Edit tour

Windows Analysis Report
c2SVEEbvn5.exe

Overview

General Information

Sample name:	c2SVEEbvn5.exe renamed because original name is a hash value
Original sample name:	07072e924fb80dcc2dd8afb0962a3b7f.exe
Analysis ID:	1546424
MD5:	07072e924fb80dcc2dd8afb0962a3b7f
SHA1:	4593f4e9c3b11320abdf35d6db727cfd2ae17b2e
SHA256:	a19db1e020b26580eddcf1a63c27c0ee935df2117b23ef941366cf9e42db7a7e
Tags:	32exetrojan
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Powershell create lnk in startup

AI detected suspicious sample

Machine Learning detection for sample

Powershell creates an autostart link

Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

c2SVEEbvn5.exe (PID: 5776 cmdline: "C:\Users\user\Desktop\c2SVEEbvn5.exe" MD5: 07072E924FB80DCC2DD8AFB0962A3B7F)

powershell.exe (PID: 6932 cmdline: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\c2SVEEbvn5.exe'; $s.Save()" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

c2SVEEbvn5.exe (PID: 2980 cmdline: "C:\Users\user\Desktop\c2SVEEbvn5.exe" MD5: 07072E924FB80DCC2DD8AFB0962A3B7F)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.2533883308.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000002.2534067881.0000000000C70000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000A.00000002.2534153247.0000000002560000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000005.00000002.2534227814.00000000025E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89

Sigma Signatures

System Summary

Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE

Source: File created

Author: Christopher Peacock '@securepeacock', SCYTHE: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6932, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6932, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\c2SVEEbvn5.exe'; $s.Save()", CommandLine: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\c2SVEEbvn5.exe'; $s.Save()", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\c2SVEEbvn5.exe", ParentImage: C:\Users\user\Desktop\c2SVEEbvn5.exe, ParentProcessId: 5776, ParentProcessName: c2SVEEbvn5.exe, ProcessCommandLine: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\c2SVEEbvn5.exe'; $s.Save()", ProcessId: 6932, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Powershell create lnk in startup

Source: Process started

Author: Joe Security: Data: Command: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\c2SVEEbvn5.exe'; $s.Save()", CommandLine: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\c2SVEEbvn5.exe'; $s.Save()", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\c2SVEEbvn5.exe", ParentImage: C:\Users\user\Desktop\c2SVEEbvn5.exe, ParentProcessId: 5776, ParentProcessName: c2SVEEbvn5.exe, ProcessCommandLine: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\c2SVEEbvn5.exe'; $s.Save()", ProcessId: 6932, ProcessName: powershell.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T21:42:26.452901+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.7	49752	TCP
2024-10-31T21:43:05.398707+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.7	49969	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: c2SVEEbvn5.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: c2SVEEbvn5.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: c2SVEEbvn5.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Unpacked PE file: 5.2.c2SVEEbvn5.exe.400000.0.unpack
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Unpacked PE file: 10.2.c2SVEEbvn5.exe.400000.0.unpack

Source: c2SVEEbvn5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\c2SVEEbvn5.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 4x nop then mov ebp, edi	5_2_00403060
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 4x nop then mov dword ptr [esp], edx	5_2_00420B70
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 4x nop then mov ebp, edi	5_2_025E32C7
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 4x nop then mov dword ptr [esp], edx	5_2_02600DD7
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 4x nop then mov ebp, edi	10_2_00403060
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 4x nop then mov dword ptr [esp], edx	10_2_00420B70
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 4x nop then mov ebp, edi	10_2_025632C7
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 4x nop then mov dword ptr [esp], edx	10_2_02580DD7

Source: global traffic

TCP traffic: 192.168.2.7:49701 -> 185.196.10.218:9889

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.7:49752
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.7:49969

Source: powershell.exe, 00000007.00000002.1305034114.0000000005A57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.1302030493.0000000004B46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.1302030493.00000000049F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.1302030493.0000000004B46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.1302030493.00000000049F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000007.00000002.1305034114.0000000005A57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.1305034114.0000000005A57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.1305034114.0000000005A57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000007.00000002.1302030493.0000000004B46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.1302030493.00000000051D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.1305034114.0000000005A57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000A.00000002.2533883308.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.2534067881.0000000000C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.2534153247.0000000002560000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.2534227814.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_00403060	5_2_00403060
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_0040D0C0	5_2_0040D0C0
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_004129D0	5_2_004129D0
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_0042FA50	5_2_0042FA50
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_00409470	5_2_00409470
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_0041BDE0	5_2_0041BDE0
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_0041362B	5_2_0041362B
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_00403680	5_2_00403680
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_0044AF10	5_2_0044AF10
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_025E96D7	5_2_025E96D7
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_025E32C7	5_2_025E32C7
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_025F2E97	5_2_025F2E97
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_0262FF07	5_2_0262FF07
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_02611707	5_2_02611707
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_025ED327	5_2_025ED327
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_025E97A7	5_2_025E97A7
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_0262B177	5_2_0262B177
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_00403060	10_2_00403060
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_0040D0C0	10_2_0040D0C0
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_004129D0	10_2_004129D0
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_0042FA50	10_2_0042FA50
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_00409470	10_2_00409470
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_0041BDE0	10_2_0041BDE0
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_0041362B	10_2_0041362B
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_00403680	10_2_00403680
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_0044AF10	10_2_0044AF10
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_025696D7	10_2_025696D7
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_025632C7	10_2_025632C7
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_02572E97	10_2_02572E97
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_025AFF07	10_2_025AFF07
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_02591707	10_2_02591707
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_0256D327	10_2_0256D327
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_025697A7	10_2_025697A7
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_025AB177	10_2_025AB177

Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: String function: 02599BF7 appears 123 times
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: String function: 0259BE17 appears 156 times
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: String function: 00439990 appears 452 times
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: String function: 0261BE17 appears 156 times
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: String function: 0043BBB0 appears 474 times
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: String function: 00439A60 appears 48 times
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: String function: 02619BF7 appears 123 times

Source: c2SVEEbvn5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0000000A.00000002.2533883308.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.2534067881.0000000000C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.2534153247.0000000002560000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2534227814.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: c2SVEEbvn5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.spre.evad.winEXE@5/4@0/1

Source: C:\Users\user\Desktop\c2SVEEbvn5.exe

Code function: 5_2_00C707A6 CreateToolhelp32Snapshot,Module32First,

5_2_00C707A6

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6920:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_euowbtn0.ig1.ps1

Jump to behavior

Source: c2SVEEbvn5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\c2SVEEbvn5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: c2SVEEbvn5.exe

ReversingLabs: Detection: 42%

Source: c2SVEEbvn5.exe	String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
Source: c2SVEEbvn5.exe	String found in binary or memory: ap read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/p
Source: c2SVEEbvn5.exe	String found in binary or memory: ap read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/p
Source: c2SVEEbvn5.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: c2SVEEbvn5.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: c2SVEEbvn5.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: c2SVEEbvn5.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: c2SVEEbvn5.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: c2SVEEbvn5.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: c2SVEEbvn5.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: c2SVEEbvn5.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: c2SVEEbvn5.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: c2SVEEbvn5.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: c2SVEEbvn5.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: c2SVEEbvn5.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: c2SVEEbvn5.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: c2SVEEbvn5.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: c2SVEEbvn5.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: c2SVEEbvn5.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: c2SVEEbvn5.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: c2SVEEbvn5.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: c2SVEEbvn5.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
Source: c2SVEEbvn5.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
Source: c2SVEEbvn5.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: c2SVEEbvn5.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: c2SVEEbvn5.exe	String found in binary or memory: node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked
Source: c2SVEEbvn5.exe	String found in binary or memory: node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked
Source: c2SVEEbvn5.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: c2SVEEbvn5.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: c2SVEEbvn5.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
Source: c2SVEEbvn5.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
Source: c2SVEEbvn5.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime:
Source: c2SVEEbvn5.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime:
Source: c2SVEEbvn5.exe	String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
Source: c2SVEEbvn5.exe	String found in binary or memory: ap read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/p
Source: c2SVEEbvn5.exe	String found in binary or memory: ap read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/p
Source: c2SVEEbvn5.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: c2SVEEbvn5.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: c2SVEEbvn5.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: c2SVEEbvn5.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: c2SVEEbvn5.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: c2SVEEbvn5.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: c2SVEEbvn5.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: c2SVEEbvn5.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: c2SVEEbvn5.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: c2SVEEbvn5.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: c2SVEEbvn5.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: c2SVEEbvn5.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: c2SVEEbvn5.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: c2SVEEbvn5.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: c2SVEEbvn5.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: c2SVEEbvn5.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: c2SVEEbvn5.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: c2SVEEbvn5.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: c2SVEEbvn5.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
Source: c2SVEEbvn5.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
Source: c2SVEEbvn5.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: c2SVEEbvn5.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: c2SVEEbvn5.exe	String found in binary or memory: node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked
Source: c2SVEEbvn5.exe	String found in binary or memory: node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked
Source: c2SVEEbvn5.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: c2SVEEbvn5.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: c2SVEEbvn5.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
Source: c2SVEEbvn5.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
Source: c2SVEEbvn5.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime:
Source: c2SVEEbvn5.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime:

Source: unknown	Process created: C:\Users\user\Desktop\c2SVEEbvn5.exe "C:\Users\user\Desktop\c2SVEEbvn5.exe"
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\c2SVEEbvn5.exe'; $s.Save()"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\c2SVEEbvn5.exe "C:\Users\user\Desktop\c2SVEEbvn5.exe"
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\c2SVEEbvn5.exe'; $s.Save()"	Jump to behavior

Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Section loaded: mswsock.dll	Jump to behavior

Source: Nexus.lnk.7.dr

LNK file: ..\..\..\..\..\..\..\Desktop\c2SVEEbvn5.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: c2SVEEbvn5.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: c2SVEEbvn5.exe

Static file information: File size 2132992 > 1048576

Source: C:\Users\user\Desktop\c2SVEEbvn5.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: c2SVEEbvn5.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1eb600

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Unpacked PE file: 5.2.c2SVEEbvn5.exe.400000.0.unpack .text:ER;.data:W;.wig:R;.yotepu:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;/4:R;/19:R;/32:R;/46:R;/65:R;/78:R;/90:R;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Unpacked PE file: 10.2.c2SVEEbvn5.exe.400000.0.unpack .text:ER;.data:W;.wig:R;.yotepu:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;/4:R;/19:R;/32:R;/46:R;/65:R;/78:R;/90:R;.idata:W;.reloc:R;.symtab:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Unpacked PE file: 5.2.c2SVEEbvn5.exe.400000.0.unpack
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Unpacked PE file: 10.2.c2SVEEbvn5.exe.400000.0.unpack

Source: c2SVEEbvn5.exe	Static PE information: section name: .wig
Source: c2SVEEbvn5.exe	Static PE information: section name: .yotepu

Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_0041C4E6 pushfd ; ret	5_2_0041C4E7
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_00C724D4 pushfd ; ret	5_2_00C7251E
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_00C71504 pushad ; retf	5_2_00C71505
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_00C74EE6 pushfd ; ret	5_2_00C74EE7
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_0041C4E6 pushfd ; ret	10_2_0041C4E7
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_00AF24D4 pushfd ; ret	10_2_00AF251E
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_00AF1504 pushad ; retf	10_2_00AF1505
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_00AF4EE6 pushfd ; ret	10_2_00AF4EE7

Source: c2SVEEbvn5.exe

Static PE information: section name: .text entropy: 7.933634192032009

Boot Survival

Powershell creates an autostart link

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: .lnk'); $s.TargetPath = 'C:\Users\user\Desktop\c2SVEEbvn5.exe'; $s.Save()@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module via navigations and search. Tags = @('powershell','unit testing','bdd','tdd','mocking') # The web address of an icon which can be used in gal

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk

Jump to behavior

Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2204			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1307			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2052	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2404	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000007.00000002.1306666032.0000000007140000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}l
Source: powershell.exe, 00000007.00000002.1306666032.0000000007140000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: c2SVEEbvn5.exe, 00000005.00000002.2533709795.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, c2SVEEbvn5.exe, 0000000A.00000002.2533706539.000000000081C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_00C70083 push dword ptr fs:[00000030h]	5_2_00C70083
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_025E092B mov eax, dword ptr fs:[00000030h]	5_2_025E092B
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 5_2_025E0D90 mov eax, dword ptr fs:[00000030h]	5_2_025E0D90
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_00AF0083 push dword ptr fs:[00000030h]	10_2_00AF0083
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_0256092B mov eax, dword ptr fs:[00000030h]	10_2_0256092B
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Code function: 10_2_02560D90 mov eax, dword ptr fs:[00000030h]	10_2_02560D90

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\c2SVEEbvn5.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\c2SVEEbvn5.exe'; $s.Save()"

Jump to behavior

Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "$ws = new-object -comobject wscript.shell; $s = $ws.createshortcut('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\nexus.lnk'); $s.targetpath = 'c:\users\user\desktop\c2sveebvn5.exe'; $s.save()"
Source: C:\Users\user\Desktop\c2SVEEbvn5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "$ws = new-object -comobject wscript.shell; $s = $ws.createshortcut('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\nexus.lnk'); $s.targetpath = 'c:\users\user\desktop\c2sveebvn5.exe'; $s.save()"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Command and Scripting Interpreter	12 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 DLL Side-Loading	12 Registry Run Keys / Startup Folder	21 Virtualization/Sandbox Evasion	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	4 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Software Packing	Cached Domain Credentials	11 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
c2SVEEbvn5.exe	42%	ReversingLabs	Win32.Trojan.Generic
c2SVEEbvn5.exe	100%	Avira	HEUR/AGEN.1306978
c2SVEEbvn5.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000007.00000002.1305034114.0000000005A57000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000007.00000002.1302030493.0000000004B46000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000007.00000002.1302030493.00000000049F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000007.00000002.1302030493.00000000049F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000007.00000002.1302030493.0000000004B46000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://go.micro	powershell.exe, 00000007.00000002.1302030493.00000000051D8000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000007.00000002.1302030493.0000000004B46000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://contoso.com/	powershell.exe, 00000007.00000002.1305034114.0000000005A57000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000007.00000002.1305034114.0000000005A57000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000007.00000002.1305034114.0000000005A57000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000007.00000002.1305034114.0000000005A57000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.196.10.218	unknown	Switzerland		42624	SIMPLECARRIERCH	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546424
Start date and time:	2024-10-31 21:41:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	c2SVEEbvn5.exe renamed because original name is a hash value
Original Sample Name:	07072e924fb80dcc2dd8afb0962a3b7f.exe
Detection:	MAL
Classification:	mal100.spre.evad.winEXE@5/4@0/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 95% Number of executed functions: 18 Number of non-executed functions: 125
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 6932 because it is empty
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: c2SVEEbvn5.exe

Simulations

Behavior and APIs

Time	Type	Description
16:42:08	API Interceptor	4x Sleep call for process: powershell.exe modified
21:42:11	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.196.10.218	5yv6ZxNaTP.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SIMPLECARRIERCH	5yv6ZxNaTP.exe	Get hash	malicious	Unknown	Browse	185.196.10.218
	file.exe	Get hash	malicious	Unknown	Browse	185.196.10.218
	file.exe	Get hash	malicious	Unknown	Browse	185.196.10.218
	file.exe	Get hash	malicious	Unknown	Browse	185.196.10.218
	sipari_.exe	Get hash	malicious	AgentTesla	Browse	185.196.9.150
	UGcjMkPWwW.exe	Get hash	malicious	RHADAMANTHYS	Browse	185.196.11.237
	x86_64.bin.elf	Get hash	malicious	Unknown	Browse	185.196.10.215
	fEv4R2ahiLCQa5O.exe	Get hash	malicious	AgentTesla	Browse	185.196.9.150
	PW68YarHboeikgM.exe	Get hash	malicious	AgentTesla	Browse	185.196.9.150
	IND24072113.xlsx	Get hash	malicious	Unknown	Browse	185.196.10.234

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:NlllulPki/llllZ:NllUcylll
MD5:	D8D47FD6FA3E199E4AFF68B91F1D04A8
SHA1:	788625E414B030E5174C5BE7262A4C93502C2C21
SHA-256:	2D9AF9AB25D04D1CF9B25DB196A988CD6E4124C1B8E185B96F2AB9554F4A6738
SHA-512:	5BFD83D07DC3CB53563F215BE1D4D7206340A4C0AB06988697637C402793146D13CDDE0E27DC8301E4506553D957876AC9D7A7BF3C7431BBDD5F019C17AB0A58
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................^..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_euowbtn0.ig1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_roktahm1.gj3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Oct 5 06:54:41 2023, mtime=Thu Oct 31 19:42:08 2024, atime=Thu Oct 31 19:42:05 2024, length=2132992, window=hide
Category:	dropped
Size (bytes):	609
Entropy (8bit):	5.102872244891649
Encrypted:	false
SSDEEP:	12:846TrM1qzYNbRLHo8k5LoE6iLjA/mClURcmtUNlpeTJSTJzBmV:84rTnLBk5Y6A5URglpWJqJtm
MD5:	84F4FB2A5256240590248DEB9E3C07B5
SHA1:	3907F60D159E8D4C26B501D11D453C3B68FCAC5A
SHA-256:	DC5DFFF2872651F6EC7BE68ADEDE2B8F7C19663551717923089E642C48CA794C
SHA-512:	A6EC33F4626143372D9DCF456F29064836F21F20C53FD9527C08C327EAFB41D7B3BCB7A8BB3722A83223509BA04568201543135CE31C5FDCB7FC280310401695
Malicious:	true
Reputation:	low
Preview:	L..................F.... .....2a......Z.+.....X.+.... ..........................P.O. .:i.....+00.:...:..,.LB.)...A&...&........*_.....f4a......Z.+....j.2... ._YC. .C2SVEE~1.EXE..N......EW.>_YC............................/,.c.2.S.V.E.E.b.v.n.5...e.x.e.......X...............-.......W............Y.d.....C:\Users\user\Desktop\c2SVEEbvn5.exe..+.....\.....\.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.c.2.S.V.E.E.b.v.n.5...e.x.e.`.......X.......701188...........hT..CrF.f4... .../Tc...,......hT..CrF.f4... .../Tc...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.834450657393919
TrID:	Win32 Executable (generic) a (10002005/4) 99.55% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	c2SVEEbvn5.exe
File size:	2'132'992 bytes
MD5:	07072e924fb80dcc2dd8afb0962a3b7f
SHA1:	4593f4e9c3b11320abdf35d6db727cfd2ae17b2e
SHA256:	a19db1e020b26580eddcf1a63c27c0ee935df2117b23ef941366cf9e42db7a7e
SHA512:	57f9d37c8b2734dd55f7954628e0ac0f4e5de5918a0cfdff1a26f6509180216cdca7c9353bcf89f7b0553d80b8d6650a3cf2afee2ac6553a26a5ff177684d341
SSDEEP:	49152:aNcV2bHTZ8ysOT8SdP6Nsxl1SCqH4+KQZUdfbZtHe4kl:aN/zZDsOT8Sdi7ZHNKw8fb6
TLSH:	4FA523122791EC26D64652734E2ED7E8273FB9706E2CEF2776295E2F2871172C522307
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C..^.q...q...q...#?..q...#...q...#8..q.. ....q...q..~q...#1..q...#/..q...#*..q..Rich.q..........................PE..L...AC.d...

File Icon


Icon Hash:	63796de971636e0f

Static PE Info

General

Entrypoint:	0x40510f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x64D24341 [Tue Aug 8 13:29:37 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	fe68515784559bdc15451f33c744290f

Entrypoint Preview

Instruction
call 00007F1A80DC789Bh
jmp 00007F1A80DC488Eh
mov edi, edi
push ebp
mov ebp, esp
push edi
mov edi, 000003E8h
push edi
call dword ptr [004010B4h]
push dword ptr [ebp+08h]
call dword ptr [004010B0h]
add edi, 000003E8h
cmp edi, 0000EA60h
jnbe 00007F1A80DC4A16h
test eax, eax
je 00007F1A80DC49F0h
pop edi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
call 00007F1A80DC5159h
push dword ptr [ebp+08h]
call 00007F1A80DC4FA6h
push dword ptr [005ED01Ch]
call 00007F1A80DC72F7h
push 000000FFh
call eax
add esp, 0Ch
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push 0040120Ch
call dword ptr [004010B0h]
test eax, eax
je 00007F1A80DC4A27h
push 004011FCh
push eax
call dword ptr [00401078h]
test eax, eax
je 00007F1A80DC4A17h
push dword ptr [ebp+08h]
call eax
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F1A80DC49DDh
pop ecx
push dword ptr [ebp+08h]
call dword ptr [004010B8h]
int3
push 00000008h
call 00007F1A80DC7A05h
pop ecx
ret
push 00000008h
call 00007F1A80DC7922h
pop ecx
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, eax
jmp 00007F1A80DC4A1Dh
mov eax, dword ptr [esi]
test eax, eax
je 00007F1A80DC4A14h

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1ebb9c	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1fa000	0x14338	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x335000	0xb98	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3f48	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x190	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1eb49e	0x1eb600	d96f7db5b8d7c7cd903acc848ccd71a0	False	0.9594519126812516	data	7.933634192032009	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x1ed000	0xace4	0x6200	fb41b9fcd34bebe71022f97395ef7585	False	0.08605707908163265	data	1.0118098278034715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.wig	0x1f8000	0x400	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.yotepu	0x1f9000	0xd6	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1fa000	0x13a338	0x14400	52bb6cee05efecb3e9fe84f268d0913b	False	0.37702546296296297	data	4.811473803307317	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x335000	0x25dc	0x2600	df3d0ecc307fdffd43de2552f275fb2a	False	0.2671669407894737	data	2.820346702319271	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PONUFIKOHEWIHUJAFEXOVUD	0x203af8	0x9e7	ASCII text, with very long lines (2535), with no line terminators	Tamil	India	0.6047337278106509
PONUFIKOHEWIHUJAFEXOVUD	0x203af8	0x9e7	ASCII text, with very long lines (2535), with no line terminators	Tamil	Sri Lanka	0.6047337278106509
VIDUHAVOCOKUVIZAVAMUDUVUZINA	0x205850	0x1e31	ASCII text, with very long lines (7729), with no line terminators	Tamil	India	0.5871393453228102
VIDUHAVOCOKUVIZAVAMUDUVUZINA	0x205850	0x1e31	ASCII text, with very long lines (7729), with no line terminators	Tamil	Sri Lanka	0.5871393453228102
YUFABIX	0x2044e0	0x136f	ASCII text, with very long lines (4975), with no line terminators	Tamil	India	0.5939698492462312
YUFABIX	0x2044e0	0x136f	ASCII text, with very long lines (4975), with no line terminators	Tamil	Sri Lanka	0.5939698492462312
RT_CURSOR	0x2076e0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.2953091684434968
RT_CURSOR	0x208588	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.46705776173285196
RT_CURSOR	0x208e30	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5361271676300579
RT_CURSOR	0x2093c8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4375
RT_CURSOR	0x2094f8	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0			0.44886363636363635
RT_CURSOR	0x2095d0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.27238805970149255
RT_CURSOR	0x20a478	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.375
RT_CURSOR	0x20ad20	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5057803468208093
RT_CURSOR	0x20b2b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.30943496801705755
RT_CURSOR	0x20c160	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.427797833935018
RT_CURSOR	0x20ca08	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5469653179190751
RT_ICON	0x1fa890	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.5351382488479263
RT_ICON	0x1fa890	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.5351382488479263
RT_ICON	0x1faf58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.40860995850622406
RT_ICON	0x1faf58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.40860995850622406
RT_ICON	0x1fd500	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.44592198581560283
RT_ICON	0x1fd500	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.44592198581560283
RT_ICON	0x1fd998	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.49173773987206826
RT_ICON	0x1fd998	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.49173773987206826
RT_ICON	0x1fe840	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.47247292418772563
RT_ICON	0x1fe840	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.47247292418772563
RT_ICON	0x1ff0e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.434971098265896
RT_ICON	0x1ff0e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.434971098265896
RT_ICON	0x1ff650	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.27977178423236515
RT_ICON	0x1ff650	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.27977178423236515
RT_ICON	0x201bf8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.28775797373358347
RT_ICON	0x201bf8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.28775797373358347
RT_ICON	0x202ca0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	India	0.3086065573770492
RT_ICON	0x202ca0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	Sri Lanka	0.3086065573770492
RT_ICON	0x203628	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.3404255319148936
RT_ICON	0x203628	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.3404255319148936
RT_DIALOG	0x20d200	0x58	data			0.8977272727272727
RT_STRING	0x20d258	0x346	data	Tamil	India	0.46420047732696895
RT_STRING	0x20d258	0x346	data	Tamil	Sri Lanka	0.46420047732696895
RT_STRING	0x20d5a0	0x36e	data	Tamil	India	0.4715261958997722
RT_STRING	0x20d5a0	0x36e	data	Tamil	Sri Lanka	0.4715261958997722
RT_STRING	0x20d910	0x672	data	Tamil	India	0.42424242424242425
RT_STRING	0x20d910	0x672	data	Tamil	Sri Lanka	0.42424242424242425
RT_STRING	0x20df88	0x3b0	data	Tamil	India	0.4523305084745763
RT_STRING	0x20df88	0x3b0	data	Tamil	Sri Lanka	0.4523305084745763
RT_ACCELERATOR	0x207688	0x58	data	Tamil	India	0.7954545454545454
RT_ACCELERATOR	0x207688	0x58	data	Tamil	Sri Lanka	0.7954545454545454
RT_GROUP_CURSOR	0x209398	0x30	data			0.9375
RT_GROUP_CURSOR	0x2095a8	0x22	data			1.0588235294117647
RT_GROUP_CURSOR	0x20b288	0x30	data			0.9375
RT_GROUP_CURSOR	0x20cf70	0x30	data			0.9375
RT_GROUP_ICON	0x1fd968	0x30	data	Tamil	India	0.9375
RT_GROUP_ICON	0x1fd968	0x30	data	Tamil	Sri Lanka	0.9375
RT_GROUP_ICON	0x203a90	0x68	data	Tamil	India	0.7019230769230769
RT_GROUP_ICON	0x203a90	0x68	data	Tamil	Sri Lanka	0.7019230769230769
RT_VERSION	0x20cfa0	0x25c	data			0.5447019867549668

Imports

DLL

Import

KERNEL32.dll

GetTempFileNameW, WriteConsoleInputW, GetConsoleAliasExesA, CallNamedPipeA, CreateProcessW, InterlockedIncrement, OpenJobObjectA, InterlockedDecrement, GetCurrentProcess, GetComputerNameW, GetTimeFormatA, FreeEnvironmentStringsA, GetCommConfig, GetDllDirectoryW, GetNumberFormatA, ClearCommBreak, EnumTimeFormatsW, TlsSetValue, GetCurrencyFormatW, SetFileShortNameW, LoadLibraryW, GetFileAttributesW, GetModuleFileNameW, GetShortPathNameA, LCMapStringA, InterlockedExchange, GlobalUnfix, GetLogicalDriveStringsA, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, DefineDosDeviceW, LoadLibraryA, SetEnvironmentVariableA, GlobalUnWire, GetCurrentDirectoryA, OpenEventW, GetVersionExA, ReadConsoleInputW, SetFileAttributesW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, HeapAlloc, SetFilePointer, EnterCriticalSection, LeaveCriticalSection, TerminateProcess, IsDebuggerPresent, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsFree, GetCurrentThreadId, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, GetModuleHandleA, SetStdHandle, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, RtlUnwind, HeapSize, GetLocaleInfoA, RaiseException, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, CloseHandle

