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	d42595b695fc008ef2c56aabd8efd68e

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report D_47267_1687617Q.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: D_47267_1687617Q.exePID: 4836, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: D_47267_1687617Q.exePID: 4836, Parent PID: 1028COMMON

Execution Graph

Graph

Executed Functions

Function 004D1A20 Relevance: 13.9, Strings: 11, Instructions: 138COMMON

Control-flow Graph

Function 004ACD80 Relevance: 12.9, Strings: 10, Instructions: 384COMMON

Windows Analysis Report
D_47267_1687617Q.exe

Function 004D1A20 Relevance: 13.9, Strings: 11, Instructions: 138
COMMON

Function 004ACD80 Relevance: 12.9, Strings: 10, Instructions: 384
COMMON

Function 004D3260 Relevance: 12.7, Strings: 10, Instructions: 247
COMMON

Function 004A2260 Relevance: 9.2, Strings: 7, Instructions: 430
COMMON

Function 004D1620 Relevance: 5.1, Strings: 4, Instructions: 138
COMMON