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tamil	India
Tamil	Sri Lanka

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T21:42:26.452901+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.7	49752	TCP
2024-10-31T21:43:05.398707+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.7	49969	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 21:42:10.540273905 CET	49701	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:11.214559078 CET	9889	49701	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:11.214778900 CET	49701	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:19.715518951 CET	9889	49701	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:19.715605974 CET	49701	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:19.715914011 CET	49701	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:19.716207027 CET	49731	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:19.720837116 CET	9889	49701	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:19.721060038 CET	9889	49731	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:19.721132994 CET	49731	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:21.920917988 CET	49743	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:21.925925016 CET	9889	49743	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:21.925988913 CET	49743	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:28.210648060 CET	9889	49731	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:28.210730076 CET	49731	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:28.211442947 CET	49775	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:28.211472034 CET	49731	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:28.216382980 CET	9889	49775	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:28.216476917 CET	49775	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:28.216701984 CET	9889	49731	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:30.432912111 CET	9889	49743	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:30.436880112 CET	49743	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:30.538619995 CET	49787	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:30.538749933 CET	49743	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:30.543596983 CET	9889	49787	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:30.543705940 CET	49787	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:30.543760061 CET	9889	49743	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:36.702186108 CET	9889	49775	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:36.702263117 CET	49775	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:36.707448006 CET	49821	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:36.707478046 CET	49775	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:36.712337971 CET	9889	49821	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:36.712353945 CET	9889	49775	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:36.712445021 CET	49821	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:39.029472113 CET	9889	49787	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:39.032685995 CET	49787	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:39.033622026 CET	49834	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:39.033653975 CET	49787	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:39.038796902 CET	9889	49834	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:39.038810015 CET	9889	49787	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:39.038923025 CET	49834	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:45.203883886 CET	9889	49821	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:45.203963995 CET	49821	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:45.204885960 CET	49867	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:45.204926014 CET	49821	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:45.209743023 CET	9889	49867	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:45.209753990 CET	9889	49821	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:45.209876060 CET	49867	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:47.549494028 CET	9889	49834	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:47.549546957 CET	49834	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:47.549735069 CET	49834	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:47.550054073 CET	49880	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:47.554582119 CET	9889	49834	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:47.555324078 CET	9889	49880	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:47.555393934 CET	49880	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:53.708098888 CET	9889	49867	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:53.708183050 CET	49867	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:53.722261906 CET	49912	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:53.722328901 CET	49867	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:53.727643013 CET	9889	49912	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:53.727654934 CET	9889	49867	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:53.727715015 CET	49912	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:56.135967016 CET	9889	49880	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:56.136042118 CET	49880	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:56.136198044 CET	49880	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:56.136451960 CET	49922	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:42:56.144737005 CET	9889	49880	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:56.144753933 CET	9889	49922	185.196.10.218	192.168.2.7
Oct 31, 2024 21:42:56.144829988 CET	49922	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:02.233007908 CET	9889	49912	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:02.233062029 CET	49912	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:02.233228922 CET	49912	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:02.233408928 CET	49956	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:02.238728046 CET	9889	49912	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:02.239341021 CET	9889	49956	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:02.239398003 CET	49956	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:04.851500988 CET	9889	49922	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:04.851583004 CET	49922	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:04.852062941 CET	49970	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:04.852093935 CET	49922	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:04.852859974 CET	9889	49922	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:04.852911949 CET	49922	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:04.857249022 CET	9889	49970	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:04.857260942 CET	9889	49922	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:04.857347965 CET	49970	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:10.728070974 CET	9889	49956	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:10.728154898 CET	49956	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:10.728574038 CET	49985	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:10.728605986 CET	49956	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:10.733417988 CET	9889	49956	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:10.733431101 CET	9889	49985	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:10.733553886 CET	49985	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:13.341877937 CET	9889	49970	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:13.341974020 CET	49970	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:13.342086077 CET	49970	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:13.342396021 CET	49986	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:13.347374916 CET	9889	49970	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:13.347492933 CET	9889	49986	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:13.347562075 CET	49986	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:19.222099066 CET	9889	49985	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:19.222222090 CET	49985	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:19.222417116 CET	49985	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:19.222697020 CET	49987	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:19.228075981 CET	9889	49985	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:19.228087902 CET	9889	49987	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:19.228162050 CET	49987	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:21.839528084 CET	9889	49986	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:21.839704037 CET	49986	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:21.840022087 CET	49988	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:21.840121031 CET	49986	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:21.844894886 CET	9889	49988	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:21.844906092 CET	9889	49986	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:21.845050097 CET	49988	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:28.214303970 CET	9889	49987	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:28.214473009 CET	49987	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:28.215151072 CET	49989	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:28.215220928 CET	49987	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:28.220387936 CET	9889	49989	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:28.220449924 CET	9889	49987	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:28.220474958 CET	49989	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:30.348164082 CET	9889	49988	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:30.348241091 CET	49988	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:30.348941088 CET	49990	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:30.349042892 CET	49988	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:30.354051113 CET	9889	49990	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:30.354083061 CET	9889	49988	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:30.354135036 CET	49990	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:37.025109053 CET	9889	49989	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:37.025310040 CET	9889	49989	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:37.025511980 CET	49989	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:37.025511980 CET	49989	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:37.025846958 CET	49989	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:37.026525021 CET	49991	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:37.032166958 CET	9889	49989	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:37.033288002 CET	9889	49991	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:37.033415079 CET	49991	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:39.316705942 CET	9889	49990	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:39.316832066 CET	49990	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:39.317117929 CET	9889	49990	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:39.317189932 CET	49990	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:39.317619085 CET	49992	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:39.317632914 CET	49990	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:39.322954893 CET	9889	49990	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:39.322989941 CET	9889	49992	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:39.323144913 CET	49992	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:45.557475090 CET	9889	49991	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:45.557661057 CET	49991	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:45.557847023 CET	49991	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:45.558104038 CET	49993	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:45.562951088 CET	9889	49991	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:45.563153982 CET	9889	49993	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:45.563271999 CET	49993	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:47.830130100 CET	9889	49992	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:47.830257893 CET	49992	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:47.830614090 CET	49994	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:47.830735922 CET	49992	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:47.836056948 CET	9889	49994	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:47.836163044 CET	49994	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:47.836174965 CET	9889	49992	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:54.427766085 CET	9889	49993	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:54.427901030 CET	49993	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:54.428241014 CET	49993	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:54.428345919 CET	9889	49993	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:54.428422928 CET	49993	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:54.428859949 CET	49995	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:54.710309982 CET	9889	49993	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:54.710524082 CET	49993	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:54.712049007 CET	9889	49993	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:54.712085009 CET	9889	49995	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:54.712186098 CET	49995	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:56.348340034 CET	9889	49994	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:56.348433971 CET	49994	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:56.348586082 CET	49994	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:56.348882914 CET	49996	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:43:56.353874922 CET	9889	49994	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:56.354506969 CET	9889	49996	185.196.10.218	192.168.2.7
Oct 31, 2024 21:43:56.354600906 CET	49996	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:44:03.221494913 CET	9889	49995	185.196.10.218	192.168.2.7
Oct 31, 2024 21:44:03.221673012 CET	49995	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:44:03.222419024 CET	49997	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:44:03.222495079 CET	49995	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:44:03.227339029 CET	9889	49997	185.196.10.218	192.168.2.7
Oct 31, 2024 21:44:03.227396011 CET	9889	49995	185.196.10.218	192.168.2.7
Oct 31, 2024 21:44:03.227463961 CET	49997	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:44:04.867999077 CET	9889	49996	185.196.10.218	192.168.2.7
Oct 31, 2024 21:44:04.868058920 CET	49996	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:44:04.868165016 CET	49996	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:44:04.869541883 CET	49998	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:44:04.873048067 CET	9889	49996	185.196.10.218	192.168.2.7
Oct 31, 2024 21:44:04.874391079 CET	9889	49998	185.196.10.218	192.168.2.7
Oct 31, 2024 21:44:04.874464035 CET	49998	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:44:11.732263088 CET	9889	49997	185.196.10.218	192.168.2.7
Oct 31, 2024 21:44:11.732330084 CET	49997	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:44:11.732531071 CET	49997	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:44:11.732676983 CET	49999	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:44:11.737309933 CET	9889	49997	185.196.10.218	192.168.2.7
Oct 31, 2024 21:44:11.737613916 CET	9889	49999	185.196.10.218	192.168.2.7
Oct 31, 2024 21:44:11.737679005 CET	49999	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:44:13.376730919 CET	9889	49998	185.196.10.218	192.168.2.7
Oct 31, 2024 21:44:13.376859903 CET	49998	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:44:13.377120018 CET	50000	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:44:13.377137899 CET	49998	9889	192.168.2.7	185.196.10.218
Oct 31, 2024 21:44:13.381985903 CET	9889	49998	185.196.10.218	192.168.2.7
Oct 31, 2024 21:44:13.382004976 CET	9889	50000	185.196.10.218	192.168.2.7
Oct 31, 2024 21:44:13.382097006 CET	50000	9889	192.168.2.7	185.196.10.218

Target ID:	5
Start time:	16:42:06
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\c2SVEEbvn5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\c2SVEEbvn5.exe"
Imagebase:	0x400000
File size:	2'132'992 bytes
MD5 hash:	07072E924FB80DCC2DD8AFB0962A3B7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.2534067881.0000000000C70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.2534227814.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	16:42:07
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\c2SVEEbvn5.exe'; $s.Save()"
Imagebase:	0x460000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:42:07
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:42:20
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\c2SVEEbvn5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\c2SVEEbvn5.exe"
Imagebase:	0x400000
File size:	2'132'992 bytes
MD5 hash:	07072E924FB80DCC2DD8AFB0962A3B7F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000A.00000002.2533883308.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000A.00000002.2534153247.0000000002560000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	37%
Total number of Nodes:	27
Total number of Limit Nodes:	1

Executed Functions

Function 00C707A6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00C707CE
Module32First.KERNEL32(00000000,00000224), ref: 00C707EE

Memory Dump Source

Source File: 00000005.00000002.2534067881.0000000000C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c70000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: c75ca2c0456aab4725d3f0a3e3434f96cf787aba2f6faab8f4dfa743e0f998ba
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 2CF06231101711ABD7243AB5988DA6F77ECAF49765F208528E65A910C0DA70F9458B61

Function 025E003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 025E024D

Strings

kernel32.dll, xrefs: 025E008F, 025E0095
cess, xrefs: 025E018D

Memory Dump Source

Source File: 00000005.00000002.2534227814.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: c97db3b646984794bd1160e20933eaed74d62d05f938e549ae04c2f16b3e5529
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 2C526974A01229DFDB64CF58C985BACBBB1BF09314F1480D9E54EAB391DB70AA85CF14

Function 025E0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,025E0223,?,?), ref: 025E0E19
SetErrorMode.KERNELBASE(00000000,?,?,025E0223,?,?), ref: 025E0E1E

Memory Dump Source

Source File: 00000005.00000002.2534227814.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 1cacf028484974530ae65c6e85c24824324feaa6d5fdbaaae33983dc66bd837b
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 9AD0123114512877DB003A94DC09BCD7F1CDF05B66F008021FB0DE9080C7B0954046E9

Function 00C70465 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00C704B6

Memory Dump Source

Source File: 00000005.00000002.2534067881.0000000000C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c70000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 502ed5289adad34d0956c9ffaf8bac928a9fbcf09e04f12531ef865bec85d0c3
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: BF113F79A40208EFDB01DF98C985E98BBF5AF08351F15C094F9489B362D371EA50DF80

Non-executed Functions

Function 004129D0 Relevance: 9.0, Strings: 7, Instructions: 250COMMON

Download Yara Rule

Strings

runtime: typeBitsBulkBarrier with type bulkBarrierPreWrite: unaligned argumentsrefill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unkn, xrefs: 00412AF1, 00412B73
runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpan, xrefs: 00412C11
but memory size /gc/pauses:seconds because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked, xrefs: 00412BC7
with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runti, xrefs: 00412B1B
runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:, xrefs: 00412B36, 00412BFB
), xrefs: 00412C1A
of size runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64, xrefs: 00412B9D

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: but memory size /gc/pauses:seconds because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked$ of size runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64$ with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runti$)$runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:$runtime: typeBitsBulkBarrier with type bulkBarrierPreWrite: unaligned argumentsrefill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unkn$runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpan
API String ID: 0-444383925
Opcode ID: fb7dd08eebdcffb68ed6f0515201766069551f0d0e5f9e2aea924636202642bd
Instruction ID: c3b6e2db6fa0461498705e485b1ed48b9f6ecf45ca636e26bb5418af4ff028b1
Opcode Fuzzy Hash: fb7dd08eebdcffb68ed6f0515201766069551f0d0e5f9e2aea924636202642bd
Instruction Fuzzy Hash: AFA17AB59097088FC300EF19C58025AFBE1FF88714F49896EE99887312EB74E945DB97

Function 025E092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 025E0966
GetProcAddress., xrefs: 025E09DC, 025E09DF, 025E09E4
., xrefs: 025E095F

Memory Dump Source

Source File: 00000005.00000002.2534227814.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: fc5b48697e139aa503d4e7ed2b31dba268f8bea0036869d3efbd2890e3e86d25
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: D13137B6900609DFDB14CF99C880AAEBBF5FF58324F54404AD442B7250D7B1EA45CBA8

Function 0041362B Relevance: 2.7, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

@, xrefs: 0042EF0E
bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 0042F025

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: @$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
API String ID: 0-1191861649
Opcode ID: 3cd9e6d47d6a00410eafc5d67ef6ee1ccc7ee7513c52895f42e584a6bff5c1a0
Instruction ID: f8b2d6da8939e72d13611dfe0a8e748ee23736b0c935380960ee9fc8c18cfc0b
Opcode Fuzzy Hash: 3cd9e6d47d6a00410eafc5d67ef6ee1ccc7ee7513c52895f42e584a6bff5c1a0
Instruction Fuzzy Hash: 2251C4756187058FD308DF59C88121AB7E1EBC8314F48CA2DF999D7381EA78E949CB87

Function 00420B70 Relevance: 2.6, Strings: 2, Instructions: 88COMMON

Download Yara Rule

Strings

gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not , xrefs: 00420C51
,, xrefs: 00420C5A

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not
API String ID: 0-2682900153
Opcode ID: 64649ebcbaff8683dd4899564ac29fa37e42b7a96c4484865ad030cf5d710349
Instruction ID: 2b767600a48d3a3f937fc1aaa497ced393772dd76961046019b8390f8957080c
Opcode Fuzzy Hash: 64649ebcbaff8683dd4899564ac29fa37e42b7a96c4484865ad030cf5d710349
Instruction Fuzzy Hash: 4831AE756057968FD305DF18D480A6ABBE1BB86218F4881BDDC484F383CB35984ADB85

Function 02600DD7 Relevance: 2.6, Strings: 2, Instructions: 88COMMON

Download Yara Rule

Strings

,, xrefs: 02600EC1
gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not , xrefs: 02600EB8

Memory Dump Source

Source File: 00000005.00000002.2534227814.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID:
String ID: ,$gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not
API String ID: 0-2682900153
Opcode ID: 5b827d1ba1997e99fc05240c7d88ace1e97bfe10e11d0cd67d72fbcdece76313
Instruction ID: 258c56ea9ba0a9e5488f5dd5334b9296a65915a2e0a8d8fde9e79196ba7a279a
Opcode Fuzzy Hash: 5b827d1ba1997e99fc05240c7d88ace1e97bfe10e11d0cd67d72fbcdece76313
Instruction Fuzzy Hash: F8317F75A057968FC305DF14C490B6AB7A2BB86218F4881BDCC485F383CB31984ACBC5

Function 0262FF07 Relevance: 1.7, Strings: 1, Instructions: 442COMMON

Download Yara Rule

Strings

!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 0262FFF4, 026300D9, 026301D9, 026302D8

Memory Dump Source

Source File: 00000005.00000002.2534227814.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
API String ID: 0-2911004680
Opcode ID: c3b9397203e24147b403b36a04c5deb76d7fb6c35d6fa7d20e7624b44977da6d
Instruction ID: 00b7d0391f62902b538aadcf6e0ad0eaf0e656c765cb63628397856d4e7182eb
Opcode Fuzzy Hash: c3b9397203e24147b403b36a04c5deb76d7fb6c35d6fa7d20e7624b44977da6d
Instruction Fuzzy Hash: D602A771A083418FC319DF6CC4D066AB7E2BB88310F444A3DE99A977A4DB74ED49CB46

Function 0042FA50 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6ceeb63d5c94b88c85896bfd4fbee6dab5196250008a5d13f4c15ca05d88a7
Instruction ID: a412c3e6bb2439181f76eefdfcda9e9e6cbd72f001b685094bee801b9dfb79ee
Opcode Fuzzy Hash: de6ceeb63d5c94b88c85896bfd4fbee6dab5196250008a5d13f4c15ca05d88a7
Instruction Fuzzy Hash: 71E14833B087294BD314DDA9D8C025EB2E2ABC8354F99863DDD559B380FA78DC0E86C5

Function 0041BDE0 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f948c813329ed752be8fc435dfdb99893aa809fd790427490b1f9963b80280af
Instruction ID: b466f2edc5ddc6ad2ad8a7f2488d4fdc7affb25a0127b0b8c100e01adab44895
Opcode Fuzzy Hash: f948c813329ed752be8fc435dfdb99893aa809fd790427490b1f9963b80280af
Instruction Fuzzy Hash: F8C1D432B483158FC714DE6DC88065EBBD2ABC8304F49863DE8559B3A1E779DC468BC6

Function 025E97A7 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2534227814.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ff6cb999cdd611584f516dd20f6281b427111754aa8a6a8df6dbd5c01b05bf
Instruction ID: 2dd215eb95b7c7a939871afa8abad7de1df9d73b436269c0ea92a89a4b0d70b7
Opcode Fuzzy Hash: 05ff6cb999cdd611584f516dd20f6281b427111754aa8a6a8df6dbd5c01b05bf
Instruction Fuzzy Hash: 01C170756093158FCB19DF14C490A2EBBE2FFC8304F048A6DE89A8B355EB349945CB86

Function 00403680 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a541e0d4215aee7fe2d7420e62b8a3a3d423a6318a7f8c305957a0b0107ff25f
Instruction ID: e499e046faad790d5fb59210acf0d9146f8a0791c7e324fe5119758329b7e67a
Opcode Fuzzy Hash: a541e0d4215aee7fe2d7420e62b8a3a3d423a6318a7f8c305957a0b0107ff25f
Instruction Fuzzy Hash: 0781F9B2A183108FC314DF19D88095AFBE2BFC8758F46892EF988D7311D775E9158B86

Function 00403060 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac70e7832649b0fdb1f6da99b48fa23e9f883378580a520e8acfa06bed60f97
Instruction ID: b1accaeb45bebe98f25a0b187f9ff510cf4f34d35392d8dd1ee67e08661e840a
Opcode Fuzzy Hash: dac70e7832649b0fdb1f6da99b48fa23e9f883378580a520e8acfa06bed60f97
Instruction Fuzzy Hash: 6761A67090C3A44AE30D9F6E84A503EFFE15BC9701F444A6EF5E613382D9B89505DBAA

Function 025E32C7 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2534227814.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca8cd28dbe4229f8384e5a8d2f25240425709018576d98c8e23e162aafa5cc0a
Instruction ID: b47dfb0510b97c80bae408e9af783013870d0c640f601e5b92dfda188b856630
Opcode Fuzzy Hash: ca8cd28dbe4229f8384e5a8d2f25240425709018576d98c8e23e162aafa5cc0a
Instruction Fuzzy Hash: 6D61767090C3A44AE31D9F6E84A503EFFE15BC9701F444E6EF5E603382D9B49505DBAA

Function 02611707 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2534227814.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe997f03480b70e1bda0cf03cf3841aa46dde74517a6c9818b522a3d3e47c52
Instruction ID: 1b61bc323fcb436787a201bc9ac520337ac27743bad8a579bc41980777ef07bf
Opcode Fuzzy Hash: 0fe997f03480b70e1bda0cf03cf3841aa46dde74517a6c9818b522a3d3e47c52
Instruction Fuzzy Hash: EC516C75A453129FC318DF65C590A1AF7E1FF89614F0986ACD9898B391DB30E846CB82

Function 0040D0C0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea815a966d26cd94ad5b29041365303835aaf6abc09ba974feb40f8be1a0b5e5
Instruction ID: bc9be27eca2955ff0db9d3217979b31b3da0bc258c1ab3cb705dfd96d15ea929
Opcode Fuzzy Hash: ea815a966d26cd94ad5b29041365303835aaf6abc09ba974feb40f8be1a0b5e5
Instruction Fuzzy Hash: D441C471904F058FC306DF79C49021AB3E5BFCA354F14872EE94A6B792EB358986CA42

Function 025ED327 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2534227814.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b693f05b1fb5637f840c474d3fed7479bf51bf9af3d1f7ffc8876285c83735
Instruction ID: b0237379ff7bf1bdf3f41d57e696ab7988c7c99513e8a5af35591e49fbb7c48a
Opcode Fuzzy Hash: 38b693f05b1fb5637f840c474d3fed7479bf51bf9af3d1f7ffc8876285c83735
Instruction Fuzzy Hash: AD41F370904F048FC306DF38C49021AB7E6FFDA344F04872DE89A6B752EB319882CA42

Function 025F2E97 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2534227814.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4acf2e5ec8d76f8c7c17f3b927a982a528dbf59fdaf4257466bb142a1a2ae7ea
Instruction ID: 5159dc8e277b1c01dc740a047ef614f82091a7627d0073e32fcb56dbb8cc3432
Opcode Fuzzy Hash: 4acf2e5ec8d76f8c7c17f3b927a982a528dbf59fdaf4257466bb142a1a2ae7ea
Instruction Fuzzy Hash: B5314FB381971D8BD300AF498C40159F7E2ABD0A20F5E8A5ED9A457711EBB0AA15CBC7

Function 00409470 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e43f1b6c4c8bcbcd74817159b337ac6630469e67797bdf4c7787f7848df216
Instruction ID: a81ca95e67b9b87b7bdf3ed0c5f9056178bc4de4cc890e7abb9393b7a3511e82
Opcode Fuzzy Hash: 21e43f1b6c4c8bcbcd74817159b337ac6630469e67797bdf4c7787f7848df216
Instruction Fuzzy Hash: C52104317082018BC71CCF3AD8D012AF7E3ABC9310759857ED456977A5DA38AC06CB5A

Function 025E96D7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2534227814.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc59399d830395a432b6ba0760522697a8ab17b3f197173dd2916d55892e1a5e
Instruction ID: 29aa337fe1e986af53389f0befed2f740a371ff12b74703429a3abcba4877439
Opcode Fuzzy Hash: cc59399d830395a432b6ba0760522697a8ab17b3f197173dd2916d55892e1a5e
Instruction Fuzzy Hash: 0121D4717046118BDB1CCF3AD8D152AF7E3BBC9310749896DD4568B664DA34A80ACB4A

Function 00C70083 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2534067881.0000000000C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c70000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: a7f330debb4b8c495cc14a6745642b8c937b14a1bd5ee5d1cc2cb591f852df17
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: D7113CB2340100EFD754DE55DCC1FA673EAEB89330B298065ED08CB316D676E841D760

Function 0044AF10 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdf9d90fc35679138c6bad65a85f04c6541efe5899589692596b10516e1b8b0
Instruction ID: 44b7847dda4cbb8ad284c177eeada58a1584cbe1c19e80bda3b70a8a95e3e91f
Opcode Fuzzy Hash: dfdf9d90fc35679138c6bad65a85f04c6541efe5899589692596b10516e1b8b0
Instruction Fuzzy Hash: 35111EB4740B118FC358DF59C4D4956B3E2FFCD220B4681BDDA4A8B766C670A811DB85

Function 0262B177 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2534227814.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdf9d90fc35679138c6bad65a85f04c6541efe5899589692596b10516e1b8b0
Instruction ID: 44b7847dda4cbb8ad284c177eeada58a1584cbe1c19e80bda3b70a8a95e3e91f
Opcode Fuzzy Hash: dfdf9d90fc35679138c6bad65a85f04c6541efe5899589692596b10516e1b8b0
Instruction Fuzzy Hash: 35111EB4740B118FC358DF59C4D4956B3E2FFCD220B4681BDDA4A8B766C670A811DB85

Function 025E0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2534227814.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: df0410c61a203207abd4ddf3c82edefc2bc19500901f7bae37740177d3c213eb
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 6E018F76A106048FDF25DF24C904BAE33A5FB86316F4544B5D90BE7281E7B4A9418B94

Function 004034A0 Relevance: 18.8, Strings: 15, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2-by, xrefs: 00403504
te k, xrefs: 00403519
nd 3, xrefs: 004034D3
nd 3, xrefs: 004034E8
2-by, xrefs: 004034F6
expa, xrefs: 004035D2
2-by, xrefs: 004034FD
nd 3, xrefs: 004034E1
2-by, xrefs: 004034EF
te k, xrefs: 0040350B
te k, xrefs: 00403520
te k, xrefs: 00403512
expa, xrefs: 00403527
expa, xrefs: 004034C5
nd 3, xrefs: 004034DA

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: 2-by$2-by$2-by$2-by$expa$expa$expa$nd 3$nd 3$nd 3$nd 3$te k$te k$te k$te k
API String ID: 0-4277483314
Opcode ID: fc3555c6e44bbdcb2cfa064d072331bb53f71f0f939a12c3ad269234c0296597
Instruction ID: 0bff66a761d1c838939a7e550572e3e7e5894a584f2545116f5c747d66c1c5ac
Opcode Fuzzy Hash: fc3555c6e44bbdcb2cfa064d072331bb53f71f0f939a12c3ad269234c0296597
Instruction Fuzzy Hash: CA5124B48056408FD358CF06C198BA5BBE1BF88314F2A86FAC4588F776E7768846CF51

Function 00417D50 Relevance: 16.7, Strings: 13, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

runtime.SetFinalizer: first argument is nilruntime.SetFinalizer: finalizer already setgcBgMarkWorker: unexpected gcMarkWorkerModenon in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryru, xrefs: 004183E8
nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod, xrefs: 00418376
+, xrefs: 004183F1
runtime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memory: cannot allocate runtime.preemptM: duplicatehandle failedglobal runq empty wi, xrefs: 004183A3
, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 004182CD
runtime.SetFinalizer: pointer not at beginning of allocated blockunable to query buffer size from InitializeProcThreadAttributeListreflect: reflect.Value.UnsafePointer on an invalid notinheap pointerembedded IPv4 address must replace the final 2 fields of the , xrefs: 004182F8
(, xrefs: 004183AD
runtime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= casfrom_Gscanstatus: gp->status is not in scan state, xrefs: 0041834A
because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime., xrefs: 00418271
runtime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpanLocked - invalid span stateattempted to add zero-sized address rangeruntime: block, xrefs: 004182B3
runtime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already , xrefs: 00418125, 004181AD, 00418235
runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultuser arena chunk size is not a multiple of the physical page sizeruntime: function marked with #cgo nocallback called back into Goru, xrefs: 00418360
, not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failed, xrefs: 004183BD

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.$($+$, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$, not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failed$nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod$runtime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already $runtime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memory: cannot allocate runtime.preemptM: duplicatehandle failedglobal runq empty wi$runtime.SetFinalizer: first argument is nilruntime.SetFinalizer: finalizer already setgcBgMarkWorker: unexpected gcMarkWorkerModenon in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryru$runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultuser arena chunk size is not a multiple of the physical page sizeruntime: function marked with #cgo nocallback called back into Goru$runtime.SetFinalizer: pointer not at beginning of allocated blockunable to query buffer size from InitializeProcThreadAttributeListreflect: reflect.Value.UnsafePointer on an invalid notinheap pointerembedded IPv4 address must replace the final 2 fields of the $runtime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= casfrom_Gscanstatus: gp->status is not in scan state$runtime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpanLocked - invalid span stateattempted to add zero-sized address rangeruntime: block
API String ID: 0-4142479673
Opcode ID: 01390737ad45a1fb96a7f0d7b846c00ec7583e6307a8425ac0bd5fdc00a0d0e0
Instruction ID: ea967b089e611846dd5a7173fc7f0fa1b20cd5e6a94ee60f8f3ebd5422ba16b5
Opcode Fuzzy Hash: 01390737ad45a1fb96a7f0d7b846c00ec7583e6307a8425ac0bd5fdc00a0d0e0
Instruction Fuzzy Hash: 6A1237746087058FC724DF25C0806ABBBF1BF88744F14892EE8D987351EB79D986DB4A

Function 0040B600 Relevance: 15.2, Strings: 12, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double wait, xrefs: 0040B93B, 0040B9C7, 0040BA53
) must be a power of 2system huge page size (runtime: s.allocCount= s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad pro, xrefs: 0040B8BE, 0040B920
bad system huge page sizearena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: p, xrefs: 0040B8D9
failed to get system page sizeassignment to entry in nil mapruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/total:seconds/godebug/non-default, xrefs: 0040BA69
) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfailed to reserve page summary memoryruntime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpr, xrefs: 0040B982
) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm, xrefs: 0040B9AC, 0040BA38
$, xrefs: 0040BA17
bad TinySizeClassruntime: pointer g already scannedmark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 0040BA7F
min size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - deadlock!goroutine running on other thread; stack unavailablename is not in canonical format (it must end, xrefs: 0040B84D
system huge page size (runtime: s.allocCount= s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime, xrefs: 0040B892
system page size ( but memory size /gc/pauses:seconds because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames , xrefs: 0040B8F4, 0040B956, 0040B9E2
) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:, xrefs: 0040BA0E

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: $$) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm$) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:$) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfailed to reserve page summary memoryruntime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpr$) must be a power of 2system huge page size (runtime: s.allocCount= s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad pro$bad TinySizeClassruntime: pointer g already scannedmark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb$bad system huge page sizearena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: p$bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double wait$failed to get system page sizeassignment to entry in nil mapruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/total:seconds/godebug/non-default$min size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - deadlock!goroutine running on other thread; stack unavailablename is not in canonical format (it must end$system huge page size (runtime: s.allocCount= s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime$system page size ( but memory size /gc/pauses:seconds because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames
API String ID: 0-3943168262
Opcode ID: 6ba72ae5723c61703524b54541c1f2213e1e0b4ae6b433b220f6459e02b2af84
Instruction ID: 0cbbd9b4595dbc890d40b0817110a4e30afdb0a33d4367c6fd16a2df426bf2ee
Opcode Fuzzy Hash: 6ba72ae5723c61703524b54541c1f2213e1e0b4ae6b433b220f6459e02b2af84
Instruction Fuzzy Hash: C6C14AB4108604CFD304EF65D49576AB7E5FF58308F00982EE588C73A1EB789849DF9A

Function 004477E0 Relevance: 14.0, Strings: 11, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

no goroutines (main called runtime.Goexit) - deadlock!goroutine running on other thread; stack unavailablename is not in canonical format (it must end with a .)internal error: polling on unsupported descriptor typeReceived Open Connection Request for Stream , xrefs: 004478EE
mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundloc, xrefs: 00447B06
nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdown, xrefs: 00447B30
runtime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a power of 2too many callback functionstimer when must b, xrefs: 00447A92
checkdead: no p for timercheckdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStart2910383045673370361328125IPv4 field has value >255resource deadlock avoidedoperation , xrefs: 00447A25
all goroutines are asleep - deadlock!2220446049250313080847263336181640625godebug: unexpected IncNonDefault of cannot exec a shared library directlyvalue too large for defined data typecannot create context from nil parenttoo many Authorities to pack (>65535)t, xrefs: 00447A63
checkdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible type kind unsafe.Slice: len out of range22737367544323205947, xrefs: 00447B74
^, xrefs: 0044797A, 0044798B
nmidlelocked= needspinning=randinit twicestore64 failedmemprofileratesemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine 1907348632812595367431640625file too largeis a dir, xrefs: 00447ADC
%, xrefs: 00447A6C
checkdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStart2910383045673370361328125IPv4 field has value >255resource deadlock avoidedoperation now in progressno buffer , xrefs: 004479FF

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundloc$ nmidlelocked= needspinning=randinit twicestore64 failedmemprofileratesemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine 1907348632812595367431640625file too largeis a dir$ nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdown$ ^$%$all goroutines are asleep - deadlock!2220446049250313080847263336181640625godebug: unexpected IncNonDefault of cannot exec a shared library directlyvalue too large for defined data typecannot create context from nil parenttoo many Authorities to pack (>65535)t$checkdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible type kind unsafe.Slice: len out of range22737367544323205947$checkdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStart2910383045673370361328125IPv4 field has value >255resource deadlock avoidedoperation now in progressno buffer $checkdead: no p for timercheckdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStart2910383045673370361328125IPv4 field has value >255resource deadlock avoidedoperation $no goroutines (main called runtime.Goexit) - deadlock!goroutine running on other thread; stack unavailablename is not in canonical format (it must end with a .)internal error: polling on unsupported descriptor typeReceived Open Connection Request for Stream $runtime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a power of 2too many callback functionstimer when must b
API String ID: 0-794593442
Opcode ID: 48b61ef6d9f2b701cd519543989a218348ec51ea5dd9d5102a56db2ae8a3cd89
Instruction ID: 93f6c63aa4b6947a3dcffc5d8c5af000d6ad82d6968fc3f62af2d9cc5a2561f4
Opcode Fuzzy Hash: 48b61ef6d9f2b701cd519543989a218348ec51ea5dd9d5102a56db2ae8a3cd89
Instruction Fuzzy Hash: B5A179B45093048FD714EF25D48566EBBE0FF98308F44982EE8C997351EB38D94ADB4A

Function 0040BAA0 Relevance: 12.9, Strings: 10, Instructions: 351
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

., xrefs: 0040C052
arena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p , xrefs: 0040BDAD
) not in usable address space: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: , xrefs: 0040C015
out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning wit, xrefs: 0040BD81
memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memory (bad use of unsafe.Pointer? try -d=checkptr)sysGrow bounds not aligned to pallocChunkBytesruntime: failed to create new , xrefs: 0040C049
runtime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:b, xrefs: 0040BFC1
misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:b, xrefs: 0040BF96
out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbi, xrefs: 0040BD97
out of memory allocating heap arena map/cpu/classes/gc/mark/assist:cpu-seconds/cpu/classes/scavenge/total:cpu-seconds/memory/classes/profiling/buckets:bytesmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResume, xrefs: 0040BDCD
region exceeds uintptr range/gc/heap/frees-by-size:bytes/gc/heap/tiny/allocs:objects/sched/goroutines:goroutinesgcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: m, xrefs: 0040BF64

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: ) not in usable address space: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: $.$arena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p $memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memory (bad use of unsafe.Pointer? try -d=checkptr)sysGrow bounds not aligned to pallocChunkBytesruntime: failed to create new $misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:b$out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning wit$out of memory allocating heap arena map/cpu/classes/gc/mark/assist:cpu-seconds/cpu/classes/scavenge/total:cpu-seconds/memory/classes/profiling/buckets:bytesmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResume$out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbi$region exceeds uintptr range/gc/heap/frees-by-size:bytes/gc/heap/tiny/allocs:objects/sched/goroutines:goroutinesgcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: m$runtime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:b
API String ID: 0-994603571
Opcode ID: 56923667fd2f1879d0c7250705a9fafbe80af6074363d1558ddfff19389e5c2e
Instruction ID: 064074db6ef64add303172c7b25e5eea2f774f360a01db361163f97ee675393e
Opcode Fuzzy Hash: 56923667fd2f1879d0c7250705a9fafbe80af6074363d1558ddfff19389e5c2e
Instruction Fuzzy Hash: 1EF103B45083058FC710DF25C48069AFBE1FF88704F45892EE9989B391E779A849CF9A

Function 0041AD30 Relevance: 12.8, Strings: 10, Instructions: 286
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&, xrefs: 0041B1EE
work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status=, xrefs: 0041B0C2, 0041B143
gcBgMarkWorker: blackening not enabledcannot read stack of running goroutineruntime: blocked read on free polldescruntime: sudog with non-false isSelectarg size to reflect.call more than 1GBaddtimer called with initialized timerv could not fit in traceBytesPer, xrefs: 0041B1E5
work.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedRtlGetNtVersionNumbers, xrefs: 0041B0F6
work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= , xrefs: 0041B098
runtime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil , xrefs: 0041B06F
runtime: work.nwait= previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdea, xrefs: 0041B119
gcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on , xrefs: 0041B18D
GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod, xrefs: 0041AD74
work.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread I, xrefs: 0041B177

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status=$ work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= $&$GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod$gcBgMarkWorker: blackening not enabledcannot read stack of running goroutineruntime: blocked read on free polldescruntime: sudog with non-false isSelectarg size to reflect.call more than 1GBaddtimer called with initialized timerv could not fit in traceBytesPer$gcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on $runtime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil $runtime: work.nwait= previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdea$work.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedRtlGetNtVersionNumbers$work.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread I
API String ID: 0-2597733568
Opcode ID: 7626a6057af96ac597dcfb971f8fb7afd8f662e0fe17e8697f83deab9cd22213
Instruction ID: 10e4db9bf1196a97a6d1858a6c1bb9d57f34c66855e3692ec656ed791d6a67f1
Opcode Fuzzy Hash: 7626a6057af96ac597dcfb971f8fb7afd8f662e0fe17e8697f83deab9cd22213
Instruction Fuzzy Hash: 92D1D1B41097449FC304EF25C090A5ABBF0FF89318F00996EE99987362DB79E885DF56

Function 0041B460 Relevance: 12.8, Strings: 10, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P has cached GC work at end of mark terminationfailed to acquire lock to start a GC transitionfinishGCTransition called without starting one?tried to sleep scavenger from another goroutineruntime: CreateIoCompletionPort failed (errno= racy sudog adjustment due, xrefs: 0041B71A
next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsru, xrefs: 0041B7F7
nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=, xrefs: 0041B8C9
nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE, xrefs: 0041B875
8, xrefs: 0041B91D
runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at en, xrefs: 0041B625
flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc , xrefs: 0041B64F
wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm=244140625rwxrwxrw, xrefs: 0041B695
runtime: full=runtime: want=MB; allocated timeEndPeriod, xrefs: 0041B7CD
in gcMark expecting to see gcphase as _GCmarkterminationsync: WaitGroup misuse: Add called concurrently with Waitcannot run executable found relative to current directory (set GODEBUG=execwait=2 to capture stacks for debugging)runtime: checkmarks found unexpec, xrefs: 0041B914

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc $ nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE$ nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=$ next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsru$ wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm=244140625rwxrwxrw$8$P has cached GC work at end of mark terminationfailed to acquire lock to start a GC transitionfinishGCTransition called without starting one?tried to sleep scavenger from another goroutineruntime: CreateIoCompletionPort failed (errno= racy sudog adjustment due$in gcMark expecting to see gcphase as _GCmarkterminationsync: WaitGroup misuse: Add called concurrently with Waitcannot run executable found relative to current directory (set GODEBUG=execwait=2 to capture stacks for debugging)runtime: checkmarks found unexpec$runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at en$runtime: full=runtime: want=MB; allocated timeEndPeriod
API String ID: 0-2780444836
Opcode ID: fa9f76e301de3e2c2f94b555e00f6cd4fb5b15aaee8dd8d840375eaecd65081c
Instruction ID: 82a5545f0430c9045a731e37a05a4fd15ef01553cc6b59c52fc67bdbe0034acd
Opcode Fuzzy Hash: fa9f76e301de3e2c2f94b555e00f6cd4fb5b15aaee8dd8d840375eaecd65081c
Instruction Fuzzy Hash: 88D1F7B45093449FC304EF65D585B6ABBF1FF88308F40982EF9898B351DB38A944DB96

Function 00460180 Relevance: 12.7, Strings: 10, Instructions: 244COMMON

Download Yara Rule

Strings

[("")) ) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=St, xrefs: 004603F4
minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptem, xrefs: 0046049E
, locked to threadruntime.semacreateruntime.semawakeup298023223876953125unable to parse IPsegmentation faultoperation canceledno child processesconnection refusedRFS specific erroridentifier removedinput/output errormultihop attemptedfile name too longno locks, xrefs: 004604CC
goroutine 12207031256103515625ParseAddr(invalid IPterminatedowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptdnsapi.dllws2_32.dllClassCSNETClassCHAOSAdditionalskipping: LockFileExWSASocketWhttp2debugcrypto/tlsshort writ, xrefs: 004602CA
m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegca, xrefs: 004603D4
(scan)types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovem, xrefs: 00460433
???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintmapptr...finobjgc %: gp *(in n= ) - NaN P , xrefs: 004601DD
]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprootitabsbrkidledead is LEAFb, xrefs: 004604EC
gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRschedhch, xrefs: 00460333
unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: , xrefs: 00460205

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: (scan)types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovem$ [("")) ) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=St$ gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRschedhch$ m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegca$ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptem$, locked to threadruntime.semacreateruntime.semawakeup298023223876953125unable to parse IPsegmentation faultoperation canceledno child processesconnection refusedRFS specific erroridentifier removedinput/output errormultihop attemptedfile name too longno locks$???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintmapptr...finobjgc %: gp *(in n= ) - NaN P $]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprootitabsbrkidledead is LEAFb$goroutine 12207031256103515625ParseAddr(invalid IPterminatedowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptdnsapi.dllws2_32.dllClassCSNETClassCHAOSAdditionalskipping: LockFileExWSASocketWhttp2debugcrypto/tlsshort writ$unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep:
API String ID: 0-1838092129
Opcode ID: e0cc56025ce05c5fbcd10d2eba0a069ffa7b479f1965e6c1216a3a5823f1c344
Instruction ID: 872cae036d1da53ab8c811fab67b347261010f21cfe77534060da605c69c5e42
Opcode Fuzzy Hash: e0cc56025ce05c5fbcd10d2eba0a069ffa7b479f1965e6c1216a3a5823f1c344
Instruction Fuzzy Hash: 2DA149746093148FC310EF65C191A6FB7E1EF88708F50986EE98487352EB38E945DB9B

Function 00407100 Relevance: 12.7, Strings: 10, Instructions: 199COMMON

Download Yara Rule

Strings

: missing method notetsleepg on g0bad TinySizeClassruntime: pointer g already scannedmark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 004073BB
(types from different packages)GCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremo, xrefs: 004072FC
, not object next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32floa, xrefs: 004071FF
is not pointerBAD RANK status unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/, xrefs: 00407399
(types from different scopes)notetsleep - waitm out of syncfailed to get system page sizeassignment to entry in nil mapruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/, xrefs: 00407334
is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: , xrefs: 00407447
is LEAFbase of <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+, xrefs: 004071E5
interface conversion: freeIndex is not validoldoverflow is not nils.freeindex > s.nelemsbad sweepgen in refillspan has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex over, xrefs: 004071C3, 0040737F, 00407425
interfaceinvalid nfuncargs(bad indirreflect: InterfaceprofBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedcoroutinecopystack ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), xrefs: 00407130
, xrefs: 00407306

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: $ (types from different packages)GCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremo$ (types from different scopes)notetsleep - waitm out of syncfailed to get system page sizeassignment to entry in nil mapruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/$ is LEAFbase of <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+$ is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: $ is not pointerBAD RANK status unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/$, not object next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32floa$: missing method notetsleepg on g0bad TinySizeClassruntime: pointer g already scannedmark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb$interface conversion: freeIndex is not validoldoverflow is not nils.freeindex > s.nelemsbad sweepgen in refillspan has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex over$interfaceinvalid nfuncargs(bad indirreflect: InterfaceprofBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedcoroutinecopystack ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use)
API String ID: 0-3784703874
Opcode ID: af3fc176bcb5e14d9d5188559cf9f01110c711f2e0b1578073616a30cc7fc258
Instruction ID: f83e9998422f3e5ce4d122e8e5248b1e27ca6edef12f27c547d49e3482ed015f
Opcode Fuzzy Hash: af3fc176bcb5e14d9d5188559cf9f01110c711f2e0b1578073616a30cc7fc258
Instruction Fuzzy Hash: 6DA199B49083419FC318DF15C080A5ABBE1BB88744F50892EF89987391DB79A849DF47

Function 004612C0 Relevance: 12.7, Strings: 10, Instructions: 175COMMON

Download Yara Rule

Strings

etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptember-07:0, xrefs: 0046149C
runtime: type offset out of range142108547152020037174224853515625710542735760100185871124267578125skip everything and stop the walktoo many levels of symbolic linksInitializeProcThreadAttributeListtoo many Answers to pack (>65535)GetVolumeNameForVolumeMountPo, xrefs: 0046158C
types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovemberDece, xrefs: 00461472
- NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprooti, xrefs: 00461558
!, xrefs: 00461595
runtime: type offset base pointer out of rangeruntime: text offset base pointer out of rangebufio: reader returned negative count from Readunexpected error wrapping poll.ErrFileClosing: reflect.Value.Bytes of unaddressable byte arrayslice bounds out of range [, xrefs: 004614E2
runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno data availableexec format errorLookupAccountSidWDnsRecordListFreeGetCurrentProcessGetShortPathNameWWSAEnumProtocolsWRegLoadMUIStringWmultipartmaxpartsrefle, xrefs: 004613D4, 00461505
out of range no module dataruntime: seq1=runtime: goid= in goroutine 1907348632812595367431640625file too largeis a directorylevel 2 haltedlevel 3 haltedtoo many linksno such deviceprotocol errortext file busytoo many usersCryptGenRandomCertCloseStoreCreatePr, xrefs: 0046152E
base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegcallocmW, xrefs: 004613FD
not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateDirectoryWFlushFileBuffersGetC, xrefs: 00461427

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovemberDece$ - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprooti$ base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegcallocmW$ etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptember-07:0$ not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateDirectoryWFlushFileBuffersGetC$ out of range no module dataruntime: seq1=runtime: goid= in goroutine 1907348632812595367431640625file too largeis a directorylevel 2 haltedlevel 3 haltedtoo many linksno such deviceprotocol errortext file busytoo many usersCryptGenRandomCertCloseStoreCreatePr$!$runtime: type offset base pointer out of rangeruntime: text offset base pointer out of rangebufio: reader returned negative count from Readunexpected error wrapping poll.ErrFileClosing: reflect.Value.Bytes of unaddressable byte arrayslice bounds out of range [$runtime: type offset out of range142108547152020037174224853515625710542735760100185871124267578125skip everything and stop the walktoo many levels of symbolic linksInitializeProcThreadAttributeListtoo many Answers to pack (>65535)GetVolumeNameForVolumeMountPo$runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno data availableexec format errorLookupAccountSidWDnsRecordListFreeGetCurrentProcessGetShortPathNameWWSAEnumProtocolsWRegLoadMUIStringWmultipartmaxpartsrefle
API String ID: 0-2750088902
Opcode ID: 43c3d045e655d812b6373281fd0d502039e68b2fecf9becc2859258b88dc1300
Instruction ID: f84276e96cc464bdbfe79f9bce170ddb1aa41f5f0dc3cb53c0e9b2862f9e1838
Opcode Fuzzy Hash: 43c3d045e655d812b6373281fd0d502039e68b2fecf9becc2859258b88dc1300
Instruction Fuzzy Hash: 8F8139B45093059FC344EF25C481B6AB7E0FF88308F44996EE98887751EB389949EB97

Function 00461010 Relevance: 12.7, Strings: 10, Instructions: 156COMMON

Download Yara Rule

Strings

etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptember-07:0, xrefs: 004611AB
runtime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangebufio: reader returned negative count from Readunexpected error wrapping poll.ErrFileClosing: reflect.Value.Bytes of unadd, xrefs: 004611F1
!, xrefs: 004612A4
types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovemberDece, xrefs: 00461181
- NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprooti, xrefs: 00461267
runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno data availableexec format errorLookupAccountSidWDnsRecordListFreeGetCurrentProcessGetShortPathNameWWSAEnumProtocolsWRegLoadMUIStringWmulti, xrefs: 004610DF, 00461214
out of range no module dataruntime: seq1=runtime: goid= in goroutine 1907348632812595367431640625file too largeis a directorylevel 2 haltedlevel 3 haltedtoo many linksno such deviceprotocol errortext file busytoo many usersCryptGenRandomCertCloseStoreCreatePr, xrefs: 0046123D
base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegcallocmW, xrefs: 00461108
runtime: name offset out of rangeruntime: type offset out of range142108547152020037174224853515625710542735760100185871124267578125skip everything and stop the walktoo many levels of symbolic linksInitializeProcThreadAttributeListtoo many Answers to pack (>65, xrefs: 0046129B
not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateDirectoryWFlushFileBuffersGetC, xrefs: 00461132

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovemberDece$ - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprooti$ base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegcallocmW$ etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptember-07:0$ not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateDirectoryWFlushFileBuffersGetC$ out of range no module dataruntime: seq1=runtime: goid= in goroutine 1907348632812595367431640625file too largeis a directorylevel 2 haltedlevel 3 haltedtoo many linksno such deviceprotocol errortext file busytoo many usersCryptGenRandomCertCloseStoreCreatePr$!$runtime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangebufio: reader returned negative count from Readunexpected error wrapping poll.ErrFileClosing: reflect.Value.Bytes of unadd$runtime: name offset out of rangeruntime: type offset out of range142108547152020037174224853515625710542735760100185871124267578125skip everything and stop the walktoo many levels of symbolic linksInitializeProcThreadAttributeListtoo many Answers to pack (>65$runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno data availableexec format errorLookupAccountSidWDnsRecordListFreeGetCurrentProcessGetShortPathNameWWSAEnumProtocolsWRegLoadMUIStringWmulti
API String ID: 0-528331427
Opcode ID: 0da25ecb87cb4e265b2180c4bd9ea8b3b72a65382f788047a731e162cea343eb
Instruction ID: fc671f0a6b84f3f40c6abe962479be665b475ed6c8606287bbcc50d366154201
Opcode Fuzzy Hash: 0da25ecb87cb4e265b2180c4bd9ea8b3b72a65382f788047a731e162cea343eb
Instruction Fuzzy Hash: 57612BB45087449FC344EF65C58176AB7E0FF88308F40982EE9C887751EB789948EB97

Function 00401A60 Relevance: 11.6, Strings: 9, Instructions: 326COMMON

Download Yara Rule

Strings

!, xrefs: 00401C4C
", missing CPU supportpattern bits too long: Unknown message type: %dError creating shortcut:SA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard TimeSA Western Standard TimeMontevideo Standard TimeMagallanes Standard TimePacific SA Standard Ti, xrefs: 00401D0F
GODEBUG: unknown cpu feature "Failed to read message type: %vError checking for shortcut: %vfmt: unknown base; can't happenW. Central Africa Standard TimeCentral Brazilian Standard TimeMountain Standard Time (Mexico)reflect: Len of non-array type slice bounds , xrefs: 00401E24
"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintmapptr...finobjgc %: gp *(in n= ) - , xrefs: 00401C0E, 00401C6D, 00401E4E
cpu., xrefs: 00401AD1
" not supported for cpu option "Failed to read message length: %vFailed to get executable path: %vgo package net: confVal.netCgo = sync: RUnlock of unlocked RWMutexreflect: slice index out of range of method on nil interface valuereflect: Field index out of ra, xrefs: 00401BE4
GODEBUG: no value specified for "unaligned 64-bit atomic operationFailed to connect to target %s: %vClosed connection for Stream ID %dNoDefaultCurrentDirectoryInExePathreflect: Field of non-struct type reflect: Field index out of boundsreflect: string index ou, xrefs: 00401C43
GODEBUG: value "[bisect-match 0xreflect.Value.Int0123456789ABCDEFX0123456789abcdefxos/exec.Command(exec: killing Cmdexec: not startedGTB Standard TimeFLE Standard TimeGMT Standard Timeunknown type kindreflect: call of reflect.Value.Lengoroutine profileAllThre, xrefs: 00401BBA
GODEBUG: can not enable "Failed to read payload: %vcannot marshal DNS messageunexpected type in connecttoo many colons in addressunclosed criterion bracketcriterion lacks equal signGetFileInformationByHandleSouth Africa Standard TimeSaint Pierre Standard TimeN, xrefs: 00401CE5

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: !$"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintmapptr...finobjgc %: gp *(in n= ) - $" not supported for cpu option "Failed to read message length: %vFailed to get executable path: %vgo package net: confVal.netCgo = sync: RUnlock of unlocked RWMutexreflect: slice index out of range of method on nil interface valuereflect: Field index out of ra$", missing CPU supportpattern bits too long: Unknown message type: %dError creating shortcut:SA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard TimeSA Western Standard TimeMontevideo Standard TimeMagallanes Standard TimePacific SA Standard Ti$GODEBUG: can not enable "Failed to read payload: %vcannot marshal DNS messageunexpected type in connecttoo many colons in addressunclosed criterion bracketcriterion lacks equal signGetFileInformationByHandleSouth Africa Standard TimeSaint Pierre Standard TimeN$GODEBUG: no value specified for "unaligned 64-bit atomic operationFailed to connect to target %s: %vClosed connection for Stream ID %dNoDefaultCurrentDirectoryInExePathreflect: Field of non-struct type reflect: Field index out of boundsreflect: string index ou$GODEBUG: unknown cpu feature "Failed to read message type: %vError checking for shortcut: %vfmt: unknown base; can't happenW. Central Africa Standard TimeCentral Brazilian Standard TimeMountain Standard Time (Mexico)reflect: Len of non-array type slice bounds $GODEBUG: value "[bisect-match 0xreflect.Value.Int0123456789ABCDEFX0123456789abcdefxos/exec.Command(exec: killing Cmdexec: not startedGTB Standard TimeFLE Standard TimeGMT Standard Timeunknown type kindreflect: call of reflect.Value.Lengoroutine profileAllThre$cpu.
API String ID: 0-3650166030
Opcode ID: 9cfbf6dd7358f3a2cfa980e791c2cbd565f79b3a47979bce08e7bb82901ebe4a
Instruction ID: 434b28da2bcfce092ea891682c63a407aae1b0b9201cbaf4d9cb4cb07bd33a4a
Opcode Fuzzy Hash: 9cfbf6dd7358f3a2cfa980e791c2cbd565f79b3a47979bce08e7bb82901ebe4a
Instruction Fuzzy Hash: 97D1907060C3548FC714DF65C48052EB7F1AB98308F54886FE885AB3A2D778E945DF9A

Function 00420770 Relevance: 11.5, Strings: 9, Instructions: 239COMMON

Download Yara Rule

Strings

*(in n= ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkinda, xrefs: 00420A6A
<==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Lo, xrefs: 00420AFE
s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from 3814697265625, xrefs: 00420885
) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm, xrefs: 00420983
s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=, xrefs: 00420831
s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm=244140625rwxrwxrwxinterruptbus erro, xrefs: 0042085B
unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNex, xrefs: 00420955
... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13uint16, xrefs: 00420A39, 00420B44
s=nil (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internP, xrefs: 004209E5

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: *(in n= ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkinda$ ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13uint16$ <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Lo$ s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=$ s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm=244140625rwxrwxrwxinterruptbus erro$ s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from 3814697265625$ s=nil (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internP$) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm$unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNex
API String ID: 0-4106205133
Opcode ID: f71dfa7bd4d34e9a92bbf05ca2c4b8f52d9232918c7fdfc8fcf14ce956999baa
Instruction ID: 34d944404b5c83a6b05763de51e48f506b933d9d9cb014227796db39f0ced14f
Opcode Fuzzy Hash: f71dfa7bd4d34e9a92bbf05ca2c4b8f52d9232918c7fdfc8fcf14ce956999baa
Instruction Fuzzy Hash: FDB1FAB42093548FD340EF65D19176EBBE0EF88308F81985EE98987352DB389948DB97

Function 00436C90 Relevance: 11.4, Strings: 9, Instructions: 189COMMON

Download Yara Rule

Strings

%, xrefs: 00436FF1
) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm, xrefs: 00436EBC
runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocannot send after transport endpoint shutdowncontext: internal error: missing cancel errorparsing/packing of this section has, xrefs: 00436F59
runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 00436EFE
bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch152587890625762939453125invalid slothost is downillegal seekGetLengt, xrefs: 00436ED7
runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!2220446049250313080847263336181640625godebug: unexpected IncNonDefault of c, xrefs: 00436FE8
runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocannot send after transport endpoint shutdowncontext: internal error: missing ca, xrefs: 00436FB4
VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timer3552713678800500929355621337890625too many references: cannot spliceSetFileCompletionNotif, xrefs: 00436F32
CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10syscall: string with, xrefs: 00436F8D

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: %$) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10syscall: string with$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timer3552713678800500929355621337890625too many references: cannot spliceSetFileCompletionNotif$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch152587890625762939453125invalid slothost is downillegal seekGetLengt$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocannot send after transport endpoint shutdowncontext: internal error: missing ca$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!2220446049250313080847263336181640625godebug: unexpected IncNonDefault of c$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocannot send after transport endpoint shutdowncontext: internal error: missing cancel errorparsing/packing of this section has$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
API String ID: 0-2025737982
Opcode ID: 1b1964fc6b4db3a573c57e88b4f4ed46b7491482acc87dbbe837a7bb27ee8aee
Instruction ID: d296bd98874d98b09101613837b3cc139afd8fcf293b97d7d4a826dccca11ac0
Opcode Fuzzy Hash: 1b1964fc6b4db3a573c57e88b4f4ed46b7491482acc87dbbe837a7bb27ee8aee
Instruction Fuzzy Hash: 549103B41087058FC300EF69C09575ABBE4FF88318F01996EE9888B351DB78E949DF96

Function 00412500 Relevance: 11.4, Strings: 9, Instructions: 125COMMON

Download Yara Rule

Strings

runtime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/total:seconds/godebug/non-default-behavior/bcryptprimitives.dll not foundpanic called with ni, xrefs: 004125A3
) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm, xrefs: 004125F7
to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not found, xrefs: 00412661
object next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64win, xrefs: 00412612
to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplocked, xrefs: 0041272C
span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failed, xrefs: 0041269F
found bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotslice length too short to convert to array or pointer to arrayruntime: internal error: misuse of lockOSThread/unlockOSThreadmalformed GO, xrefs: 00412588
runtime: pointer g already scannedmark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 00412521
>, xrefs: 00412591

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failed$ to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not found$ to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplocked$) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm$>$found bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotslice length too short to convert to array or pointer to arrayruntime: internal error: misuse of lockOSThread/unlockOSThreadmalformed GO$object next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64win$runtime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/total:seconds/godebug/non-default-behavior/bcryptprimitives.dll not foundpanic called with ni$runtime: pointer g already scannedmark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-3668347996
Opcode ID: e60f9dccfec0eea950195a98f6719ed39a1180ad009b9753a6d4dcbbe1d150c4
Instruction ID: cbfe1744b4e828010f7ec837e2b766780ae937bffb6cc0cc3886ce7d8d63807d
Opcode Fuzzy Hash: e60f9dccfec0eea950195a98f6719ed39a1180ad009b9753a6d4dcbbe1d150c4
Instruction Fuzzy Hash: FF51D7B41096049FC340FF65C19179EBBE4EF4C308F50985EE98887352DB789949EBA7

Function 00408CF0 Relevance: 10.2, Strings: 8, Instructions: 218COMMON

Download Yara Rule

Strings

called using nil *unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (eager), [controller , xrefs: 00408F9E
pointerBAD RANK status unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/b, xrefs: 00408FC4
panicwrap: unexpected string after type name: memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memory (bad use of unsafe.Pointer? try -d=checkptr)sysGrow bounds not aligned to , xrefs: 00408E89
panicwrap: unexpected string after package name: runtime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsdelayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unf, xrefs: 00408DC8
value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads=, xrefs: 00408F1D
panicwrap: no ) in called using nil *unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (ea, xrefs: 00409033
., xrefs: 00408E93
panicwrap: no ( in panicwrap: no ) in called using nil *unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free , xrefs: 00409090

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: called using nil *unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (eager), [controller $ pointerBAD RANK status unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/b$.$panicwrap: no ( in panicwrap: no ) in called using nil *unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free $panicwrap: no ) in called using nil *unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (ea$panicwrap: unexpected string after package name: runtime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsdelayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unf$panicwrap: unexpected string after type name: memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memory (bad use of unsafe.Pointer? try -d=checkptr)sysGrow bounds not aligned to $value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads=
API String ID: 0-2628187855
Opcode ID: a49a52ccfa3d05b8cb831fb6aeb29f55b84c4650b9d9afef934ca34aaafa47c6
Instruction ID: 9d1f064a71096dbe859929c47fb0ef8b8ac8243933752ddc8241ec1b2b08d5db
Opcode Fuzzy Hash: a49a52ccfa3d05b8cb831fb6aeb29f55b84c4650b9d9afef934ca34aaafa47c6
Instruction Fuzzy Hash: E6B19FB4A093459FD324DF25D190B9ABBE1BF88304F40892EE4C997352DB78A948CF57

Function 00426710 Relevance: 10.1, Strings: 8, Instructions: 126COMMON

Download Yara Rule

Strings

pages/byte s.sweepgen= allocCount end tracegcProcessPrng, xrefs: 004268CF
sweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablenot enough significant bits after mult128bitPow10the :: must expand to at least one field of zerosinvalid or inco, xrefs: 00426908
mismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did n, xrefs: 004268F2
pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine , xrefs: 004268A9
MB; allocated timeEndPeriod, xrefs: 0042683C
1, xrefs: 00426911
pacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: split stack overflow: ...additional frames elided...unsafe.String: len out of range113686837721, xrefs: 00426812
MB during sweep; swept bad profile stack countruntime: netpoll failedRtlGetNtVersionNumbers, xrefs: 0042687F

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine $ pages/byte s.sweepgen= allocCount end tracegcProcessPrng$1$MB during sweep; swept bad profile stack countruntime: netpoll failedRtlGetNtVersionNumbers$MB; allocated timeEndPeriod$mismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did n$pacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: split stack overflow: ...additional frames elided...unsafe.String: len out of range113686837721$sweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablenot enough significant bits after mult128bitPow10the :: must expand to at least one field of zerosinvalid or inco
API String ID: 0-1865461020
Opcode ID: 62ac155142be4b216eb538f82a2ee2ac38ef09d7a5fb54542cbe3df895fa4cac
Instruction ID: 24a43e043851d58181f11b684ab76c9f7ac95071338aa9a3e217df2613327bb9
Opcode Fuzzy Hash: 62ac155142be4b216eb538f82a2ee2ac38ef09d7a5fb54542cbe3df895fa4cac
Instruction Fuzzy Hash: 465104746087059FC304EF29D48462EBBE0FF88308F81992EF89883351EB38D945DB46

Function 00401F10 Relevance: 9.2, Strings: 7, Instructions: 483COMMON

Download Yara Rule

Strings

adxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprootitabsbrkidledead is LEAFbase of <==GOGC] = p, xrefs: 00401F40
sse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13uint16uint32uint64structchan<-<-chan Valuesysmontimersefenceselect, not object next= jobs= goid sweep, xrefs: 00402146
pclmulqdqmath/randtlsrsakexStart Menupowershell(BADINDEX)%!(NOVERB)myhostname.localhostunixpacketsetsockopt netGo = /dev/stdinCreateFileexecerrdotSYSTEMROOTtime.Date(time.Local%!Weekday(complex128t.Kind == notifyListprofInsertstackLargemSpanInUseGOMAXPROCSsto, xrefs: 00401F8A
avx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovemberDecember%!Month(scavengepollDesctraceBufdeadlockraceFinipanicnilcgocheckrunnable procid , xrefs: 00402463
rdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegcallocmWcpuprofallocmRunknowngctraceIO waitsyscallwaitingUNKNOWN:eve, xrefs: 00401FA3
avx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptember-07:00:00Z07:00:00complex64interfaceinvalid nfuncargs(bad indirreflect: Inter, xrefs: 004024A4
ermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep, xrefs: 00401F71

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: adxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprootitabsbrkidledead is LEAFbase of <==GOGC] = p$avx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptember-07:00:00Z07:00:00complex64interfaceinvalid nfuncargs(bad indirreflect: Inter$avx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovemberDecember%!Month(scavengepollDesctraceBufdeadlockraceFinipanicnilcgocheckrunnable procid $ermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep$pclmulqdqmath/randtlsrsakexStart Menupowershell(BADINDEX)%!(NOVERB)myhostname.localhostunixpacketsetsockopt netGo = /dev/stdinCreateFileexecerrdotSYSTEMROOTtime.Date(time.Local%!Weekday(complex128t.Kind == notifyListprofInsertstackLargemSpanInUseGOMAXPROCSsto$rdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegcallocmWcpuprofallocmRunknowngctraceIO waitsyscallwaitingUNKNOWN:eve$sse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13uint16uint32uint64structchan<-<-chan Valuesysmontimersefenceselect, not object next= jobs= goid sweep
API String ID: 0-4001917556
Opcode ID: 723136f72bf18482a275495c001da335651f044058853c9d2f64deb5a7ac3b55
Instruction ID: 5a566a7ef4cc34c82151f9986193eb8a3813bf1cb864c8919b1e502b5e469abf
Opcode Fuzzy Hash: 723136f72bf18482a275495c001da335651f044058853c9d2f64deb5a7ac3b55
Instruction Fuzzy Hash: 76328DB45087418FD718DF18D884B5ABBF1BF98308F18856ED8488B396E375D84ADF86

Function 0043B5F0 Relevance: 8.9, Strings: 7, Instructions: 145COMMON

Download Yara Rule

Strings

-, xrefs: 0043B6C8
NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprootitab, xrefs: 0043B6DD
., xrefs: 0043B77A
e, xrefs: 0043B77F
-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int64ui, xrefs: 0043B644
-, xrefs: 0043B78D
+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int, xrefs: 0043B65E

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: +Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int$-$-$-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int64ui$.$NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprootitab$e
API String ID: 0-1305696309
Opcode ID: 8baffc0a3f58290862e6d68fd225efbeb8791f13a2a5dc794e8772a1ba0d9e5e
Instruction ID: 69877f113d9a23dfec359bee7a64b41cc3967e04c30e5e6da35c7d5a9ae7c92f
Opcode Fuzzy Hash: 8baffc0a3f58290862e6d68fd225efbeb8791f13a2a5dc794e8772a1ba0d9e5e
Instruction Fuzzy Hash: A2513E71409B448EC70BEF39C06632AB7D4EFAA384F409B4FE58666293E778454D8287

Function 0040C230 Relevance: 8.9, Strings: 7, Instructions: 128COMMON

Download Yara Rule

Strings

s.allocCount != s.nelems && freeIndex == s.nelemsdelayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablenot enough sign, xrefs: 0040C43E
s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedRtlGetNtVersionNumbers, xrefs: 0040C39A
s.allocCount= nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod, xrefs: 0040C32C
1, xrefs: 0040C447
runtime: s.allocCount= s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedRtlGetN, xrefs: 0040C3D0
s.nelems= of size runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64, xrefs: 0040C366, 0040C40A
freeIndex is not validoldoverflow is not nils.freeindex > s.nelemsbad sweepgen in refillspan has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not o, xrefs: 0040C3B0

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: s.nelems= of size runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64$1$freeIndex is not validoldoverflow is not nils.freeindex > s.nelemsbad sweepgen in refillspan has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not o$runtime: s.allocCount= s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedRtlGetN$s.allocCount != s.nelems && freeIndex == s.nelemsdelayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablenot enough sign$s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedRtlGetNtVersionNumbers$s.allocCount= nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod
API String ID: 0-4108374785
Opcode ID: 70eaae74c5d76de4ad09092affad1cf90ecb747016f093b2af87d50309681575
Instruction ID: c0f7344dcff2dc5f716eb97af03ec686f4addf8ea6041382b57d98bd1bf14694
Opcode Fuzzy Hash: 70eaae74c5d76de4ad09092affad1cf90ecb747016f093b2af87d50309681575
Instruction Fuzzy Hash: 375107B40083549AC344EF65C19026EB7E0FF98708F90985EF8D887382E778D945EB6B

Function 004615B0 Relevance: 8.9, Strings: 7, Instructions: 123COMMON

Download Yara Rule

Strings

etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptember-07:0, xrefs: 0046174D
., xrefs: 0046179C
runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno data availableexec format errorLookupAccountSidWDnsRecordListFreeGetCurrentProcessGetShortPathNameWWSAEnumProtocolsWRegLoadMUIStringWmultipartmaxpartsreflect.Value.Uintserv, xrefs: 0046166D
types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovemberDece, xrefs: 00461723
runtime: text offset base pointer out of rangebufio: reader returned negative count from Readunexpected error wrapping poll.ErrFileClosing: reflect.Value.Bytes of unaddressable byte arrayslice bounds out of range [::%x] with length %yP has cached GC work at en, xrefs: 00461793
base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegcallocmW, xrefs: 00461696
not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateDirectoryWFlushFileBuffersGetC, xrefs: 004616C0

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovemberDece$ base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegcallocmW$ etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptember-07:0$ not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateDirectoryWFlushFileBuffersGetC$.$runtime: text offset base pointer out of rangebufio: reader returned negative count from Readunexpected error wrapping poll.ErrFileClosing: reflect.Value.Bytes of unaddressable byte arrayslice bounds out of range [::%x] with length %yP has cached GC work at en$runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno data availableexec format errorLookupAccountSidWDnsRecordListFreeGetCurrentProcessGetShortPathNameWWSAEnumProtocolsWRegLoadMUIStringWmultipartmaxpartsreflect.Value.Uintserv
API String ID: 0-1432873523
Opcode ID: ede6dafcac25a1760a948e1c2b9b653e286d272c438f7ecec3bc37634bd6d316
Instruction ID: 8e798a1d2312d316292b43de35c69e40b1da4e2db5f8249b87a8acadeb768228
Opcode Fuzzy Hash: ede6dafcac25a1760a948e1c2b9b653e286d272c438f7ecec3bc37634bd6d316
Instruction Fuzzy Hash: 78511BB4508705DFC344EF65C481A6AB7F0FF88308F44992EE88987361EB389949DB97

Function 00415160 Relevance: 8.9, Strings: 7, Instructions: 105COMMON

Download Yara Rule

Strings

checkmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscall, xrefs: 0041530C
) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm, xrefs: 00415290
runtime: checkmarks found unexpected unmarked object obj=GODEBUG=execwait=2 detected a leaked exec.Cmd created by:reflect: reflect.Value.Elem on an invalid notinheap pointerunexpected malloc header in delayed zeroing of large objectsync/atomic: store of incon, xrefs: 00415203
objgc %: gp *(in n= ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanf, xrefs: 004152D1
9, xrefs: 0041520C
runtime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of me, xrefs: 0041523C
base of <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+134, xrefs: 004152AB

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: ) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm$9$base of <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+134$checkmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscall$objgc %: gp *(in n= ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanf$runtime: checkmarks found unexpected unmarked object obj=GODEBUG=execwait=2 detected a leaked exec.Cmd created by:reflect: reflect.Value.Elem on an invalid notinheap pointerunexpected malloc header in delayed zeroing of large objectsync/atomic: store of incon$runtime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of me
API String ID: 0-2953137140
Opcode ID: 8d4f20fa257f4dba0100c20701d8b1b91c6cd5d0bc3cc889e45ccb4204fc6d8c
Instruction ID: dcc7d37e97a34984d87f630a7a8289da972a49e8f9c43accd7125e52c7054e4e
Opcode Fuzzy Hash: 8d4f20fa257f4dba0100c20701d8b1b91c6cd5d0bc3cc889e45ccb4204fc6d8c
Instruction Fuzzy Hash: 43413AB41097449FC340EF29C491B9ABBE0EF89308F45885EE9C887352D7789948DF97

Function 00443FD0 Relevance: 7.6, Strings: 6, Instructions: 114COMMON

Download Yara Rule

Strings

preempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckruntime.gopanic476837158203125advertise errorkey has expirednetwork is downno medium foundno such processGetAdaptersInfoCreat, xrefs: 0044414C
runtime: unexpected SPWRITE function all goroutines are asleep - deadlock!2220446049250313080847263336181640625godebug: unexpected IncNonDefault of cannot exec a shared library directlyvalue too large for defined data typecannot create context from nil parentt, xrefs: 00444107
%, xrefs: 00444110
preempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruption186264514923095703125931322574615478515625bad type in compare: IPv4 address too longtrace/br, xrefs: 00444162
bad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch152587890625762939453125invalid slothost is downillegal seekGetLengthSidGetLastErrorGetStdHandleGetTempPathWLoadLibr, xrefs: 00444184
in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.semawakeup298023223876953125unable to parse IPsegmentation faultoperation canceledno child processesconnection refusedRFS spec, xrefs: 00444131

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.semawakeup298023223876953125unable to parse IPsegmentation faultoperation canceledno child processesconnection refusedRFS spec$%$bad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch152587890625762939453125invalid slothost is downillegal seekGetLengthSidGetLastErrorGetStdHandleGetTempPathWLoadLibr$preempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckruntime.gopanic476837158203125advertise errorkey has expirednetwork is downno medium foundno such processGetAdaptersInfoCreat$preempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruption186264514923095703125931322574615478515625bad type in compare: IPv4 address too longtrace/br$runtime: unexpected SPWRITE function all goroutines are asleep - deadlock!2220446049250313080847263336181640625godebug: unexpected IncNonDefault of cannot exec a shared library directlyvalue too large for defined data typecannot create context from nil parentt
API String ID: 0-1341020396
Opcode ID: a5e1bca6b94905c07c41c1c90706ff0b422841710b93f402d244acb5bc346468
Instruction ID: ad408563bafe0cd09adc1c9a3d490920fe2f81fcef738c24150ba287d6ccc7cd
Opcode Fuzzy Hash: a5e1bca6b94905c07c41c1c90706ff0b422841710b93f402d244acb5bc346468
Instruction Fuzzy Hash: 465105B46087009FD314EF25C195A2ABBE1FF98708F01985EE8C98B352DB78D948DF56

Function 0043DE30 Relevance: 7.6, Strings: 6, Instructions: 98COMMON

Download Yara Rule

Strings

, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm=244140625rwxrwxrwxinterruptbus errorFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dllClassINETAuthorityquestionspsapi.dllInheritedpclmulqd, xrefs: 0043DEBD, 0043DF64
casfrom_Gscanstatus:top gp->status is not in scan state is currently not supported for use in system callbackseach colon-separated field must have at least one digitstrings: illegal use of non-zero Builder copied by valuenon-empty pointer map passed for non-po, xrefs: 0043DFCE
7, xrefs: 0043DFD7
runtime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function 277555756156289135105907917022705078125IPv4 field must have at least one digittransport endpoint is already connectedFailed to send status chec, xrefs: 0043DE9B
runtime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=methodValueCallFrameObjs is not in a modulemult64bitPow10: power of 10 is out of rangeinterrupted system call should be restartedreflect: funcLayout with interface receiver s, xrefs: 0043DF42
casfrom_Gscanstatus: gp->status is not in scan stateExit Node: Read %d bytes from target for Stream ID %dnon-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bou, xrefs: 0043DF27

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: , oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm=244140625rwxrwxrwxinterruptbus errorFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dllClassINETAuthorityquestionspsapi.dllInheritedpclmulqd$7$casfrom_Gscanstatus: gp->status is not in scan stateExit Node: Read %d bytes from target for Stream ID %dnon-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bou$casfrom_Gscanstatus:top gp->status is not in scan state is currently not supported for use in system callbackseach colon-separated field must have at least one digitstrings: illegal use of non-zero Builder copied by valuenon-empty pointer map passed for non-po$runtime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=methodValueCallFrameObjs is not in a modulemult64bitPow10: power of 10 is out of rangeinterrupted system call should be restartedreflect: funcLayout with interface receiver s$runtime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function 277555756156289135105907917022705078125IPv4 field must have at least one digittransport endpoint is already connectedFailed to send status chec
API String ID: 0-4060435565
Opcode ID: 65f8cf30876a589e804f79b1671db6ea620f08c65b1ccf6949839aab19165f2c
Instruction ID: f8ca82d709463d0025a5638a40aeee3a8b13a17425545e52debb7e135d947f59
Opcode Fuzzy Hash: 65f8cf30876a589e804f79b1671db6ea620f08c65b1ccf6949839aab19165f2c
Instruction Fuzzy Hash: D841F3B45087048FC300FF65D18576EBBE0EF88308F41981EE9C887352EB3899489BA7

Function 0043E0D0 Relevance: 6.5, Strings: 5, Instructions: 297COMMON

Download Yara Rule

Strings

casgstatus: waiting for Gwaiting but is Grunnablenot enough significant bits after mult128bitPow10the :: must expand to at least one field of zerosinvalid or incomplete multibyte or wide charactergo package net: dynamic selection of DNS resolverruntime: unabl, xrefs: 0043E41A
newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_out, xrefs: 0043E494
casgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: split stack overflow: ...additional frames elided...unsafe.String: len out of range11368683772161602973937988281255684341886080801486968994140625zone must be, xrefs: 0043E4C8
runtime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid , xrefs: 0043E46A
1, xrefs: 0043E423

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_out$1$casgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: split stack overflow: ...additional frames elided...unsafe.String: len out of range11368683772161602973937988281255684341886080801486968994140625zone must be$casgstatus: waiting for Gwaiting but is Grunnablenot enough significant bits after mult128bitPow10the :: must expand to at least one field of zerosinvalid or incomplete multibyte or wide charactergo package net: dynamic selection of DNS resolverruntime: unabl$runtime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid
API String ID: 0-4136709329
Opcode ID: f992372dafc6c909db0effe0e011d98e93f348b1ce9fa512eab48bc2c57231a2
Instruction ID: 60ebbe3695e81d8bc1d688524b408e6bc0354754b08c0aeb4726d890cc2252cc
Opcode Fuzzy Hash: f992372dafc6c909db0effe0e011d98e93f348b1ce9fa512eab48bc2c57231a2
Instruction Fuzzy Hash: 11C1277010A3458FD314EF26C09076BBBE1FF88304F54996EE895873A2D778E845DB8A

Function 00450850 Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

stackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of range14210854715202003717422485351562571054273576010018587112426757, xrefs: 00450ADA
out of memory (stackalloc)shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory1455191522836685180664062572759576141834259033203125invalid request descriptorno CSI structure availablerequired key not availableno message of desired type, xrefs: 004508F0
out of memory is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=, xrefs: 004509BB
stack size not a power of 2too many callback functionstimer when must be positive: unexpected return pc for 363797880709171295166015625IPv6 field has value >=2^16channel number out of rangecommunication error on sendkey was rejected by servicenot a XENIX named, xrefs: 00450AC4
!, xrefs: 00450AE3

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: !$out of memory (stackalloc)shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory1455191522836685180664062572759576141834259033203125invalid request descriptorno CSI structure availablerequired key not availableno message of desired type$out of memory is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=$stack size not a power of 2too many callback functionstimer when must be positive: unexpected return pc for 363797880709171295166015625IPv6 field has value >=2^16channel number out of rangecommunication error on sendkey was rejected by servicenot a XENIX named$stackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of range14210854715202003717422485351562571054273576010018587112426757
API String ID: 0-2902031945
Opcode ID: e9434a3c8120c53ebff57357947320cf0648e246488d42e49776e31014ac6f19
Instruction ID: 4938389fe009ad404551de69f93fa163d2c8dd0d9ba31e3789a80a1da3c73113
Opcode Fuzzy Hash: e9434a3c8120c53ebff57357947320cf0648e246488d42e49776e31014ac6f19
Instruction Fuzzy Hash: 20816C786097058FD714DF29C08066EB7F2FF99314F14882EE88587356E738D94ACB8A

Function 0040D360 Relevance: 6.4, Strings: 5, Instructions: 181COMMON

Download Yara Rule

Strings

persistentalloc: size == 0/gc/cycles/total:gc-cyclesnegative idle mark workersuse of invalid sweepLockerruntime: bad span s.state=freedefer with d.fn != nilforEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meentersyscall inconsistent , xrefs: 0040D5DC
*, xrefs: 0040D5CF
persistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/classes/metadata/mcache/free:bytes/memory/classes/metadata/mspan/inuse:bytesnon-empty mark queue after concurrent marksweep: t, xrefs: 0040D5C6
runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 0040D588
persistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: incons, xrefs: 0040D5B0

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: *$persistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/classes/metadata/mcache/free:bytes/memory/classes/metadata/mspan/inuse:bytesnon-empty mark queue after concurrent marksweep: t$persistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: incons$persistentalloc: size == 0/gc/cycles/total:gc-cyclesnegative idle mark workersuse of invalid sweepLockerruntime: bad span s.state=freedefer with d.fn != nilforEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meentersyscall inconsistent $runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
API String ID: 0-1480168796
Opcode ID: ee3d75b10f3034bcdb2eaba3c0c387d8aacab423aa12b8dea82b6349dfe30c37
Instruction ID: dae5ebd936b47f3f7a049f5c34c6c785e4ba7a5bcff2b30a68932cbc59c0f3e4
Opcode Fuzzy Hash: ee3d75b10f3034bcdb2eaba3c0c387d8aacab423aa12b8dea82b6349dfe30c37
Instruction Fuzzy Hash: 6D815CB4A09705CFC714DF64C48066ABBE1FF89318F10992EE89897391D738E94ACF46

Function 0041DB20 Relevance: 6.4, Strings: 5, Instructions: 178COMMON

Download Yara Rule

Strings

gc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 0041DD45
+, xrefs: 0041DDA5
non in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=ru, xrefs: 0041DD9C
s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= , xrefs: 0041DD64
sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasen, xrefs: 0041DCF8

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: +$gc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$non in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=ru$s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= $sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasen
API String ID: 0-129831425
Opcode ID: c11d868dec98aa1aea7521d152da0dead3a217a4fff77393a613a0044db83baa
Instruction ID: f9d9d57a8d8c8b24f6f58bd8bfb2410d8c5e8701347621514a79983f34e39113
Opcode Fuzzy Hash: c11d868dec98aa1aea7521d152da0dead3a217a4fff77393a613a0044db83baa
Instruction Fuzzy Hash: FE715FB460C3418FC704EF25C09066ABBE1BF89308F55885EF9C987352D778D989CB9A

Function 00426CF0 Relevance: 6.4, Strings: 5, Instructions: 155COMMON

Download Yara Rule

Strings

sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine 1220703125, xrefs: 00426F06
runtime: bad span s.state=freedefer with d.fn != nilforEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meentersyscall inconsistent inittask with no functionscorrupted semaphore ticketout of memory (stackalloc)shrinking stack in libcall, xrefs: 00426EAE
s.sweepgen= allocCount end tracegcProcessPrng, xrefs: 00426EDC
AF, xrefs: 00426E61
non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: split stack overflow: ...additional frames elided...unsafe.String: len out of range1136868377216160297393798828125568434188608, xrefs: 00426F3A

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: s.sweepgen= allocCount end tracegcProcessPrng$ sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine 1220703125$non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: split stack overflow: ...additional frames elided...unsafe.String: len out of range1136868377216160297393798828125568434188608$runtime: bad span s.state=freedefer with d.fn != nilforEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meentersyscall inconsistent inittask with no functionscorrupted semaphore ticketout of memory (stackalloc)shrinking stack in libcall$AF
API String ID: 0-2103893276
Opcode ID: f2353677582116173b9bf4d8261dffe9c36650ec14b44dfbab4a17a43ef56779
Instruction ID: f2dad3ec18ba70d275316a3683cff0e34660a5d397c8d60a6e2af3acbe29feab
Opcode Fuzzy Hash: f2353677582116173b9bf4d8261dffe9c36650ec14b44dfbab4a17a43ef56779
Instruction Fuzzy Hash: D56138B42093458FC744EF25D090A6ABBF0AF88308F81895EF8D887362D738D949DF56

Function 00414250 Relevance: 6.4, Strings: 5, Instructions: 153COMMON

Download Yara Rule

Strings

bad sweepgen in refillspan has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p s, xrefs: 00414489
span has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p stateassembly checks fa, xrefs: 00414451
refill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memo, xrefs: 0041449F
out of memory is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=, xrefs: 00414467
(, xrefs: 004144A8

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: ($bad sweepgen in refillspan has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p s$out of memory is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=$refill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memo$span has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p stateassembly checks fa
API String ID: 0-4022714126
Opcode ID: 721e4ded0970a36a15a337b9fe983fda3579ff0efbd6ffb7eca7e90be4661869
Instruction ID: cf5401e9c8c3bc6069cf0b16d4d917035ab18dee61e70ff8870e79d0758fb799
Opcode Fuzzy Hash: 721e4ded0970a36a15a337b9fe983fda3579ff0efbd6ffb7eca7e90be4661869
Instruction Fuzzy Hash: 00612DB05087048FC344EF29D590A6ABBF1FF88304F41996EE8988B392D778D949DF56

Function 0041CDB0 Relevance: 6.4, Strings: 5, Instructions: 137COMMON

Download Yara Rule

Strings

limiterEvent.stop: found wrong event in p's limiter event slotslice length too short to convert to array or pointer to arrayruntime: internal error: misuse of lockOSThread/unlockOSThreadmalformed GOMEMLIMIT; see `go doc runtime/debug.SetMemoryLimit`runtime.Set, xrefs: 0041CF8F
limiterEvent.stop: invalid limiter event type foundpotentially overlapping in-use allocations detectedruntime: netpoll: PostQueuedCompletionStatus failedfatal: systemstack called from unexpected goroutinegodebug: Value of name not listed in godebugs.All: Faile, xrefs: 0041CF0E
got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13u, xrefs: 0041CF5B
runtime: want=MB; allocated timeEndPeriod, xrefs: 0041CF2D
>, xrefs: 0041CF98

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13u$>$limiterEvent.stop: found wrong event in p's limiter event slotslice length too short to convert to array or pointer to arrayruntime: internal error: misuse of lockOSThread/unlockOSThreadmalformed GOMEMLIMIT; see `go doc runtime/debug.SetMemoryLimit`runtime.Set$limiterEvent.stop: invalid limiter event type foundpotentially overlapping in-use allocations detectedruntime: netpoll: PostQueuedCompletionStatus failedfatal: systemstack called from unexpected goroutinegodebug: Value of name not listed in godebugs.All: Faile$runtime: want=MB; allocated timeEndPeriod
API String ID: 0-2752319557
Opcode ID: 5b85751be5a4169c28d9f80a4cd313c0e147efcb688fce551df7f3823bb53278
Instruction ID: f2276967c4ea0a36ddf618ab9a1b96884a261dc84fbf3042525a9b64f3fc0352
Opcode Fuzzy Hash: 5b85751be5a4169c28d9f80a4cd313c0e147efcb688fce551df7f3823bb53278
Instruction Fuzzy Hash: DF5158B05497049FC714EF25C4917AEBBE2AF88704F40982EE4C883391DB38D986DB4B

Function 00436B00 Relevance: 6.3, Strings: 5, Instructions: 74COMMON

Download Yara Rule

Strings

runtime.newosprocruntime/internal/thread exhaustionlocked m0 woke upentersyscallblock spinningthreads=gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong, xrefs: 00436C14
runtime: failed to create new OS thread (have runtime: panic before malloc heap initializedstopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base poin, xrefs: 00436BA0
., xrefs: 00436BA9
) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm, xrefs: 00436BF9
already; errno=runtime stack:invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinva, xrefs: 00436BCF

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: already; errno=runtime stack:invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinva$) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm$.$runtime.newosprocruntime/internal/thread exhaustionlocked m0 woke upentersyscallblock spinningthreads=gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong$runtime: failed to create new OS thread (have runtime: panic before malloc heap initializedstopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base poin
API String ID: 0-773840574
Opcode ID: fae2f7efd013461163e415d50d6878821613eb43e0483f310c8afcfcef45cb0e
Instruction ID: 4c5cdd3165ea79b07941d19889fd5d9bf31d5f62f00ae4de94e299e959d0fc95
Opcode Fuzzy Hash: fae2f7efd013461163e415d50d6878821613eb43e0483f310c8afcfcef45cb0e
Instruction Fuzzy Hash: 1D31E2B45093049FD304EF65D48575ABBE4FF88308F41982EE8C887351EB789948DB8A

Function 00418B60 Relevance: 5.4, Strings: 4, Instructions: 364COMMON

Download Yara Rule

Strings

p mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not foundpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeup, xrefs: 00419135
flushGen MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nan, xrefs: 004190D7
!= sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase, xrefs: 00419101
runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64, xrefs: 004190AE

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase$ flushGen MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nan$p mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not foundpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeup$runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64
API String ID: 0-3407218033
Opcode ID: 5185b6e3b26d2392be76ff846d5cffb7d459f38a0e947d7a3d2f834a429f8597
Instruction ID: e5767b86f85a4907806c87cb152cfe932a0dfe52ac3839b4bea86a2c464783ec
Opcode Fuzzy Hash: 5185b6e3b26d2392be76ff846d5cffb7d459f38a0e947d7a3d2f834a429f8597
Instruction Fuzzy Hash: 560215B45083408FD314EF25D49575ABBE0FF89314F10891EE4998B3A2EB78D889DF56

Function 0041D3B0 Relevance: 5.3, Strings: 4, Instructions: 288COMMON

Download Yara Rule

Strings

markroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding, xrefs: 0041D6A5
runtime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seq, xrefs: 0041D60C
) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm, xrefs: 0041D68A
not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: hol, xrefs: 0041D636

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: hol$) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm$markroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding$runtime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seq
API String ID: 0-146678372
Opcode ID: cdbfeff3bdbac45b7b7d511ca8594089cd9cb850740dc15cc356998b79f76cc5
Instruction ID: 11cc2ec9f6ebbc5af1fb648ee4378967d930c01a4fe2dba037c91243681ca58b
Opcode Fuzzy Hash: cdbfeff3bdbac45b7b7d511ca8594089cd9cb850740dc15cc356998b79f76cc5
Instruction Fuzzy Hash: 34D109B4A08305CFC318EF25C58565ABBF1FB88304F40892EE88987351D778E985DF56

Function 00437680 Relevance: 5.3, Strings: 4, Instructions: 251COMMON

Download Yara Rule

Strings

runtime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10syscall: string with NUL passed to StringToUTF16parsing/packing of t, xrefs: 00437A7F
runtime.preemptM: duplicatehandle failedglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many arguments13877787807814456755295395851135253906256938893903907228377647697925567626953125ryuFtoaFixed32 calle, xrefs: 00437AB6
(, xrefs: 00437ABF
self-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch152587890625762939453125invalid slothost is downillegal seekGetLengthSidGetLastE, xrefs: 00437ACC

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: ($runtime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10syscall: string with NUL passed to StringToUTF16parsing/packing of t$runtime.preemptM: duplicatehandle failedglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many arguments13877787807814456755295395851135253906256938893903907228377647697925567626953125ryuFtoaFixed32 calle$self-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch152587890625762939453125invalid slothost is downillegal seekGetLengthSidGetLastE
API String ID: 0-858039921
Opcode ID: 0b569679e981a016ed8b9f749d5c9b5edb4f1f07881dcb3c0b597482bd2efdd2
Instruction ID: 204ad1d036eb5e4fc0057c6f74a78a79fa4468fb0f133b724d4e7b58bae32505
Opcode Fuzzy Hash: 0b569679e981a016ed8b9f749d5c9b5edb4f1f07881dcb3c0b597482bd2efdd2
Instruction Fuzzy Hash: E8C118B450D7458FD329EF24C194B6ABBE4FF89308F00996EE4C887392D7789944DB4A

Function 0043F480 Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

forEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meentersyscall inconsistent inittask with no functionscorrupted semaphore ticketout of memory (stackalloc)shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory, xrefs: 0043F7E1
forEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timer3552713678800500929355621337890625too many references: cannot spliceSetFileCompletionNotificationModesunexpected runtime.net, xrefs: 0043F80D
forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.semawakeup298023223876953125unable to parse IPsegmentation faultoperation canceledno child processesconnecti, xrefs: 0043F7F7
", xrefs: 0043F816

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: "$forEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meentersyscall inconsistent inittask with no functionscorrupted semaphore ticketout of memory (stackalloc)shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory$forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.semawakeup298023223876953125unable to parse IPsegmentation faultoperation canceledno child processesconnecti$forEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timer3552713678800500929355621337890625too many references: cannot spliceSetFileCompletionNotificationModesunexpected runtime.net
API String ID: 0-3611715326
Opcode ID: b100f7d27872059a47aefdd6bf5bd881dba0a2cc3fc08170f384a594eecb1600
Instruction ID: bb909b5d84f44afc2df4ef838a5cb9b38dfa1ce79a9d8b89b8e1dab0322180fc
Opcode Fuzzy Hash: b100f7d27872059a47aefdd6bf5bd881dba0a2cc3fc08170f384a594eecb1600
Instruction Fuzzy Hash: 6DB1F4746097418FC308DF25D491A2ABBF1BF9D304F50996EE8858B362D738E84ADB46

Function 00435100 Relevance: 5.2, Strings: 4, Instructions: 247COMMON

Download Yara Rule

Strings

) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallpro, xrefs: 0043536F
runtime: netpoll failedRtlGetNtVersionNumbers, xrefs: 0043538A
4, xrefs: 0043534F
runtime: GetQueuedCompletionStatusEx failed (errno= casfrom_Gscanstatus: gp->status is not in scan stateExit Node: Read %d bytes from target for Stream ID %dnon-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uint, xrefs: 00435346

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallpro$4$runtime: GetQueuedCompletionStatusEx failed (errno= casfrom_Gscanstatus: gp->status is not in scan stateExit Node: Read %d bytes from target for Stream ID %dnon-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uint$runtime: netpoll failedRtlGetNtVersionNumbers
API String ID: 0-993846852
Opcode ID: 29a4fd480f7de51d4b2a2317c7a7205f53c086ce4527f0e82d437d89734ca372
Instruction ID: db147dcdb71929e4a089edade569723e1b11fea9453168cb0a768ac591f20f18
Opcode Fuzzy Hash: 29a4fd480f7de51d4b2a2317c7a7205f53c086ce4527f0e82d437d89734ca372
Instruction Fuzzy Hash: 43A17BB0109B418FD714DF25C080B5FB7E1AF88708F54992EE99987381DB39E949CB9B

Function 0040B180 Relevance: 5.2, Strings: 4, Instructions: 182COMMON

Download Yara Rule

Strings

1, xrefs: 0040B3C8
notetsleep - waitm out of syncfailed to get system page sizeassignment to entry in nil mapruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/tot, xrefs: 0040B233
runtime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsdelayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: wai, xrefs: 0040B3BF
runtime: unable to acquire - semaphore out of syncmallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEve, xrefs: 0040B3A9

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: 1$notetsleep - waitm out of syncfailed to get system page sizeassignment to entry in nil mapruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/tot$runtime: unable to acquire - semaphore out of syncmallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEve$runtime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsdelayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: wai
API String ID: 0-2424477488
Opcode ID: f6ff3aed7bc44cbe706e4451685eec2f532faadd0c6c69db9183f104229a8e93
Instruction ID: c23de695b375a1d27a2d4156dc43a560e9a3ec8389a2b95bba70cf45fc192049
Opcode Fuzzy Hash: f6ff3aed7bc44cbe706e4451685eec2f532faadd0c6c69db9183f104229a8e93
Instruction Fuzzy Hash: B8716EB46083519FC305DF29C084B1EBBE1AF98308F09896DE8D89B392D775DC45DB96

Function 00453F30 Relevance: 5.2, Strings: 4, Instructions: 159COMMON

Download Yara Rule

Strings

-, xrefs: 0045407C
-, xrefs: 004540C3
-, xrefs: 00453F56
-, xrefs: 004540A1

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: -$-$-$-
API String ID: 0-1033403326
Opcode ID: b590c92c2adf7b940816abf60e01e197facf12322e7b90cf2da97c5c58e207e5
Instruction ID: d4c9dbf66dafffd94ec74c6255fd574ac0c90c64840e54c8dc7431c091842afa
Opcode Fuzzy Hash: b590c92c2adf7b940816abf60e01e197facf12322e7b90cf2da97c5c58e207e5
Instruction Fuzzy Hash: 945101B2A093564FD715CE18985431EBBD1ABD0309F58862DD8948B3D2E37D8A4E87C6

Function 00405060 Relevance: 5.1, Strings: 4, Instructions: 137COMMON

Download Yara Rule

Strings

M [("")) ) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=, xrefs: 004050E6
out of bounds [/gc/gogc:percent, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 00405164
procid eax ebx ecx edx edi esi ebp esp eip eflags cs fs gs is not pointerBAD RANK status unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= sta, xrefs: 00405110
runtime: cgocallback with sp=runtime: bad g in cgocallback (types from different scopes)notetsleep - waitm out of syncfailed to get system page sizeassignment to entry in nil mapruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:c, xrefs: 0040513A

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: out of bounds [/gc/gogc:percent, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ procid eax ebx ecx edx edi esi ebp esp eip eflags cs fs gs is not pointerBAD RANK status unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= sta$ runtime: cgocallback with sp=runtime: bad g in cgocallback (types from different scopes)notetsleep - waitm out of syncfailed to get system page sizeassignment to entry in nil mapruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:c$M [("")) ) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=
API String ID: 0-1180118442
Opcode ID: 30b8846cb9b7de86923cbf3b4a52475119dfb9a322fb7f0c0b38fee8e088cabf
Instruction ID: bbf2af95c3b073296b4fe45af95c73c1e6307a567785cfe4ddff6250cc9bd888
Opcode Fuzzy Hash: 30b8846cb9b7de86923cbf3b4a52475119dfb9a322fb7f0c0b38fee8e088cabf
Instruction Fuzzy Hash: 6851F8B45097089FC740EF65C18075ABBE0FF88308F5089AEE9889B351D739E949DF96

Function 0045F950 Relevance: 5.1, Strings: 4, Instructions: 135COMMON

Download Yara Rule

Strings

...additional frames elided...unsafe.String: len out of range11368683772161602973937988281255684341886080801486968994140625zone must be a non-empty stringcannot assign requested address.lib section in a.out corruptedbufio: tried to fill full buffergo package , xrefs: 0045FA89
[originating from goroutine 18189894035458564758300781259094947017729282379150390625file descriptor in bad statedestination address requiredprotocol driver not attachedCertCreateCertificateContextabi.NewName: name too long: mismatched local address typeexec: W, xrefs: 0045F97C
2, xrefs: 0045FA7D
]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprootitabsbrkidledead is LEAFb, xrefs: 0045F9A6

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: ...additional frames elided...unsafe.String: len out of range11368683772161602973937988281255684341886080801486968994140625zone must be a non-empty stringcannot assign requested address.lib section in a.out corruptedbufio: tried to fill full buffergo package $2$[originating from goroutine 18189894035458564758300781259094947017729282379150390625file descriptor in bad statedestination address requiredprotocol driver not attachedCertCreateCertificateContextabi.NewName: name too long: mismatched local address typeexec: W$]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprootitabsbrkidledead is LEAFb
API String ID: 0-2001881887
Opcode ID: 10ffb95f802a8d4750f89734ffe1c75408ee38e7578d1468ceb025ec4493491c
Instruction ID: b486b2ecf3c74d537c75abba6250e72881a688e8ee55b94d8ab66e64fdd535cc
Opcode Fuzzy Hash: 10ffb95f802a8d4750f89734ffe1c75408ee38e7578d1468ceb025ec4493491c
Instruction Fuzzy Hash: 9751D3B460C3419FC304EF25C190A2ABBE1AF88715F54896EF8C887352DB38E949DB57

Function 004156A0 Relevance: 5.1, Strings: 4, Instructions: 121COMMON

Download Yara Rule

Strings

bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: , xrefs: 004157BF, 0041583F
out of memory is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=, xrefs: 004157F3
runtime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: spl, xrefs: 00415873
runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: invalid p statecheckdead:, xrefs: 00415795, 00415815

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: $out of memory is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=$runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: invalid p statecheckdead:$runtime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: spl
API String ID: 0-82273310
Opcode ID: 4af118c573b4b3e7f7a2552a991e9375d91db7733d981a97672f71ae2d99292e
Instruction ID: e29570d5ab88a5c0e782f58b6befebaf6addbc43dc97f178ddb589ba7dfcc98a
Opcode Fuzzy Hash: 4af118c573b4b3e7f7a2552a991e9375d91db7733d981a97672f71ae2d99292e
Instruction Fuzzy Hash: A051F3B4108705CFD340EF65C49179EB7E0EB8C308F40982EE99883381E77899899F9B

Function 00452530 Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

bad status in shrinkstackmissing traceGCSweepStart2910383045673370361328125IPv4 field has value >255resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPa, xrefs: 00452675
shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory1455191522836685180664062572759576141834259033203125invalid request descriptorno CSI structure availablerequired key not availableno message of desired typename not unique on network, xrefs: 00452649
shrinkstack at bad timereflect.methodValueCall23283064365386962890625device or resource busyinterrupted system callno space left on deviceoperation not supportedoperation not permittedCertGetCertificateChainFreeEnvironmentStringsWGetEnvironmentVariableWGetSyst, xrefs: 0045265F
missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceRegion: alloc too large[originating from goroutine 18189894035458564758300781259094947017729282379150390625file descriptor in bad statedestinat, xrefs: 0045268B

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: bad status in shrinkstackmissing traceGCSweepStart2910383045673370361328125IPv4 field has value >255resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPa$missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceRegion: alloc too large[originating from goroutine 18189894035458564758300781259094947017729282379150390625file descriptor in bad statedestinat$shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory1455191522836685180664062572759576141834259033203125invalid request descriptorno CSI structure availablerequired key not availableno message of desired typename not unique on network$shrinkstack at bad timereflect.methodValueCall23283064365386962890625device or resource busyinterrupted system callno space left on deviceoperation not supportedoperation not permittedCertGetCertificateChainFreeEnvironmentStringsWGetEnvironmentVariableWGetSyst
API String ID: 0-1404966890
Opcode ID: b5f7645e38a6cb472544d09b4fe7212d05c92313f9dc55ae038229fbaa697176
Instruction ID: 9cb0de28833c032196120a8c3500da3e23e825a4c1936554c6bbc486b6b039af
Opcode Fuzzy Hash: b5f7645e38a6cb472544d09b4fe7212d05c92313f9dc55ae038229fbaa697176
Instruction Fuzzy Hash: E94189786047008FC718DF25D291A2A73E1FF9A704F45486EEC8987362E7B8EC49DB06

Function 0042C160 Relevance: 5.1, Strings: 4, Instructions: 95COMMON

Download Yara Rule

Strings

+, xrefs: 0042C2DC
runtime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflo, xrefs: 0042C29F
root level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=methodValueCallFrameObjs is not in a modulemu, xrefs: 0042C2D3
runtime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runt, xrefs: 0042C259

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: +$root level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=methodValueCallFrameObjs is not in a modulemu$runtime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runt$runtime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflo
API String ID: 0-2069587728
Opcode ID: b590b892d386e0b96edd03454fb27e9122f082a52a4f4809640b0bb5567e4af5
Instruction ID: 5810637721fd97ebc4f9260e6c95588109c84356bdefb35b34f73715b5cac299
Opcode Fuzzy Hash: b590b892d386e0b96edd03454fb27e9122f082a52a4f4809640b0bb5567e4af5
Instruction Fuzzy Hash: 724109B4608744CFC304EF25D091B6EBBE0BF88308F55996EE88987352DB389945DF96

Function 00415540 Relevance: 5.1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAdd, xrefs: 0041561B
runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec, xrefs: 00415679
bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: , xrefs: 00415645
!, xrefs: 00415682

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: $!$runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAdd$runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
API String ID: 0-464846790
Opcode ID: d1346c64cc3424fbced7448fb6c1fbdf2ee226fc30ff30b870c91e778456cfba
Instruction ID: eb0402943e15ad96eb03f06c49feb420b179ab6dad1ea236cf630f484daf2e97
Opcode Fuzzy Hash: d1346c64cc3424fbced7448fb6c1fbdf2ee226fc30ff30b870c91e778456cfba
Instruction Fuzzy Hash: E1311AB0608700DFC708EF25D0917AAB7E2AF88314F50892EF98983355D7389985DB9B

Function 0045CAF0 Relevance: 5.1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

Strings

/, xrefs: 0045CC4E
attempted to trace a bad status for a goroutineattempting to link in too many shared librariesbufio: writer returned negative count from Writeslice bounds out of range [:%x] with capacity %yruntime: waitforsingleobject unexpected; result=CreateWaitableTimerEx , xrefs: 0045CC45
runtime: goid= in goroutine 1907348632812595367431640625file too largeis a directorylevel 2 haltedlevel 3 haltedtoo many linksno such deviceprotocol errortext file busytoo many usersCryptGenRandomCertCloseStoreCreateProcessWFindFirstFileWFormatMessageWGetConso, xrefs: 0045CC11
", xrefs: 0045CBCE

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: "$/$attempted to trace a bad status for a goroutineattempting to link in too many shared librariesbufio: writer returned negative count from Writeslice bounds out of range [:%x] with capacity %yruntime: waitforsingleobject unexpected; result=CreateWaitableTimerEx $runtime: goid= in goroutine 1907348632812595367431640625file too largeis a directorylevel 2 haltedlevel 3 haltedtoo many linksno such deviceprotocol errortext file busytoo many usersCryptGenRandomCertCloseStoreCreateProcessWFindFirstFileWFormatMessageWGetConso
API String ID: 0-1597289052
Opcode ID: 9230d4d5508b24f0d161fe133809a4f959f440b478c120dfd5c73ddbf3d027ea
Instruction ID: 66abcc1fd4a5d9f006299883a229fd291e3dcfffc528ec6d131c447797e76219
Opcode Fuzzy Hash: 9230d4d5508b24f0d161fe133809a4f959f440b478c120dfd5c73ddbf3d027ea
Instruction Fuzzy Hash: 10419AB45083449FC300DF66C09461AFBE0BF89758F40892EE9D897352D7B8A949CF97

Function 00431380 Relevance: 5.1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

Strings

, xrefs: 00431413
, xrefs: 004313EE
, xrefs: 0043141B
, xrefs: 00431468

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: $ $ $
API String ID: 0-3535155489
Opcode ID: fe1e3152f6cfa4c2189269bb4e5f408dde4f9cfad6c1ff862d8af1c044846f9f
Instruction ID: 5d81aca682314557c982b7bb72dce441b60d736a6e6a6c09b2129089a2cc1ba8
Opcode Fuzzy Hash: fe1e3152f6cfa4c2189269bb4e5f408dde4f9cfad6c1ff862d8af1c044846f9f
Instruction Fuzzy Hash: 5631B2746083418FD328DF15D094A6BBBE2BFC8718F10992EE48987761DB39A949CF47

Function 00425DA0 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckruntime.gopanic476837158203125adver, xrefs: 00425E07
", xrefs: 00425E72
too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timer3552713678800500929355, xrefs: 00425E69
npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (, xrefs: 00425E35

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: ($"$runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckruntime.gopanic476837158203125adver$too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timer3552713678800500929355
API String ID: 0-1504365986
Opcode ID: aa02d357239e3e68f8083561a9a69f21b4baf7444e8bde4ef75aa3c8ebcaa8d8
Instruction ID: 2dc0cd07df50af94a44fb8bfd933ae964e3a7ab04a29c15e9a34ace7adcf9ab1
Opcode Fuzzy Hash: aa02d357239e3e68f8083561a9a69f21b4baf7444e8bde4ef75aa3c8ebcaa8d8
Instruction Fuzzy Hash: D9215B701186108EC300EF25D09573AB7E1EF88708F85D85EE999873A2E7389848DB6B

Function 004236B0 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

?, xrefs: 00423782
GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pc, xrefs: 004236C7
malformed GOMEMLIMIT; see `go doc runtime/debug.SetMemoryLimit`runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultuser arena chunk size is not a multiple of the physical page sizerunt, xrefs: 00423779
GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime, xrefs: 00423745

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: ?$GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pc$GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime$malformed GOMEMLIMIT; see `go doc runtime/debug.SetMemoryLimit`runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultuser arena chunk size is not a multiple of the physical page sizerunt
API String ID: 0-1099554046
Opcode ID: ea0540e330aed416487035ce45f06f4ff617c14fa814f5a914b00c85db1baba5
Instruction ID: 35b0f3f179cf4810e6a0c6d1dc1fb296fd46c69fba74fda29b01e42f21dc8f13
Opcode Fuzzy Hash: ea0540e330aed416487035ce45f06f4ff617c14fa814f5a914b00c85db1baba5
Instruction Fuzzy Hash: C6213AB05083418FC710EF25E05162ABBF1FF88718F90895EE8D887391DB389A45CB5B

Function 00435000 Relevance: 5.1, Strings: 4, Instructions: 53COMMON

Download Yara Rule

Strings

) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallpro, xrefs: 004350B9
3, xrefs: 004350DD
runtime: netpoll: PostQueuedCompletionStatus failed (errno= runtime: GetQueuedCompletionStatusEx returned invalid mode= go package net: GODEBUG setting forcing use of Go's resolverexec: Cmd started a Process but leaked without a call to WaitabiRegArgsType nee, xrefs: 0043508F
runtime: netpoll: PostQueuedCompletionStatus failedfatal: systemstack called from unexpected goroutinegodebug: Value of name not listed in godebugs.All: Failed to send close message to middleman server: %vmallocgc called without a P or outside bootstrappingrun, xrefs: 004350D4

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallpro$3$runtime: netpoll: PostQueuedCompletionStatus failed (errno= runtime: GetQueuedCompletionStatusEx returned invalid mode= go package net: GODEBUG setting forcing use of Go's resolverexec: Cmd started a Process but leaked without a call to WaitabiRegArgsType nee$runtime: netpoll: PostQueuedCompletionStatus failedfatal: systemstack called from unexpected goroutinegodebug: Value of name not listed in godebugs.All: Failed to send close message to middleman server: %vmallocgc called without a P or outside bootstrappingrun
API String ID: 0-682007050
Opcode ID: 9f8425ef9269fe0098c6b2fbacdc71af105f5e9692bce2cbca32d5a1bfecd8da
Instruction ID: 55102773e57a206d1fe24f581cae639836691e0b6b00865180aff2c802025652
Opcode Fuzzy Hash: 9f8425ef9269fe0098c6b2fbacdc71af105f5e9692bce2cbca32d5a1bfecd8da
Instruction Fuzzy Hash: FE2127B01087048FD304EF25D09572ABBF4EF98308F40981EE8C883352EB799949DB97

Function 004158A0 Relevance: 5.0, Strings: 4, Instructions: 45COMMON

Download Yara Rule

Strings

runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAdd, xrefs: 004158E6
bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: , xrefs: 00415910
runtime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAG, xrefs: 00415944
, xrefs: 0041594D

Memory Dump Source

Source File: 00000005.00000002.2532665160.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2532665160.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2532665160.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: $ bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: $runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAdd$runtime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAG
API String ID: 0-3511914922
Opcode ID: a7d109619fe20d68980b69089ef3fb5d620c346555093f1b42fac837cb3fadd5
Instruction ID: e831ae280137a815bd9cbc07886118ba5bd1da9de69c0fd05c05f5d38d0a0548
Opcode Fuzzy Hash: a7d109619fe20d68980b69089ef3fb5d620c346555093f1b42fac837cb3fadd5
Instruction Fuzzy Hash: F7119DB41097089FD340FF69C58575EBBE4EF88708F41981EE9C887341EB7899489BA7

Analysis Process: powershell.exePID: 6932, Parent PID: 5776COMMON

Executed Functions

Function 074E0560 Relevance: .7, Instructions: 698COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1307475341.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b951f2a5e5644d5840cad02ef1d757cb9cfb4caaffb558e11177d09429b51a
Instruction ID: 821c541dd72eae178823ddd22a05847b8eb2d237f8dbd84a8bb65adda538c3a1
Opcode Fuzzy Hash: 50b951f2a5e5644d5840cad02ef1d757cb9cfb4caaffb558e11177d09429b51a
Instruction Fuzzy Hash: 913257B07043099FD7118B658850BEBBBBAEFC5325F24806BD5159F756CB72C842C7A1

Function 02E029F0 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1301857028.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbd87080db9494966e8de98b20a1c2f95545245bddb43efac993d91f50318e99
Instruction ID: c1df14ab1fd9546110f6ff6acee8c6e755742fe471a7855004eceee5b8e1e51c
Opcode Fuzzy Hash: fbd87080db9494966e8de98b20a1c2f95545245bddb43efac993d91f50318e99
Instruction Fuzzy Hash: FA919070A006458FCB15CF59C4D8AEAFBF1FF49314B24859AD915AB3A1C735EC82CBA0

Function 074E1068 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1307475341.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ead6cbd6be1a081140898168c89c61f85dd90a4aef561cfd8114bab075c628f
Instruction ID: 7c6fa8182de8264d4b18df950dfa0868cb48e4f5a2db0d394e6e335ea12a9c34
Opcode Fuzzy Hash: 0ead6cbd6be1a081140898168c89c61f85dd90a4aef561cfd8114bab075c628f
Instruction Fuzzy Hash: A561B8F0B90208ABE7149B909D51BEE67B65FC5724F204025D5067FB89CF72DD428B62

Function 074E15B5 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1307475341.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17baf33f46f4cf62ab91d85faef3e241353b62219d4447d82b3bb71c491e981b
Instruction ID: 1eb928a0dce49c354f8f1a9f5f8a8b5c74ed98af87cd7de872a74359a1ba9c82
Opcode Fuzzy Hash: 17baf33f46f4cf62ab91d85faef3e241353b62219d4447d82b3bb71c491e981b
Instruction Fuzzy Hash: FB5107F0B8030D9FE7149BA48910BEA7BBA9FC5B10F148026D5066F785DF31DD428BA2

Function 02E02B00 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1301857028.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90d14f14c105004a7d8130c3bd643f12bdbb7c9773c644e5e1896b1c1da5d91
Instruction ID: d043615a2dfa64716c8d0a82878a5300187ff52648f1a1a6bb874849d8555b99
Opcode Fuzzy Hash: d90d14f14c105004a7d8130c3bd643f12bdbb7c9773c644e5e1896b1c1da5d91
Instruction Fuzzy Hash: DB412A74A006058FCB15CF68C4D8AEAFBB1FF48314B158159D915AB3A4C736FC92CBA4

Function 074E0E40 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1307475341.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e593f7ef554f5224ed34390203bec02d3da8ae8ac961a2b18cfc323945fcb32c
Instruction ID: 6fc71c8cfa5e3ee776ec527783253c391925c53941caadd47396b8dadf37f9a4
Opcode Fuzzy Hash: e593f7ef554f5224ed34390203bec02d3da8ae8ac961a2b18cfc323945fcb32c
Instruction Fuzzy Hash: 70319DB13082459FD71096589850AABBBA6DFC5330B24C07BD519DF796CA72CC02C361

Function 074E0E24 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1307475341.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f19a4abd33883617b0dd3a8d4c459fea561e46f3a6e2058eb03072337a552ef9
Instruction ID: 25e81694bbbe0231882b2bd440b54305f38f022ab16e456ca036142ce5c1f066
Opcode Fuzzy Hash: f19a4abd33883617b0dd3a8d4c459fea561e46f3a6e2058eb03072337a552ef9
Instruction Fuzzy Hash: 8A112770308284ABD7114A149D50AABBB6A9FC5735B28C0B7D914DF797CB72DC42C361

Function 02C1D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1301310570.0000000002C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a417dd5a776828958fef03fd0f9fee44539285f1264bcbcc27d300fbbe5871
Instruction ID: 27f111bcc98cea3836b8c5759cc2e71712bdaa15ba47eef677f4e58fb1d5d3a2
Opcode Fuzzy Hash: d6a417dd5a776828958fef03fd0f9fee44539285f1264bcbcc27d300fbbe5871
Instruction Fuzzy Hash: 1001526140E3C05FD7128B258C94752BFB4DF43224F1D81DBD9888F1A3C2695849DBB2

Function 02C1D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1301310570.0000000002C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a3a593f2e3641754152a773b2b070603c543a86f036aa350db20d9279d8606
Instruction ID: 29dfd0147a03a5ae9d3196ff62a29594d80298709ef716766f93fa13153ebd0c
Opcode Fuzzy Hash: f7a3a593f2e3641754152a773b2b070603c543a86f036aa350db20d9279d8606
Instruction Fuzzy Hash: AC01D631404344AEE7208A26CDC5B67BFD8DF82224F18C51AED4A4F642C7799982DAF6

Function 074E13FF Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1307475341.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_74e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2bb79f39a471ccd24a7b284e1371d7b913c38ffaff6daf923623ad7433c7272
Instruction ID: ac9297e32e07901be8b14686cdda3995a3ee50e9d815676276b3b7c1ee5fdfd5
Opcode Fuzzy Hash: d2bb79f39a471ccd24a7b284e1371d7b913c38ffaff6daf923623ad7433c7272
Instruction Fuzzy Hash: 70F081F178C19A1BD71152B41860AABFF55DBC2225718847BC4459F383DA32CC83C772

Analysis Process: c2SVEEbvn5.exePID: 2980, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	27
Total number of Limit Nodes:	1

Executed Functions

Function 0256003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0256024D

Strings

kernel32.dll, xrefs: 0256008F, 02560095
cess, xrefs: 0256018D

Memory Dump Source

Source File: 0000000A.00000002.2534153247.0000000002560000.00000040.00001000.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2560000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 8748816e91601d01a212cc8ca78b5fd4f6328feed49940da2d66e1e2c91ee6a8
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 43525874A01229DFDB64CF58C984BA8BBB1BF09314F1480D9E94DAB391DB30AE85DF14

Function 00AF07A6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00AF07CE
Module32First.KERNEL32(00000000,00000224), ref: 00AF07EE

Memory Dump Source

Source File: 0000000A.00000002.2533883308.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_af0000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 5a58e5bfeea6bfb1545b12fbc11d0b26d501695c9faf974ea68edf8a9af7f980
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: FEF06231101B196BD7203BF5A88DE7FB6E8AF49765F100568F742910C1DB70F8454A61

Function 02560E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02560223,?,?), ref: 02560E19
SetErrorMode.KERNELBASE(00000000,?,?,02560223,?,?), ref: 02560E1E

Memory Dump Source

Source File: 0000000A.00000002.2534153247.0000000002560000.00000040.00001000.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2560000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 28b5f1fce6c579d886385c532f99378ce88ba66a548b13f3c04ec17d3950e732
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 6FD0123154512877D7102AD4DC0DBDD7F1CEF05B66F008011FB0DD9080C770994046E9

Function 00AF0465 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00AF04B6

Memory Dump Source

Source File: 0000000A.00000002.2533883308.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_af0000_c2SVEEbvn5.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 909d0477a8fd57cde3606d05b57f047fa60d952501455c377d7872e239f55071
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 93113C79A40208EFDB01DF98CA85E98BFF5AF08351F058094FA489B362D371EA50DF80

Non-executed Functions

Function 004129D0 Relevance: 9.0, Strings: 7, Instructions: 250COMMON

Download Yara Rule

Strings

runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:, xrefs: 00412B36, 00412BFB
with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runti, xrefs: 00412B1B
), xrefs: 00412C1A
runtime: typeBitsBulkBarrier with type bulkBarrierPreWrite: unaligned argumentsrefill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unkn, xrefs: 00412AF1, 00412B73
runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpan, xrefs: 00412C11
but memory size /gc/pauses:seconds because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked, xrefs: 00412BC7
of size runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64, xrefs: 00412B9D

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: but memory size /gc/pauses:seconds because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked$ of size runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64$ with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runti$)$runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:$runtime: typeBitsBulkBarrier with type bulkBarrierPreWrite: unaligned argumentsrefill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unkn$runtime: typeBitsBulkBarrier without type/memory/classes/metadata/mspan/free:bytesruntime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpan
API String ID: 0-444383925
Opcode ID: fb7dd08eebdcffb68ed6f0515201766069551f0d0e5f9e2aea924636202642bd
Instruction ID: c3b6e2db6fa0461498705e485b1ed48b9f6ecf45ca636e26bb5418af4ff028b1
Opcode Fuzzy Hash: fb7dd08eebdcffb68ed6f0515201766069551f0d0e5f9e2aea924636202642bd
Instruction Fuzzy Hash: AFA17AB59097088FC300EF19C58025AFBE1FF88714F49896EE99887312EB74E945DB97

Function 004034A0 Relevance: 18.8, Strings: 15, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

te k, xrefs: 00403512
nd 3, xrefs: 004034DA
2-by, xrefs: 004034EF
expa, xrefs: 00403527
te k, xrefs: 00403519
2-by, xrefs: 004034F6
nd 3, xrefs: 004034D3
2-by, xrefs: 004034FD
nd 3, xrefs: 004034E1
2-by, xrefs: 00403504
te k, xrefs: 00403520
te k, xrefs: 0040350B
expa, xrefs: 004035D2
expa, xrefs: 004034C5
nd 3, xrefs: 004034E8

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: 2-by$2-by$2-by$2-by$expa$expa$expa$nd 3$nd 3$nd 3$nd 3$te k$te k$te k$te k
API String ID: 0-4277483314
Opcode ID: fc3555c6e44bbdcb2cfa064d072331bb53f71f0f939a12c3ad269234c0296597
Instruction ID: 0bff66a761d1c838939a7e550572e3e7e5894a584f2545116f5c747d66c1c5ac
Opcode Fuzzy Hash: fc3555c6e44bbdcb2cfa064d072331bb53f71f0f939a12c3ad269234c0296597
Instruction Fuzzy Hash: CA5124B48056408FD358CF06C198BA5BBE1BF88314F2A86FAC4588F776E7768846CF51

Function 00417D50 Relevance: 16.7, Strings: 13, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+, xrefs: 004183F1
because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime., xrefs: 00418271
runtime.SetFinalizer: pointer not at beginning of allocated blockunable to query buffer size from InitializeProcThreadAttributeListreflect: reflect.Value.UnsafePointer on an invalid notinheap pointerembedded IPv4 address must replace the final 2 fields of the , xrefs: 004182F8
runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultuser arena chunk size is not a multiple of the physical page sizeruntime: function marked with #cgo nocallback called back into Goru, xrefs: 00418360
nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod, xrefs: 00418376
(, xrefs: 004183AD
runtime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already , xrefs: 00418125, 004181AD, 00418235
runtime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memory: cannot allocate runtime.preemptM: duplicatehandle failedglobal runq empty wi, xrefs: 004183A3
, not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failed, xrefs: 004183BD
runtime.SetFinalizer: first argument is nilruntime.SetFinalizer: finalizer already setgcBgMarkWorker: unexpected gcMarkWorkerModenon in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryru, xrefs: 004183E8
runtime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= casfrom_Gscanstatus: gp->status is not in scan state, xrefs: 0041834A
runtime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpanLocked - invalid span stateattempted to add zero-sized address rangeruntime: block, xrefs: 004182B3
, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 004182CD

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.$($+$, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$, not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failed$nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod$runtime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already $runtime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memory: cannot allocate runtime.preemptM: duplicatehandle failedglobal runq empty wi$runtime.SetFinalizer: first argument is nilruntime.SetFinalizer: finalizer already setgcBgMarkWorker: unexpected gcMarkWorkerModenon in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryru$runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultuser arena chunk size is not a multiple of the physical page sizeruntime: function marked with #cgo nocallback called back into Goru$runtime.SetFinalizer: pointer not at beginning of allocated blockunable to query buffer size from InitializeProcThreadAttributeListreflect: reflect.Value.UnsafePointer on an invalid notinheap pointerembedded IPv4 address must replace the final 2 fields of the $runtime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= casfrom_Gscanstatus: gp->status is not in scan state$runtime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpanLocked - invalid span stateattempted to add zero-sized address rangeruntime: block
API String ID: 0-4142479673
Opcode ID: 01390737ad45a1fb96a7f0d7b846c00ec7583e6307a8425ac0bd5fdc00a0d0e0
Instruction ID: ea967b089e611846dd5a7173fc7f0fa1b20cd5e6a94ee60f8f3ebd5422ba16b5
Opcode Fuzzy Hash: 01390737ad45a1fb96a7f0d7b846c00ec7583e6307a8425ac0bd5fdc00a0d0e0
Instruction Fuzzy Hash: 6A1237746087058FC724DF25C0806ABBBF1BF88744F14892EE8D987351EB79D986DB4A

Function 0040B600 Relevance: 15.2, Strings: 12, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfailed to reserve page summary memoryruntime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpr, xrefs: 0040B982
) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:, xrefs: 0040BA0E
$, xrefs: 0040BA17
bad system huge page sizearena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: p, xrefs: 0040B8D9
) must be a power of 2system huge page size (runtime: s.allocCount= s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad pro, xrefs: 0040B8BE, 0040B920
) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm, xrefs: 0040B9AC, 0040BA38
bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double wait, xrefs: 0040B93B, 0040B9C7, 0040BA53
system huge page size (runtime: s.allocCount= s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime, xrefs: 0040B892
bad TinySizeClassruntime: pointer g already scannedmark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 0040BA7F
failed to get system page sizeassignment to entry in nil mapruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/total:seconds/godebug/non-default, xrefs: 0040BA69
min size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - deadlock!goroutine running on other thread; stack unavailablename is not in canonical format (it must end, xrefs: 0040B84D
system page size ( but memory size /gc/pauses:seconds because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames , xrefs: 0040B8F4, 0040B956, 0040B9E2

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: $$) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm$) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:$) is smaller than minimum page size (/cpu/classes/gc/mark/idle:cpu-secondssetprofilebucket: profile already setfailed to reserve page summary memoryruntime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpr$) must be a power of 2system huge page size (runtime: s.allocCount= s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad pro$bad TinySizeClassruntime: pointer g already scannedmark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb$bad system huge page sizearena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: p$bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double wait$failed to get system page sizeassignment to entry in nil mapruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/total:seconds/godebug/non-default$min size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - deadlock!goroutine running on other thread; stack unavailablename is not in canonical format (it must end$system huge page size (runtime: s.allocCount= s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime$system page size ( but memory size /gc/pauses:seconds because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames
API String ID: 0-3943168262
Opcode ID: 6ba72ae5723c61703524b54541c1f2213e1e0b4ae6b433b220f6459e02b2af84
Instruction ID: 0cbbd9b4595dbc890d40b0817110a4e30afdb0a33d4367c6fd16a2df426bf2ee
Opcode Fuzzy Hash: 6ba72ae5723c61703524b54541c1f2213e1e0b4ae6b433b220f6459e02b2af84
Instruction Fuzzy Hash: C6C14AB4108604CFD304EF65D49576AB7E5FF58308F00982EE588C73A1EB789849DF9A

Function 0040BAA0 Relevance: 12.9, Strings: 10, Instructions: 351
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

runtime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:b, xrefs: 0040BFC1
misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:b, xrefs: 0040BF96
memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memory (bad use of unsafe.Pointer? try -d=checkptr)sysGrow bounds not aligned to pallocChunkBytesruntime: failed to create new , xrefs: 0040C049
out of memory allocating heap arena map/cpu/classes/gc/mark/assist:cpu-seconds/cpu/classes/scavenge/total:cpu-seconds/memory/classes/profiling/buckets:bytesmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResume, xrefs: 0040BDCD
., xrefs: 0040C052
arena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p , xrefs: 0040BDAD
) not in usable address space: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: , xrefs: 0040C015
out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbi, xrefs: 0040BD97
out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning wit, xrefs: 0040BD81
region exceeds uintptr range/gc/heap/frees-by-size:bytes/gc/heap/tiny/allocs:objects/sched/goroutines:goroutinesgcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: m, xrefs: 0040BF64

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: ) not in usable address space: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: $.$arena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p $memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memory (bad use of unsafe.Pointer? try -d=checkptr)sysGrow bounds not aligned to pallocChunkBytesruntime: failed to create new $misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:b$out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning wit$out of memory allocating heap arena map/cpu/classes/gc/mark/assist:cpu-seconds/cpu/classes/scavenge/total:cpu-seconds/memory/classes/profiling/buckets:bytesmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResume$out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbi$region exceeds uintptr range/gc/heap/frees-by-size:bytes/gc/heap/tiny/allocs:objects/sched/goroutines:goroutinesgcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: m$runtime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:b
API String ID: 0-994603571
Opcode ID: 56923667fd2f1879d0c7250705a9fafbe80af6074363d1558ddfff19389e5c2e
Instruction ID: 064074db6ef64add303172c7b25e5eea2f774f360a01db361163f97ee675393e
Opcode Fuzzy Hash: 56923667fd2f1879d0c7250705a9fafbe80af6074363d1558ddfff19389e5c2e
Instruction Fuzzy Hash: 1EF103B45083058FC710DF25C48069AFBE1FF88704F45892EE9989B391E779A849CF9A

Function 0041AD30 Relevance: 12.8, Strings: 10, Instructions: 286
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= , xrefs: 0041B098
work.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedRtlGetNtVersionNumbers, xrefs: 0041B0F6
gcBgMarkWorker: blackening not enabledcannot read stack of running goroutineruntime: blocked read on free polldescruntime: sudog with non-false isSelectarg size to reflect.call more than 1GBaddtimer called with initialized timerv could not fit in traceBytesPer, xrefs: 0041B1E5
work.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread I, xrefs: 0041B177
runtime: work.nwait= previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdea, xrefs: 0041B119
&, xrefs: 0041B1EE
gcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on , xrefs: 0041B18D
GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod, xrefs: 0041AD74
runtime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil , xrefs: 0041B06F
work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status=, xrefs: 0041B0C2, 0041B143

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status=$ work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= $&$GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod$gcBgMarkWorker: blackening not enabledcannot read stack of running goroutineruntime: blocked read on free polldescruntime: sudog with non-false isSelectarg size to reflect.call more than 1GBaddtimer called with initialized timerv could not fit in traceBytesPer$gcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on $runtime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil $runtime: work.nwait= previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdea$work.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedRtlGetNtVersionNumbers$work.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread I
API String ID: 0-2597733568
Opcode ID: 7626a6057af96ac597dcfb971f8fb7afd8f662e0fe17e8697f83deab9cd22213
Instruction ID: 10e4db9bf1196a97a6d1858a6c1bb9d57f34c66855e3692ec656ed791d6a67f1
Opcode Fuzzy Hash: 7626a6057af96ac597dcfb971f8fb7afd8f662e0fe17e8697f83deab9cd22213
Instruction Fuzzy Hash: 92D1D1B41097449FC304EF25C090A5ABBF0FF89318F00996EE99987362DB79E885DF56

Function 0041B460 Relevance: 12.8, Strings: 10, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at en, xrefs: 0041B625
next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsru, xrefs: 0041B7F7
wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm=244140625rwxrwxrw, xrefs: 0041B695
flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc , xrefs: 0041B64F
in gcMark expecting to see gcphase as _GCmarkterminationsync: WaitGroup misuse: Add called concurrently with Waitcannot run executable found relative to current directory (set GODEBUG=execwait=2 to capture stacks for debugging)runtime: checkmarks found unexpec, xrefs: 0041B914
nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE, xrefs: 0041B875
nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=, xrefs: 0041B8C9
runtime: full=runtime: want=MB; allocated timeEndPeriod, xrefs: 0041B7CD
8, xrefs: 0041B91D
P has cached GC work at end of mark terminationfailed to acquire lock to start a GC transitionfinishGCTransition called without starting one?tried to sleep scavenger from another goroutineruntime: CreateIoCompletionPort failed (errno= racy sudog adjustment due, xrefs: 0041B71A

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc $ nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACE$ nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=$ next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsru$ wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm=244140625rwxrwxrw$8$P has cached GC work at end of mark terminationfailed to acquire lock to start a GC transitionfinishGCTransition called without starting one?tried to sleep scavenger from another goroutineruntime: CreateIoCompletionPort failed (errno= racy sudog adjustment due$in gcMark expecting to see gcphase as _GCmarkterminationsync: WaitGroup misuse: Add called concurrently with Waitcannot run executable found relative to current directory (set GODEBUG=execwait=2 to capture stacks for debugging)runtime: checkmarks found unexpec$runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at en$runtime: full=runtime: want=MB; allocated timeEndPeriod
API String ID: 0-2780444836
Opcode ID: fa9f76e301de3e2c2f94b555e00f6cd4fb5b15aaee8dd8d840375eaecd65081c
Instruction ID: 82a5545f0430c9045a731e37a05a4fd15ef01553cc6b59c52fc67bdbe0034acd
Opcode Fuzzy Hash: fa9f76e301de3e2c2f94b555e00f6cd4fb5b15aaee8dd8d840375eaecd65081c
Instruction Fuzzy Hash: 88D1F7B45093449FC304EF65D585B6ABBF1FF88308F40982EF9898B351DB38A944DB96

Function 00460180 Relevance: 12.7, Strings: 10, Instructions: 244
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptem, xrefs: 0046049E
unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: , xrefs: 00460205
]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprootitabsbrkidledead is LEAFb, xrefs: 004604EC
(scan)types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovem, xrefs: 00460433
gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRschedhch, xrefs: 00460333
m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegca, xrefs: 004603D4
, locked to threadruntime.semacreateruntime.semawakeup298023223876953125unable to parse IPsegmentation faultoperation canceledno child processesconnection refusedRFS specific erroridentifier removedinput/output errormultihop attemptedfile name too longno locks, xrefs: 004604CC
goroutine 12207031256103515625ParseAddr(invalid IPterminatedowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptdnsapi.dllws2_32.dllClassCSNETClassCHAOSAdditionalskipping: LockFileExWSASocketWhttp2debugcrypto/tlsshort writ, xrefs: 004602CA
[("")) ) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=St, xrefs: 004603F4
???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintmapptr...finobjgc %: gp *(in n= ) - NaN P , xrefs: 004601DD

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: (scan)types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovem$ [("")) ) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=St$ gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRschedhch$ m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegca$ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptem$, locked to threadruntime.semacreateruntime.semawakeup298023223876953125unable to parse IPsegmentation faultoperation canceledno child processesconnection refusedRFS specific erroridentifier removedinput/output errormultihop attemptedfile name too longno locks$???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintmapptr...finobjgc %: gp *(in n= ) - NaN P $]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprootitabsbrkidledead is LEAFb$goroutine 12207031256103515625ParseAddr(invalid IPterminatedowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptdnsapi.dllws2_32.dllClassCSNETClassCHAOSAdditionalskipping: LockFileExWSASocketWhttp2debugcrypto/tlsshort writ$unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep:
API String ID: 0-1838092129
Opcode ID: e0cc56025ce05c5fbcd10d2eba0a069ffa7b479f1965e6c1216a3a5823f1c344
Instruction ID: 872cae036d1da53ab8c811fab67b347261010f21cfe77534060da605c69c5e42
Opcode Fuzzy Hash: e0cc56025ce05c5fbcd10d2eba0a069ffa7b479f1965e6c1216a3a5823f1c344
Instruction Fuzzy Hash: 2DA149746093148FC310EF65C191A6FB7E1EF88708F50986EE98487352EB38E945DB9B

Function 004477E0 Relevance: 12.7, Strings: 10, Instructions: 243COMMON

Download Yara Rule

Strings

nmidlelocked= needspinning=randinit twicestore64 failedmemprofileratesemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine 1907348632812595367431640625file too largeis a dir, xrefs: 00447ADC
runtime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a power of 2too many callback functionstimer when must b, xrefs: 00447A92
%, xrefs: 00447A6C
checkdead: no p for timercheckdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStart2910383045673370361328125IPv4 field has value >255resource deadlock avoidedoperation , xrefs: 00447A25
mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundloc, xrefs: 00447B06
nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdown, xrefs: 00447B30
checkdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible type kind unsafe.Slice: len out of range22737367544323205947, xrefs: 00447B74
no goroutines (main called runtime.Goexit) - deadlock!goroutine running on other thread; stack unavailablename is not in canonical format (it must end with a .)internal error: polling on unsupported descriptor typeReceived Open Connection Request for Stream , xrefs: 004478EE
all goroutines are asleep - deadlock!2220446049250313080847263336181640625godebug: unexpected IncNonDefault of cannot exec a shared library directlyvalue too large for defined data typecannot create context from nil parenttoo many Authorities to pack (>65535)t, xrefs: 00447A63
checkdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStart2910383045673370361328125IPv4 field has value >255resource deadlock avoidedoperation now in progressno buffer , xrefs: 004479FF

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundloc$ nmidlelocked= needspinning=randinit twicestore64 failedmemprofileratesemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine 1907348632812595367431640625file too largeis a dir$ nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdown$%$all goroutines are asleep - deadlock!2220446049250313080847263336181640625godebug: unexpected IncNonDefault of cannot exec a shared library directlyvalue too large for defined data typecannot create context from nil parenttoo many Authorities to pack (>65535)t$checkdead: inconsistent countsrunqputslow: queue is not fullruntime: bad pointer in frame invalid pointer found on stack locals stack map entries for abi mismatch detected between runtime: impossible type kind unsafe.Slice: len out of range22737367544323205947$checkdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStart2910383045673370361328125IPv4 field has value >255resource deadlock avoidedoperation now in progressno buffer $checkdead: no p for timercheckdead: no m for timerunknown sigtramp callbackunexpected fault address missing stack in newstackbad status in shrinkstackmissing traceGCSweepStart2910383045673370361328125IPv4 field has value >255resource deadlock avoidedoperation $no goroutines (main called runtime.Goexit) - deadlock!goroutine running on other thread; stack unavailablename is not in canonical format (it must end with a .)internal error: polling on unsupported descriptor typeReceived Open Connection Request for Stream $runtime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len out of rangestack size not a power of 2too many callback functionstimer when must b
API String ID: 0-3186792609
Opcode ID: 48b61ef6d9f2b701cd519543989a218348ec51ea5dd9d5102a56db2ae8a3cd89
Instruction ID: 93f6c63aa4b6947a3dcffc5d8c5af000d6ad82d6968fc3f62af2d9cc5a2561f4
Opcode Fuzzy Hash: 48b61ef6d9f2b701cd519543989a218348ec51ea5dd9d5102a56db2ae8a3cd89
Instruction Fuzzy Hash: B5A179B45093048FD714EF25D48566EBBE0FF98308F44982EE8C997351EB38D94ADB4A

Function 00407100 Relevance: 12.7, Strings: 10, Instructions: 199COMMON

Download Yara Rule

Strings

(types from different scopes)notetsleep - waitm out of syncfailed to get system page sizeassignment to entry in nil mapruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/, xrefs: 00407334
: missing method notetsleepg on g0bad TinySizeClassruntime: pointer g already scannedmark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 004073BB
is not pointerBAD RANK status unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/, xrefs: 00407399
interface conversion: freeIndex is not validoldoverflow is not nils.freeindex > s.nelemsbad sweepgen in refillspan has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex over, xrefs: 004071C3, 0040737F, 00407425
, xrefs: 00407306
is LEAFbase of <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+, xrefs: 004071E5
(types from different packages)GCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremo, xrefs: 004072FC
is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: , xrefs: 00407447
interfaceinvalid nfuncargs(bad indirreflect: InterfaceprofBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedcoroutinecopystack ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), xrefs: 00407130
, not object next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32floa, xrefs: 004071FF

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: $ (types from different packages)GCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremo$ (types from different scopes)notetsleep - waitm out of syncfailed to get system page sizeassignment to entry in nil mapruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/$ is LEAFbase of <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+$ is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: $ is not pointerBAD RANK status unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/$, not object next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32floa$: missing method notetsleepg on g0bad TinySizeClassruntime: pointer g already scannedmark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb$interface conversion: freeIndex is not validoldoverflow is not nils.freeindex > s.nelemsbad sweepgen in refillspan has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex over$interfaceinvalid nfuncargs(bad indirreflect: InterfaceprofBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedcoroutinecopystack ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use)
API String ID: 0-3784703874
Opcode ID: af3fc176bcb5e14d9d5188559cf9f01110c711f2e0b1578073616a30cc7fc258
Instruction ID: f83e9998422f3e5ce4d122e8e5248b1e27ca6edef12f27c547d49e3482ed015f
Opcode Fuzzy Hash: af3fc176bcb5e14d9d5188559cf9f01110c711f2e0b1578073616a30cc7fc258
Instruction Fuzzy Hash: 6DA199B49083419FC318DF15C080A5ABBE1BB88744F50892EF89987391DB79A849DF47

Function 004612C0 Relevance: 12.7, Strings: 10, Instructions: 175COMMON

Download Yara Rule

Strings

runtime: type offset base pointer out of rangeruntime: text offset base pointer out of rangebufio: reader returned negative count from Readunexpected error wrapping poll.ErrFileClosing: reflect.Value.Bytes of unaddressable byte arrayslice bounds out of range [, xrefs: 004614E2
!, xrefs: 00461595
base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegcallocmW, xrefs: 004613FD
etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptember-07:0, xrefs: 0046149C
not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateDirectoryWFlushFileBuffersGetC, xrefs: 00461427
types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovemberDece, xrefs: 00461472
runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno data availableexec format errorLookupAccountSidWDnsRecordListFreeGetCurrentProcessGetShortPathNameWWSAEnumProtocolsWRegLoadMUIStringWmultipartmaxpartsrefle, xrefs: 004613D4, 00461505
runtime: type offset out of range142108547152020037174224853515625710542735760100185871124267578125skip everything and stop the walktoo many levels of symbolic linksInitializeProcThreadAttributeListtoo many Answers to pack (>65535)GetVolumeNameForVolumeMountPo, xrefs: 0046158C
- NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprooti, xrefs: 00461558
out of range no module dataruntime: seq1=runtime: goid= in goroutine 1907348632812595367431640625file too largeis a directorylevel 2 haltedlevel 3 haltedtoo many linksno such deviceprotocol errortext file busytoo many usersCryptGenRandomCertCloseStoreCreatePr, xrefs: 0046152E

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovemberDece$ - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprooti$ base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegcallocmW$ etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptember-07:0$ not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateDirectoryWFlushFileBuffersGetC$ out of range no module dataruntime: seq1=runtime: goid= in goroutine 1907348632812595367431640625file too largeis a directorylevel 2 haltedlevel 3 haltedtoo many linksno such deviceprotocol errortext file busytoo many usersCryptGenRandomCertCloseStoreCreatePr$!$runtime: type offset base pointer out of rangeruntime: text offset base pointer out of rangebufio: reader returned negative count from Readunexpected error wrapping poll.ErrFileClosing: reflect.Value.Bytes of unaddressable byte arrayslice bounds out of range [$runtime: type offset out of range142108547152020037174224853515625710542735760100185871124267578125skip everything and stop the walktoo many levels of symbolic linksInitializeProcThreadAttributeListtoo many Answers to pack (>65535)GetVolumeNameForVolumeMountPo$runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno data availableexec format errorLookupAccountSidWDnsRecordListFreeGetCurrentProcessGetShortPathNameWWSAEnumProtocolsWRegLoadMUIStringWmultipartmaxpartsrefle
API String ID: 0-2750088902
Opcode ID: 43c3d045e655d812b6373281fd0d502039e68b2fecf9becc2859258b88dc1300
Instruction ID: f84276e96cc464bdbfe79f9bce170ddb1aa41f5f0dc3cb53c0e9b2862f9e1838
Opcode Fuzzy Hash: 43c3d045e655d812b6373281fd0d502039e68b2fecf9becc2859258b88dc1300
Instruction Fuzzy Hash: 8F8139B45093059FC344EF25C481B6AB7E0FF88308F44996EE98887751EB389949EB97

Function 00461010 Relevance: 12.7, Strings: 10, Instructions: 156COMMON

Download Yara Rule

Strings

!, xrefs: 004612A4
base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegcallocmW, xrefs: 00461108
etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptember-07:0, xrefs: 004611AB
runtime: name offset out of rangeruntime: type offset out of range142108547152020037174224853515625710542735760100185871124267578125skip everything and stop the walktoo many levels of symbolic linksInitializeProcThreadAttributeListtoo many Answers to pack (>65, xrefs: 0046129B
runtime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangebufio: reader returned negative count from Readunexpected error wrapping poll.ErrFileClosing: reflect.Value.Bytes of unadd, xrefs: 004611F1
not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateDirectoryWFlushFileBuffersGetC, xrefs: 00461132
types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovemberDece, xrefs: 00461181
runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno data availableexec format errorLookupAccountSidWDnsRecordListFreeGetCurrentProcessGetShortPathNameWWSAEnumProtocolsWRegLoadMUIStringWmulti, xrefs: 004610DF, 00461214
- NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprooti, xrefs: 00461267
out of range no module dataruntime: seq1=runtime: goid= in goroutine 1907348632812595367431640625file too largeis a directorylevel 2 haltedlevel 3 haltedtoo many linksno such deviceprotocol errortext file busytoo many usersCryptGenRandomCertCloseStoreCreatePr, xrefs: 0046123D

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovemberDece$ - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprooti$ base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegcallocmW$ etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptember-07:0$ not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateDirectoryWFlushFileBuffersGetC$ out of range no module dataruntime: seq1=runtime: goid= in goroutine 1907348632812595367431640625file too largeis a directorylevel 2 haltedlevel 3 haltedtoo many linksno such deviceprotocol errortext file busytoo many usersCryptGenRandomCertCloseStoreCreatePr$!$runtime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base pointer out of rangebufio: reader returned negative count from Readunexpected error wrapping poll.ErrFileClosing: reflect.Value.Bytes of unadd$runtime: name offset out of rangeruntime: type offset out of range142108547152020037174224853515625710542735760100185871124267578125skip everything and stop the walktoo many levels of symbolic linksInitializeProcThreadAttributeListtoo many Answers to pack (>65$runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno data availableexec format errorLookupAccountSidWDnsRecordListFreeGetCurrentProcessGetShortPathNameWWSAEnumProtocolsWRegLoadMUIStringWmulti
API String ID: 0-528331427
Opcode ID: 0da25ecb87cb4e265b2180c4bd9ea8b3b72a65382f788047a731e162cea343eb
Instruction ID: fc671f0a6b84f3f40c6abe962479be665b475ed6c8606287bbcc50d366154201
Opcode Fuzzy Hash: 0da25ecb87cb4e265b2180c4bd9ea8b3b72a65382f788047a731e162cea343eb
Instruction Fuzzy Hash: 57612BB45087449FC344EF65C58176AB7E0FF88308F40982EE9C887751EB789948EB97

Function 00401A60 Relevance: 11.6, Strings: 9, Instructions: 326COMMON

Download Yara Rule

Strings

cpu., xrefs: 00401AD1
GODEBUG: no value specified for "unaligned 64-bit atomic operationFailed to connect to target %s: %vClosed connection for Stream ID %dNoDefaultCurrentDirectoryInExePathreflect: Field of non-struct type reflect: Field index out of boundsreflect: string index ou, xrefs: 00401C43
", missing CPU supportpattern bits too long: Unknown message type: %dError creating shortcut:SA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard TimeSA Western Standard TimeMontevideo Standard TimeMagallanes Standard TimePacific SA Standard Ti, xrefs: 00401D0F
GODEBUG: unknown cpu feature "Failed to read message type: %vError checking for shortcut: %vfmt: unknown base; can't happenW. Central Africa Standard TimeCentral Brazilian Standard TimeMountain Standard Time (Mexico)reflect: Len of non-array type slice bounds , xrefs: 00401E24
GODEBUG: value "[bisect-match 0xreflect.Value.Int0123456789ABCDEFX0123456789abcdefxos/exec.Command(exec: killing Cmdexec: not startedGTB Standard TimeFLE Standard TimeGMT Standard Timeunknown type kindreflect: call of reflect.Value.Lengoroutine profileAllThre, xrefs: 00401BBA
"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintmapptr...finobjgc %: gp *(in n= ) - , xrefs: 00401C0E, 00401C6D, 00401E4E
" not supported for cpu option "Failed to read message length: %vFailed to get executable path: %vgo package net: confVal.netCgo = sync: RUnlock of unlocked RWMutexreflect: slice index out of range of method on nil interface valuereflect: Field index out of ra, xrefs: 00401BE4
GODEBUG: can not enable "Failed to read payload: %vcannot marshal DNS messageunexpected type in connecttoo many colons in addressunclosed criterion bracketcriterion lacks equal signGetFileInformationByHandleSouth Africa Standard TimeSaint Pierre Standard TimeN, xrefs: 00401CE5
!, xrefs: 00401C4C

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: !$"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintmapptr...finobjgc %: gp *(in n= ) - $" not supported for cpu option "Failed to read message length: %vFailed to get executable path: %vgo package net: confVal.netCgo = sync: RUnlock of unlocked RWMutexreflect: slice index out of range of method on nil interface valuereflect: Field index out of ra$", missing CPU supportpattern bits too long: Unknown message type: %dError creating shortcut:SA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard TimeSA Western Standard TimeMontevideo Standard TimeMagallanes Standard TimePacific SA Standard Ti$GODEBUG: can not enable "Failed to read payload: %vcannot marshal DNS messageunexpected type in connecttoo many colons in addressunclosed criterion bracketcriterion lacks equal signGetFileInformationByHandleSouth Africa Standard TimeSaint Pierre Standard TimeN$GODEBUG: no value specified for "unaligned 64-bit atomic operationFailed to connect to target %s: %vClosed connection for Stream ID %dNoDefaultCurrentDirectoryInExePathreflect: Field of non-struct type reflect: Field index out of boundsreflect: string index ou$GODEBUG: unknown cpu feature "Failed to read message type: %vError checking for shortcut: %vfmt: unknown base; can't happenW. Central Africa Standard TimeCentral Brazilian Standard TimeMountain Standard Time (Mexico)reflect: Len of non-array type slice bounds $GODEBUG: value "[bisect-match 0xreflect.Value.Int0123456789ABCDEFX0123456789abcdefxos/exec.Command(exec: killing Cmdexec: not startedGTB Standard TimeFLE Standard TimeGMT Standard Timeunknown type kindreflect: call of reflect.Value.Lengoroutine profileAllThre$cpu.
API String ID: 0-3650166030
Opcode ID: 9cfbf6dd7358f3a2cfa980e791c2cbd565f79b3a47979bce08e7bb82901ebe4a
Instruction ID: 434b28da2bcfce092ea891682c63a407aae1b0b9201cbaf4d9cb4cb07bd33a4a
Opcode Fuzzy Hash: 9cfbf6dd7358f3a2cfa980e791c2cbd565f79b3a47979bce08e7bb82901ebe4a
Instruction Fuzzy Hash: 97D1907060C3548FC714DF65C48052EB7F1AB98308F54886FE885AB3A2D778E945DF9A

Function 00420770 Relevance: 11.5, Strings: 9, Instructions: 239COMMON

Download Yara Rule

Strings

s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm=244140625rwxrwxrwxinterruptbus erro, xrefs: 0042085B
unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNex, xrefs: 00420955
s=nil (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internP, xrefs: 004209E5
*(in n= ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkinda, xrefs: 00420A6A
) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm, xrefs: 00420983
s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from 3814697265625, xrefs: 00420885
... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13uint16, xrefs: 00420A39, 00420B44
s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=, xrefs: 00420831
<==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Lo, xrefs: 00420AFE

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: *(in n= ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkinda$ ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13uint16$ <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Lo$ s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc=$ s.limit= s.state= B work ( B exp.) marked unmarked in use), size = , tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm=244140625rwxrwxrwxinterruptbus erro$ s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from 3814697265625$ s=nil (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internP$) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm$unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNex
API String ID: 0-4106205133
Opcode ID: f71dfa7bd4d34e9a92bbf05ca2c4b8f52d9232918c7fdfc8fcf14ce956999baa
Instruction ID: 34d944404b5c83a6b05763de51e48f506b933d9d9cb014227796db39f0ced14f
Opcode Fuzzy Hash: f71dfa7bd4d34e9a92bbf05ca2c4b8f52d9232918c7fdfc8fcf14ce956999baa
Instruction Fuzzy Hash: FDB1FAB42093548FD340EF65D19176EBBE0EF88308F81985EE98987352DB389948DB97

Function 00436C90 Relevance: 11.4, Strings: 9, Instructions: 189COMMON

Download Yara Rule

Strings

runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:, xrefs: 00436EFE
bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch152587890625762939453125invalid slothost is downillegal seekGetLengt, xrefs: 00436ED7
runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocannot send after transport endpoint shutdowncontext: internal error: missing cancel errorparsing/packing of this section has, xrefs: 00436F59
runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!2220446049250313080847263336181640625godebug: unexpected IncNonDefault of c, xrefs: 00436FE8
%, xrefs: 00436FF1
CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10syscall: string with, xrefs: 00436F8D
VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timer3552713678800500929355621337890625too many references: cannot spliceSetFileCompletionNotif, xrefs: 00436F32
) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm, xrefs: 00436EBC
runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocannot send after transport endpoint shutdowncontext: internal error: missing ca, xrefs: 00436FB4

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: %$) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm$CreateWaitableTimerEx when creating timer failedruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10syscall: string with$VirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timer3552713678800500929355621337890625too many references: cannot spliceSetFileCompletionNotif$bad g0 stackself-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch152587890625762939453125invalid slothost is downillegal seekGetLengt$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocannot send after transport endpoint shutdowncontext: internal error: missing ca$runtime.minit: duplicatehandle failed_cgo_notify_runtime_init_done missingstartTheWorld: inconsistent mp->nextpruntime: unexpected SPWRITE function all goroutines are asleep - deadlock!2220446049250313080847263336181640625godebug: unexpected IncNonDefault of c$runtime: CreateWaitableTimerEx failed; errno=exitsyscall: syscall frame is no longer validunsafe.String: ptr is nil and len is not zerocannot send after transport endpoint shutdowncontext: internal error: missing cancel errorparsing/packing of this section has$runtime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime: bad notifyList size - sync=accessed data from freed user arena runtime:
API String ID: 0-2025737982
Opcode ID: 1b1964fc6b4db3a573c57e88b4f4ed46b7491482acc87dbbe837a7bb27ee8aee
Instruction ID: d296bd98874d98b09101613837b3cc139afd8fcf293b97d7d4a826dccca11ac0
Opcode Fuzzy Hash: 1b1964fc6b4db3a573c57e88b4f4ed46b7491482acc87dbbe837a7bb27ee8aee
Instruction Fuzzy Hash: 549103B41087058FC300EF69C09575ABBE4FF88318F01996EE9888B351DB78E949DF96

Function 00412500 Relevance: 11.4, Strings: 9, Instructions: 125COMMON

Download Yara Rule

Strings

runtime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/total:seconds/godebug/non-default-behavior/bcryptprimitives.dll not foundpanic called with ni, xrefs: 004125A3
>, xrefs: 00412591
to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplocked, xrefs: 0041272C
) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm, xrefs: 004125F7
span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failed, xrefs: 0041269F
found bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotslice length too short to convert to array or pointer to arrayruntime: internal error: misuse of lockOSThread/unlockOSThreadmalformed GO, xrefs: 00412588
runtime: pointer g already scannedmark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 00412521
to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not found, xrefs: 00412661
object next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64win, xrefs: 00412612

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failed$ to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not found$ to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplocked$) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm$>$found bad pointer in Go heap (incorrect use of unsafe or cgo?)limiterEvent.stop: found wrong event in p's limiter event slotslice length too short to convert to array or pointer to arrayruntime: internal error: misuse of lockOSThread/unlockOSThreadmalformed GO$object next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64win$runtime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/total:seconds/godebug/non-default-behavior/bcryptprimitives.dll not foundpanic called with ni$runtime: pointer g already scannedmark - bad statusscanobject n == 0swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-3668347996
Opcode ID: e60f9dccfec0eea950195a98f6719ed39a1180ad009b9753a6d4dcbbe1d150c4
Instruction ID: cbfe1744b4e828010f7ec837e2b766780ae937bffb6cc0cc3886ce7d8d63807d
Opcode Fuzzy Hash: e60f9dccfec0eea950195a98f6719ed39a1180ad009b9753a6d4dcbbe1d150c4
Instruction Fuzzy Hash: FF51D7B41096049FC340FF65C19179EBBE4EF4C308F50985EE98887352DB789949EBA7

Function 00408CF0 Relevance: 10.2, Strings: 8, Instructions: 218COMMON

Download Yara Rule

Strings

panicwrap: unexpected string after package name: runtime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsdelayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unf, xrefs: 00408DC8
panicwrap: unexpected string after type name: memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memory (bad use of unsafe.Pointer? try -d=checkptr)sysGrow bounds not aligned to , xrefs: 00408E89
called using nil *unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (eager), [controller , xrefs: 00408F9E
value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads=, xrefs: 00408F1D
pointerBAD RANK status unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/b, xrefs: 00408FC4
panicwrap: no ( in panicwrap: no ) in called using nil *unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free , xrefs: 00409090
., xrefs: 00408E93
panicwrap: no ) in called using nil *unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (ea, xrefs: 00409033

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: called using nil *unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (eager), [controller $ pointerBAD RANK status unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/b$.$panicwrap: no ( in panicwrap: no ) in called using nil *unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free $panicwrap: no ) in called using nil *unknown wait reasonnotesleep not on g0GC work not flushed/gc/scan/heap:bytes/gc/heap/goal:bytes/gc/heap/live:bytesbad kind in runfinqmarkroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (ea$panicwrap: unexpected string after package name: runtime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsdelayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unf$panicwrap: unexpected string after type name: memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memory (bad use of unsafe.Pointer? try -d=checkptr)sysGrow bounds not aligned to $value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads=
API String ID: 0-2628187855
Opcode ID: a49a52ccfa3d05b8cb831fb6aeb29f55b84c4650b9d9afef934ca34aaafa47c6
Instruction ID: 9d1f064a71096dbe859929c47fb0ef8b8ac8243933752ddc8241ec1b2b08d5db
Opcode Fuzzy Hash: a49a52ccfa3d05b8cb831fb6aeb29f55b84c4650b9d9afef934ca34aaafa47c6
Instruction Fuzzy Hash: E6B19FB4A093459FD324DF25D190B9ABBE1BF88304F40892EE4C997352DB78A948CF57

Function 00426710 Relevance: 10.1, Strings: 8, Instructions: 126COMMON

Download Yara Rule

Strings

pacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: split stack overflow: ...additional frames elided...unsafe.String: len out of range113686837721, xrefs: 00426812
MB; allocated timeEndPeriod, xrefs: 0042683C
pages/byte s.sweepgen= allocCount end tracegcProcessPrng, xrefs: 004268CF
sweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablenot enough significant bits after mult128bitPow10the :: must expand to at least one field of zerosinvalid or inco, xrefs: 00426908
mismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did n, xrefs: 004268F2
1, xrefs: 00426911
MB during sweep; swept bad profile stack countruntime: netpoll failedRtlGetNtVersionNumbers, xrefs: 0042687F
pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine , xrefs: 004268A9

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine $ pages/byte s.sweepgen= allocCount end tracegcProcessPrng$1$MB during sweep; swept bad profile stack countruntime: netpoll failedRtlGetNtVersionNumbers$MB; allocated timeEndPeriod$mismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did n$pacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: split stack overflow: ...additional frames elided...unsafe.String: len out of range113686837721$sweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablenot enough significant bits after mult128bitPow10the :: must expand to at least one field of zerosinvalid or inco
API String ID: 0-1865461020
Opcode ID: 62ac155142be4b216eb538f82a2ee2ac38ef09d7a5fb54542cbe3df895fa4cac
Instruction ID: 24a43e043851d58181f11b684ab76c9f7ac95071338aa9a3e217df2613327bb9
Opcode Fuzzy Hash: 62ac155142be4b216eb538f82a2ee2ac38ef09d7a5fb54542cbe3df895fa4cac
Instruction Fuzzy Hash: 465104746087059FC304EF29D48462EBBE0FF88308F81992EF89883351EB38D945DB46

Function 00401F10 Relevance: 9.2, Strings: 7, Instructions: 483COMMON

Download Yara Rule

Strings

rdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegcallocmWcpuprofallocmRunknowngctraceIO waitsyscallwaitingUNKNOWN:eve, xrefs: 00401FA3
sse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13uint16uint32uint64structchan<-<-chan Valuesysmontimersefenceselect, not object next= jobs= goid sweep, xrefs: 00402146
pclmulqdqmath/randtlsrsakexStart Menupowershell(BADINDEX)%!(NOVERB)myhostname.localhostunixpacketsetsockopt netGo = /dev/stdinCreateFileexecerrdotSYSTEMROOTtime.Date(time.Local%!Weekday(complex128t.Kind == notifyListprofInsertstackLargemSpanInUseGOMAXPROCSsto, xrefs: 00401F8A
ermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep, xrefs: 00401F71
avx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovemberDecember%!Month(scavengepollDesctraceBufdeadlockraceFinipanicnilcgocheckrunnable procid , xrefs: 00402463
adxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprootitabsbrkidledead is LEAFbase of <==GOGC] = p, xrefs: 00401F40
avx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptember-07:00:00Z07:00:00complex64interfaceinvalid nfuncargs(bad indirreflect: Inter, xrefs: 004024A4

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: adxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprootitabsbrkidledead is LEAFbase of <==GOGC] = p$avx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptember-07:00:00Z07:00:00complex64interfaceinvalid nfuncargs(bad indirreflect: Inter$avx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovemberDecember%!Month(scavengepollDesctraceBufdeadlockraceFinipanicnilcgocheckrunnable procid $ermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep$pclmulqdqmath/randtlsrsakexStart Menupowershell(BADINDEX)%!(NOVERB)myhostname.localhostunixpacketsetsockopt netGo = /dev/stdinCreateFileexecerrdotSYSTEMROOTtime.Date(time.Local%!Weekday(complex128t.Kind == notifyListprofInsertstackLargemSpanInUseGOMAXPROCSsto$rdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegcallocmWcpuprofallocmRunknowngctraceIO waitsyscallwaitingUNKNOWN:eve$sse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13uint16uint32uint64structchan<-<-chan Valuesysmontimersefenceselect, not object next= jobs= goid sweep
API String ID: 0-4001917556
Opcode ID: 723136f72bf18482a275495c001da335651f044058853c9d2f64deb5a7ac3b55
Instruction ID: 5a566a7ef4cc34c82151f9986193eb8a3813bf1cb864c8919b1e502b5e469abf
Opcode Fuzzy Hash: 723136f72bf18482a275495c001da335651f044058853c9d2f64deb5a7ac3b55
Instruction Fuzzy Hash: 76328DB45087418FD718DF18D884B5ABBF1BF98308F18856ED8488B396E375D84ADF86

Function 0043B5F0 Relevance: 8.9, Strings: 7, Instructions: 145COMMON

Download Yara Rule

Strings

-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int64ui, xrefs: 0043B644
., xrefs: 0043B77A
+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int, xrefs: 0043B65E
e, xrefs: 0043B77F
NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprootitab, xrefs: 0043B6DD
-, xrefs: 0043B6C8
-, xrefs: 0043B78D

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: +Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int$-$-$-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int64ui$.$NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprootitab$e
API String ID: 0-1305696309
Opcode ID: 8baffc0a3f58290862e6d68fd225efbeb8791f13a2a5dc794e8772a1ba0d9e5e
Instruction ID: 69877f113d9a23dfec359bee7a64b41cc3967e04c30e5e6da35c7d5a9ae7c92f
Opcode Fuzzy Hash: 8baffc0a3f58290862e6d68fd225efbeb8791f13a2a5dc794e8772a1ba0d9e5e
Instruction Fuzzy Hash: A2513E71409B448EC70BEF39C06632AB7D4EFAA384F409B4FE58666293E778454D8287

Function 0040C230 Relevance: 8.9, Strings: 7, Instructions: 128COMMON

Download Yara Rule

Strings

runtime: s.allocCount= s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedRtlGetN, xrefs: 0040C3D0
freeIndex is not validoldoverflow is not nils.freeindex > s.nelemsbad sweepgen in refillspan has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not o, xrefs: 0040C3B0
s.allocCount= nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod, xrefs: 0040C32C
s.allocCount != s.nelems && freeIndex == s.nelemsdelayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablenot enough sign, xrefs: 0040C43E
1, xrefs: 0040C447
s.nelems= of size runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64, xrefs: 0040C366, 0040C40A
s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedRtlGetNtVersionNumbers, xrefs: 0040C39A

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: s.nelems= of size runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64$1$freeIndex is not validoldoverflow is not nils.freeindex > s.nelemsbad sweepgen in refillspan has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not o$runtime: s.allocCount= s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedRtlGetN$s.allocCount != s.nelems && freeIndex == s.nelemsdelayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablenot enough sign$s.allocCount > s.nelems/gc/heap/allocs:objectsmissing type in runfinqruntime: internal errorwork.nwait > work.nprocleft over markroot jobsgcDrain phase incorrectMB during sweep; swept bad profile stack countruntime: netpoll failedRtlGetNtVersionNumbers$s.allocCount= nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod
API String ID: 0-4108374785
Opcode ID: 70eaae74c5d76de4ad09092affad1cf90ecb747016f093b2af87d50309681575
Instruction ID: c0f7344dcff2dc5f716eb97af03ec686f4addf8ea6041382b57d98bd1bf14694
Opcode Fuzzy Hash: 70eaae74c5d76de4ad09092affad1cf90ecb747016f093b2af87d50309681575
Instruction Fuzzy Hash: 375107B40083549AC344EF65C19026EB7E0FF98708F90985EF8D887382E778D945EB6B

Function 004615B0 Relevance: 8.9, Strings: 7, Instructions: 123COMMON

Download Yara Rule

Strings

runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno data availableexec format errorLookupAccountSidWDnsRecordListFreeGetCurrentProcessGetShortPathNameWWSAEnumProtocolsWRegLoadMUIStringWmultipartmaxpartsreflect.Value.Uintserv, xrefs: 0046166D
base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegcallocmW, xrefs: 00461696
etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptember-07:0, xrefs: 0046174D
not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateDirectoryWFlushFileBuffersGetC, xrefs: 004616C0
types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovemberDece, xrefs: 00461723
runtime: text offset base pointer out of rangebufio: reader returned negative count from Readunexpected error wrapping poll.ErrFileClosing: reflect.Value.Bytes of unaddressable byte arrayslice bounds out of range [::%x] with length %yP has cached GC work at en, xrefs: 00461793
., xrefs: 0046179C

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovemberDece$ base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegcallocmW$ etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptember-07:0$ not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCreateDirectoryWFlushFileBuffersGetC$.$runtime: text offset base pointer out of rangebufio: reader returned negative count from Readunexpected error wrapping poll.ErrFileClosing: reflect.Value.Bytes of unaddressable byte arrayslice bounds out of range [::%x] with length %yP has cached GC work at en$runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno data availableexec format errorLookupAccountSidWDnsRecordListFreeGetCurrentProcessGetShortPathNameWWSAEnumProtocolsWRegLoadMUIStringWmultipartmaxpartsreflect.Value.Uintserv
API String ID: 0-1432873523
Opcode ID: ede6dafcac25a1760a948e1c2b9b653e286d272c438f7ecec3bc37634bd6d316
Instruction ID: 8e798a1d2312d316292b43de35c69e40b1da4e2db5f8249b87a8acadeb768228
Opcode Fuzzy Hash: ede6dafcac25a1760a948e1c2b9b653e286d272c438f7ecec3bc37634bd6d316
Instruction Fuzzy Hash: 78511BB4508705DFC344EF65C481A6AB7F0FF88308F44992EE88987361EB389949DB97

Function 00415160 Relevance: 8.9, Strings: 7, Instructions: 105COMMON

Download Yara Rule

Strings

9, xrefs: 0041520C
runtime: checkmarks found unexpected unmarked object obj=GODEBUG=execwait=2 detected a leaked exec.Cmd created by:reflect: reflect.Value.Elem on an invalid notinheap pointerunexpected malloc header in delayed zeroing of large objectsync/atomic: store of incon, xrefs: 00415203
runtime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of me, xrefs: 0041523C
) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm, xrefs: 00415290
objgc %: gp *(in n= ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanf, xrefs: 004152D1
base of <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+134, xrefs: 004152AB
checkmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscall, xrefs: 0041530C

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: ) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm$9$base of <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+134$checkmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscall$objgc %: gp *(in n= ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanf$runtime: checkmarks found unexpected unmarked object obj=GODEBUG=execwait=2 detected a leaked exec.Cmd created by:reflect: reflect.Value.Elem on an invalid notinheap pointerunexpected malloc header in delayed zeroing of large objectsync/atomic: store of incon$runtime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of me
API String ID: 0-2953137140
Opcode ID: 8d4f20fa257f4dba0100c20701d8b1b91c6cd5d0bc3cc889e45ccb4204fc6d8c
Instruction ID: dcc7d37e97a34984d87f630a7a8289da972a49e8f9c43accd7125e52c7054e4e
Opcode Fuzzy Hash: 8d4f20fa257f4dba0100c20701d8b1b91c6cd5d0bc3cc889e45ccb4204fc6d8c
Instruction Fuzzy Hash: 43413AB41097449FC340EF29C491B9ABBE0EF89308F45885EE9C887352D7789948DF97

Function 00443FD0 Relevance: 7.6, Strings: 6, Instructions: 114COMMON

Download Yara Rule

Strings

bad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch152587890625762939453125invalid slothost is downillegal seekGetLengthSidGetLastErrorGetStdHandleGetTempPathWLoadLibr, xrefs: 00444184
preempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckruntime.gopanic476837158203125advertise errorkey has expirednetwork is downno medium foundno such processGetAdaptersInfoCreat, xrefs: 0044414C
in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.semawakeup298023223876953125unable to parse IPsegmentation faultoperation canceledno child processesconnection refusedRFS spec, xrefs: 00444131
%, xrefs: 00444110
runtime: unexpected SPWRITE function all goroutines are asleep - deadlock!2220446049250313080847263336181640625godebug: unexpected IncNonDefault of cannot exec a shared library directlyvalue too large for defined data typecannot create context from nil parentt, xrefs: 00444107
preempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruption186264514923095703125931322574615478515625bad type in compare: IPv4 address too longtrace/br, xrefs: 00444162

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.semawakeup298023223876953125unable to parse IPsegmentation faultoperation canceledno child processesconnection refusedRFS spec$%$bad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch152587890625762939453125invalid slothost is downillegal seekGetLengthSidGetLastErrorGetStdHandleGetTempPathWLoadLibr$preempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckruntime.gopanic476837158203125advertise errorkey has expirednetwork is downno medium foundno such processGetAdaptersInfoCreat$preempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruption186264514923095703125931322574615478515625bad type in compare: IPv4 address too longtrace/br$runtime: unexpected SPWRITE function all goroutines are asleep - deadlock!2220446049250313080847263336181640625godebug: unexpected IncNonDefault of cannot exec a shared library directlyvalue too large for defined data typecannot create context from nil parentt
API String ID: 0-1341020396
Opcode ID: a5e1bca6b94905c07c41c1c90706ff0b422841710b93f402d244acb5bc346468
Instruction ID: ad408563bafe0cd09adc1c9a3d490920fe2f81fcef738c24150ba287d6ccc7cd
Opcode Fuzzy Hash: a5e1bca6b94905c07c41c1c90706ff0b422841710b93f402d244acb5bc346468
Instruction Fuzzy Hash: 465105B46087009FD314EF25C195A2ABBE1FF98708F01985EE8C98B352DB78D948DF56

Function 0043DE30 Relevance: 7.6, Strings: 6, Instructions: 98COMMON

Download Yara Rule

Strings

runtime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function 277555756156289135105907917022705078125IPv4 field must have at least one digittransport endpoint is already connectedFailed to send status chec, xrefs: 0043DE9B
7, xrefs: 0043DFD7
casfrom_Gscanstatus:top gp->status is not in scan state is currently not supported for use in system callbackseach colon-separated field must have at least one digitstrings: illegal use of non-zero Builder copied by valuenon-empty pointer map passed for non-po, xrefs: 0043DFCE
runtime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=methodValueCallFrameObjs is not in a modulemult64bitPow10: power of 10 is out of rangeinterrupted system call should be restartedreflect: funcLayout with interface receiver s, xrefs: 0043DF42
casfrom_Gscanstatus: gp->status is not in scan stateExit Node: Read %d bytes from target for Stream ID %dnon-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bou, xrefs: 0043DF27
, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm=244140625rwxrwxrwxinterruptbus errorFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dllClassINETAuthorityquestionspsapi.dllInheritedpclmulqd, xrefs: 0043DEBD, 0043DF64

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: , oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm=244140625rwxrwxrwxinterruptbus errorFindCloseLocalFreeMoveFileWWriteFileWSASendTontdll.dllClassINETAuthorityquestionspsapi.dllInheritedpclmulqd$7$casfrom_Gscanstatus: gp->status is not in scan stateExit Node: Read %d bytes from target for Stream ID %dnon-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class bou$casfrom_Gscanstatus:top gp->status is not in scan state is currently not supported for use in system callbackseach colon-separated field must have at least one digitstrings: illegal use of non-zero Builder copied by valuenon-empty pointer map passed for non-po$runtime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=methodValueCallFrameObjs is not in a modulemult64bitPow10: power of 10 is out of rangeinterrupted system call should be restartedreflect: funcLayout with interface receiver s$runtime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function 277555756156289135105907917022705078125IPv4 field must have at least one digittransport endpoint is already connectedFailed to send status chec
API String ID: 0-4060435565
Opcode ID: 65f8cf30876a589e804f79b1671db6ea620f08c65b1ccf6949839aab19165f2c
Instruction ID: f8ca82d709463d0025a5638a40aeee3a8b13a17425545e52debb7e135d947f59
Opcode Fuzzy Hash: 65f8cf30876a589e804f79b1671db6ea620f08c65b1ccf6949839aab19165f2c
Instruction Fuzzy Hash: D841F3B45087048FC300FF65D18576EBBE0EF88308F41981EE9C887352EB3899489BA7

Function 0043E0D0 Relevance: 6.5, Strings: 5, Instructions: 297COMMON

Download Yara Rule

Strings

1, xrefs: 0043E423
casgstatus: waiting for Gwaiting but is Grunnablenot enough significant bits after mult128bitPow10the :: must expand to at least one field of zerosinvalid or incomplete multibyte or wide charactergo package net: dynamic selection of DNS resolverruntime: unabl, xrefs: 0043E41A
casgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: split stack overflow: ...additional frames elided...unsafe.String: len out of range11368683772161602973937988281255684341886080801486968994140625zone must be, xrefs: 0043E4C8
newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_out, xrefs: 0043E494
runtime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid , xrefs: 0043E46A

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (MISSING)%!(EXTRA files,dnsdns,filesipv6-icmp_out$1$casgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: split stack overflow: ...additional frames elided...unsafe.String: len out of range11368683772161602973937988281255684341886080801486968994140625zone must be$casgstatus: waiting for Gwaiting but is Grunnablenot enough significant bits after mult128bitPow10the :: must expand to at least one field of zerosinvalid or incomplete multibyte or wide charactergo package net: dynamic selection of DNS resolverruntime: unabl$runtime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid
API String ID: 0-4136709329
Opcode ID: f992372dafc6c909db0effe0e011d98e93f348b1ce9fa512eab48bc2c57231a2
Instruction ID: 60ebbe3695e81d8bc1d688524b408e6bc0354754b08c0aeb4726d890cc2252cc
Opcode Fuzzy Hash: f992372dafc6c909db0effe0e011d98e93f348b1ce9fa512eab48bc2c57231a2
Instruction Fuzzy Hash: 11C1277010A3458FD314EF26C09076BBBE1FF88304F54996EE895873A2D778E845DB8A

Function 00450850 Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

!, xrefs: 00450AE3
out of memory is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=, xrefs: 004509BB
stackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of range14210854715202003717422485351562571054273576010018587112426757, xrefs: 00450ADA
stack size not a power of 2too many callback functionstimer when must be positive: unexpected return pc for 363797880709171295166015625IPv6 field has value >=2^16channel number out of rangecommunication error on sendkey was rejected by servicenot a XENIX named, xrefs: 00450AC4
out of memory (stackalloc)shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory1455191522836685180664062572759576141834259033203125invalid request descriptorno CSI structure availablerequired key not availableno message of desired type, xrefs: 004508F0

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: !$out of memory (stackalloc)shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory1455191522836685180664062572759576141834259033203125invalid request descriptorno CSI structure availablerequired key not availableno message of desired type$out of memory is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=$stack size not a power of 2too many callback functionstimer when must be positive: unexpected return pc for 363797880709171295166015625IPv6 field has value >=2^16channel number out of rangecommunication error on sendkey was rejected by servicenot a XENIX named$stackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of range14210854715202003717422485351562571054273576010018587112426757
API String ID: 0-2902031945
Opcode ID: e9434a3c8120c53ebff57357947320cf0648e246488d42e49776e31014ac6f19
Instruction ID: 4938389fe009ad404551de69f93fa163d2c8dd0d9ba31e3789a80a1da3c73113
Opcode Fuzzy Hash: e9434a3c8120c53ebff57357947320cf0648e246488d42e49776e31014ac6f19
Instruction Fuzzy Hash: 20816C786097058FD714DF29C08066EB7F2FF99314F14882EE88587356E738D94ACB8A

Function 0040D360 Relevance: 6.4, Strings: 5, Instructions: 181COMMON

Download Yara Rule

Strings

persistentalloc: size == 0/gc/cycles/total:gc-cyclesnegative idle mark workersuse of invalid sweepLockerruntime: bad span s.state=freedefer with d.fn != nilforEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meentersyscall inconsistent , xrefs: 0040D5DC
runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 0040D588
*, xrefs: 0040D5CF
persistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/classes/metadata/mcache/free:bytes/memory/classes/metadata/mspan/inuse:bytesnon-empty mark queue after concurrent marksweep: t, xrefs: 0040D5C6
persistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: incons, xrefs: 0040D5B0

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: *$persistentalloc: align is not a power of 2out of memory allocating checkmarks bitmap/cpu/classes/gc/mark/dedicated:cpu-seconds/memory/classes/metadata/mcache/free:bytes/memory/classes/metadata/mspan/inuse:bytesnon-empty mark queue after concurrent marksweep: t$persistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: incons$persistentalloc: size == 0/gc/cycles/total:gc-cyclesnegative idle mark workersuse of invalid sweepLockerruntime: bad span s.state=freedefer with d.fn != nilforEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meentersyscall inconsistent $runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
API String ID: 0-1480168796
Opcode ID: ee3d75b10f3034bcdb2eaba3c0c387d8aacab423aa12b8dea82b6349dfe30c37
Instruction ID: dae5ebd936b47f3f7a049f5c34c6c785e4ba7a5bcff2b30a68932cbc59c0f3e4
Opcode Fuzzy Hash: ee3d75b10f3034bcdb2eaba3c0c387d8aacab423aa12b8dea82b6349dfe30c37
Instruction Fuzzy Hash: 6D815CB4A09705CFC714DF64C48066ABBE1FF89318F10992EE89897391D738E94ACF46

Function 0041DB20 Relevance: 6.4, Strings: 5, Instructions: 178COMMON

Download Yara Rule

Strings

+, xrefs: 0041DDA5
sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasen, xrefs: 0041DCF8
gc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 0041DD45
non in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=ru, xrefs: 0041DD9C
s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= , xrefs: 0041DD64

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: +$gc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$non in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=ru$s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= $sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasen
API String ID: 0-129831425
Opcode ID: c11d868dec98aa1aea7521d152da0dead3a217a4fff77393a613a0044db83baa
Instruction ID: f9d9d57a8d8c8b24f6f58bd8bfb2410d8c5e8701347621514a79983f34e39113
Opcode Fuzzy Hash: c11d868dec98aa1aea7521d152da0dead3a217a4fff77393a613a0044db83baa
Instruction Fuzzy Hash: FE715FB460C3418FC704EF25C09066ABBE1BF89308F55885EF9C987352D778D989CB9A

Function 00426CF0 Relevance: 6.4, Strings: 5, Instructions: 155COMMON

Download Yara Rule

Strings

s.sweepgen= allocCount end tracegcProcessPrng, xrefs: 00426EDC
sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine 1220703125, xrefs: 00426F06
AF, xrefs: 00426E61
non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: split stack overflow: ...additional frames elided...unsafe.String: len out of range1136868377216160297393798828125568434188608, xrefs: 00426F3A
runtime: bad span s.state=freedefer with d.fn != nilforEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meentersyscall inconsistent inittask with no functionscorrupted semaphore ticketout of memory (stackalloc)shrinking stack in libcall, xrefs: 00426EAE

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: s.sweepgen= allocCount end tracegcProcessPrng$ sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine 1220703125$non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: split stack overflow: ...additional frames elided...unsafe.String: len out of range1136868377216160297393798828125568434188608$runtime: bad span s.state=freedefer with d.fn != nilforEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meentersyscall inconsistent inittask with no functionscorrupted semaphore ticketout of memory (stackalloc)shrinking stack in libcall$AF
API String ID: 0-2103893276
Opcode ID: f2353677582116173b9bf4d8261dffe9c36650ec14b44dfbab4a17a43ef56779
Instruction ID: f2dad3ec18ba70d275316a3683cff0e34660a5d397c8d60a6e2af3acbe29feab
Opcode Fuzzy Hash: f2353677582116173b9bf4d8261dffe9c36650ec14b44dfbab4a17a43ef56779
Instruction Fuzzy Hash: D56138B42093458FC744EF25D090A6ABBF0AF88308F81895EF8D887362D738D949DF56

Function 00414250 Relevance: 6.4, Strings: 5, Instructions: 153COMMON

Download Yara Rule

Strings

span has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p stateassembly checks fa, xrefs: 00414451
bad sweepgen in refillspan has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p s, xrefs: 00414489
out of memory is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=, xrefs: 00414467
(, xrefs: 004144A8
refill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memo, xrefs: 0041449F

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: ($bad sweepgen in refillspan has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p s$out of memory is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=$refill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memo$span has no free space/gc/scan/globals:bytes/gc/heap/frees:objectsruntime: work.nwait = runtime:scanstack: gp=scanstack - bad statusheadTailIndex overflowruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p stateassembly checks fa
API String ID: 0-4022714126
Opcode ID: 721e4ded0970a36a15a337b9fe983fda3579ff0efbd6ffb7eca7e90be4661869
Instruction ID: cf5401e9c8c3bc6069cf0b16d4d917035ab18dee61e70ff8870e79d0758fb799
Opcode Fuzzy Hash: 721e4ded0970a36a15a337b9fe983fda3579ff0efbd6ffb7eca7e90be4661869
Instruction Fuzzy Hash: 00612DB05087048FC344EF29D590A6ABBF1FF88304F41996EE8988B392D778D949DF56

Function 0041CDB0 Relevance: 6.4, Strings: 5, Instructions: 137COMMON

Download Yara Rule

Strings

runtime: want=MB; allocated timeEndPeriod, xrefs: 0041CF2D
>, xrefs: 0041CF98
limiterEvent.stop: found wrong event in p's limiter event slotslice length too short to convert to array or pointer to arrayruntime: internal error: misuse of lockOSThread/unlockOSThreadmalformed GOMEMLIMIT; see `go doc runtime/debug.SetMemoryLimit`runtime.Set, xrefs: 0041CF8F
limiterEvent.stop: invalid limiter event type foundpotentially overlapping in-use allocations detectedruntime: netpoll: PostQueuedCompletionStatus failedfatal: systemstack called from unexpected goroutinegodebug: Value of name not listed in godebugs.All: Faile, xrefs: 0041CF0E
got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13u, xrefs: 0041CF5B

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13u$>$limiterEvent.stop: found wrong event in p's limiter event slotslice length too short to convert to array or pointer to arrayruntime: internal error: misuse of lockOSThread/unlockOSThreadmalformed GOMEMLIMIT; see `go doc runtime/debug.SetMemoryLimit`runtime.Set$limiterEvent.stop: invalid limiter event type foundpotentially overlapping in-use allocations detectedruntime: netpoll: PostQueuedCompletionStatus failedfatal: systemstack called from unexpected goroutinegodebug: Value of name not listed in godebugs.All: Faile$runtime: want=MB; allocated timeEndPeriod
API String ID: 0-2752319557
Opcode ID: 5b85751be5a4169c28d9f80a4cd313c0e147efcb688fce551df7f3823bb53278
Instruction ID: f2276967c4ea0a36ddf618ab9a1b96884a261dc84fbf3042525a9b64f3fc0352
Opcode Fuzzy Hash: 5b85751be5a4169c28d9f80a4cd313c0e147efcb688fce551df7f3823bb53278
Instruction Fuzzy Hash: DF5158B05497049FC714EF25C4917AEBBE2AF88704F40982EE4C883391DB38D986DB4B

Function 00436B00 Relevance: 6.3, Strings: 5, Instructions: 74COMMON

Download Yara Rule

Strings

., xrefs: 00436BA9
already; errno=runtime stack:invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinva, xrefs: 00436BCF
runtime: failed to create new OS thread (have runtime: panic before malloc heap initializedstopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base poin, xrefs: 00436BA0
) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm, xrefs: 00436BF9
runtime.newosprocruntime/internal/thread exhaustionlocked m0 woke upentersyscallblock spinningthreads=gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong, xrefs: 00436C14

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: already; errno=runtime stack:invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinva$) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm$.$runtime.newosprocruntime/internal/thread exhaustionlocked m0 woke upentersyscallblock spinningthreads=gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong$runtime: failed to create new OS thread (have runtime: panic before malloc heap initializedstopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executionruntime: name offset base pointer out of rangeruntime: type offset base poin
API String ID: 0-773840574
Opcode ID: fae2f7efd013461163e415d50d6878821613eb43e0483f310c8afcfcef45cb0e
Instruction ID: 4c5cdd3165ea79b07941d19889fd5d9bf31d5f62f00ae4de94e299e959d0fc95
Opcode Fuzzy Hash: fae2f7efd013461163e415d50d6878821613eb43e0483f310c8afcfcef45cb0e
Instruction Fuzzy Hash: 1D31E2B45093049FD304EF65D48575ABBE4FF88308F41982EE8C887351EB789948DB8A

Function 00418B60 Relevance: 5.4, Strings: 4, Instructions: 364COMMON

Download Yara Rule

Strings

runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64, xrefs: 004190AE
!= sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase, xrefs: 00419101
p mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not foundpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeup, xrefs: 00419135
flushGen MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nan, xrefs: 004190D7

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase$ flushGen MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nan$p mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not foundpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeup$runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64
API String ID: 0-3407218033
Opcode ID: 5185b6e3b26d2392be76ff846d5cffb7d459f38a0e947d7a3d2f834a429f8597
Instruction ID: e5767b86f85a4907806c87cb152cfe932a0dfe52ac3839b4bea86a2c464783ec
Opcode Fuzzy Hash: 5185b6e3b26d2392be76ff846d5cffb7d459f38a0e947d7a3d2f834a429f8597
Instruction Fuzzy Hash: 560215B45083408FD314EF25D49575ABBE0FF89314F10891EE4998B3A2EB78D889DF56

Function 0041D3B0 Relevance: 5.3, Strings: 4, Instructions: 288COMMON

Download Yara Rule

Strings

runtime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seq, xrefs: 0041D60C
markroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding, xrefs: 0041D6A5
) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm, xrefs: 0041D68A
not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: hol, xrefs: 0041D636

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: hol$) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm$markroot: bad indexnwait > work.nprocs, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding$runtime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seq
API String ID: 0-146678372
Opcode ID: cdbfeff3bdbac45b7b7d511ca8594089cd9cb850740dc15cc356998b79f76cc5
Instruction ID: 11cc2ec9f6ebbc5af1fb648ee4378967d930c01a4fe2dba037c91243681ca58b
Opcode Fuzzy Hash: cdbfeff3bdbac45b7b7d511ca8594089cd9cb850740dc15cc356998b79f76cc5
Instruction Fuzzy Hash: 34D109B4A08305CFC318EF25C58565ABBF1FB88304F40892EE88987351D778E985DF56

Function 00437680 Relevance: 5.3, Strings: 4, Instructions: 251COMMON

Download Yara Rule

Strings

runtime.preemptM: duplicatehandle failedglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many arguments13877787807814456755295395851135253906256938893903907228377647697925567626953125ryuFtoaFixed32 calle, xrefs: 00437AB6
self-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch152587890625762939453125invalid slothost is downillegal seekGetLengthSidGetLastE, xrefs: 00437ACC
runtime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10syscall: string with NUL passed to StringToUTF16parsing/packing of t, xrefs: 00437A7F
(, xrefs: 00437ABF

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: ($runtime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10syscall: string with NUL passed to StringToUTF16parsing/packing of t$runtime.preemptM: duplicatehandle failedglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many arguments13877787807814456755295395851135253906256938893903907228377647697925567626953125ryuFtoaFixed32 calle$self-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch152587890625762939453125invalid slothost is downillegal seekGetLengthSidGetLastE
API String ID: 0-858039921
Opcode ID: 0b569679e981a016ed8b9f749d5c9b5edb4f1f07881dcb3c0b597482bd2efdd2
Instruction ID: 204ad1d036eb5e4fc0057c6f74a78a79fa4468fb0f133b724d4e7b58bae32505
Opcode Fuzzy Hash: 0b569679e981a016ed8b9f749d5c9b5edb4f1f07881dcb3c0b597482bd2efdd2
Instruction Fuzzy Hash: E8C118B450D7458FD329EF24C194B6ABBE4FF89308F00996EE4C887392D7789944DB4A

Function 0043F480 Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.semawakeup298023223876953125unable to parse IPsegmentation faultoperation canceledno child processesconnecti, xrefs: 0043F7F7
forEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timer3552713678800500929355621337890625too many references: cannot spliceSetFileCompletionNotificationModesunexpected runtime.net, xrefs: 0043F80D
", xrefs: 0043F816
forEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meentersyscall inconsistent inittask with no functionscorrupted semaphore ticketout of memory (stackalloc)shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory, xrefs: 0043F7E1

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: "$forEachP: P did not run fnwakep: negative nmspinningstartlockedm: locked to meentersyscall inconsistent inittask with no functionscorrupted semaphore ticketout of memory (stackalloc)shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory$forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.semawakeup298023223876953125unable to parse IPsegmentation faultoperation canceledno child processesconnecti$forEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timer3552713678800500929355621337890625too many references: cannot spliceSetFileCompletionNotificationModesunexpected runtime.net
API String ID: 0-3611715326
Opcode ID: b100f7d27872059a47aefdd6bf5bd881dba0a2cc3fc08170f384a594eecb1600
Instruction ID: bb909b5d84f44afc2df4ef838a5cb9b38dfa1ce79a9d8b89b8e1dab0322180fc
Opcode Fuzzy Hash: b100f7d27872059a47aefdd6bf5bd881dba0a2cc3fc08170f384a594eecb1600
Instruction Fuzzy Hash: 6DB1F4746097418FC308DF25D491A2ABBF1BF9D304F50996EE8858B362D738E84ADB46

Function 00435100 Relevance: 5.2, Strings: 4, Instructions: 247COMMON

Download Yara Rule

Strings

runtime: netpoll failedRtlGetNtVersionNumbers, xrefs: 0043538A
runtime: GetQueuedCompletionStatusEx failed (errno= casfrom_Gscanstatus: gp->status is not in scan stateExit Node: Read %d bytes from target for Stream ID %dnon-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uint, xrefs: 00435346
) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallpro, xrefs: 0043536F
4, xrefs: 0043534F

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallpro$4$runtime: GetQueuedCompletionStatusEx failed (errno= casfrom_Gscanstatus: gp->status is not in scan stateExit Node: Read %d bytes from target for Stream ID %dnon-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uint$runtime: netpoll failedRtlGetNtVersionNumbers
API String ID: 0-993846852
Opcode ID: 29a4fd480f7de51d4b2a2317c7a7205f53c086ce4527f0e82d437d89734ca372
Instruction ID: db147dcdb71929e4a089edade569723e1b11fea9453168cb0a768ac591f20f18
Opcode Fuzzy Hash: 29a4fd480f7de51d4b2a2317c7a7205f53c086ce4527f0e82d437d89734ca372
Instruction Fuzzy Hash: 43A17BB0109B418FD714DF25C080B5FB7E1AF88708F54992EE99987381DB39E949CB9B

Function 0040B180 Relevance: 5.2, Strings: 4, Instructions: 182COMMON

Download Yara Rule

Strings

1, xrefs: 0040B3C8
runtime: unable to acquire - semaphore out of syncmallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEve, xrefs: 0040B3A9
runtime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsdelayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: wai, xrefs: 0040B3BF
notetsleep - waitm out of syncfailed to get system page sizeassignment to entry in nil mapruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/tot, xrefs: 0040B233

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: 1$notetsleep - waitm out of syncfailed to get system page sizeassignment to entry in nil mapruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:cpu-seconds/gc/cycles/automatic:gc-cycles/sched/pauses/total/gc:seconds/sync/mutex/wait/tot$runtime: unable to acquire - semaphore out of syncmallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEve$runtime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsdelayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: wai
API String ID: 0-2424477488
Opcode ID: f6ff3aed7bc44cbe706e4451685eec2f532faadd0c6c69db9183f104229a8e93
Instruction ID: c23de695b375a1d27a2d4156dc43a560e9a3ec8389a2b95bba70cf45fc192049
Opcode Fuzzy Hash: f6ff3aed7bc44cbe706e4451685eec2f532faadd0c6c69db9183f104229a8e93
Instruction Fuzzy Hash: B8716EB46083519FC305DF29C084B1EBBE1AF98308F09896DE8D89B392D775DC45DB96

Function 00453F30 Relevance: 5.2, Strings: 4, Instructions: 159COMMON

Download Yara Rule

Strings

-, xrefs: 004540C3
-, xrefs: 004540A1
-, xrefs: 0045407C
-, xrefs: 00453F56

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: -$-$-$-
API String ID: 0-1033403326
Opcode ID: b590c92c2adf7b940816abf60e01e197facf12322e7b90cf2da97c5c58e207e5
Instruction ID: d4c9dbf66dafffd94ec74c6255fd574ac0c90c64840e54c8dc7431c091842afa
Opcode Fuzzy Hash: b590c92c2adf7b940816abf60e01e197facf12322e7b90cf2da97c5c58e207e5
Instruction Fuzzy Hash: 945101B2A093564FD715CE18985431EBBD1ABD0309F58862DD8948B3D2E37D8A4E87C6

Function 00405060 Relevance: 5.1, Strings: 4, Instructions: 137COMMON

Download Yara Rule

Strings

M [("")) ) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=, xrefs: 004050E6
procid eax ebx ecx edx edi esi ebp esp eip eflags cs fs gs is not pointerBAD RANK status unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= sta, xrefs: 00405110
out of bounds [/gc/gogc:percent, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 00405164
runtime: cgocallback with sp=runtime: bad g in cgocallback (types from different scopes)notetsleep - waitm out of syncfailed to get system page sizeassignment to entry in nil mapruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:c, xrefs: 0040513A

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: out of bounds [/gc/gogc:percent, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ procid eax ebx ecx edx edi esi ebp esp eip eflags cs fs gs is not pointerBAD RANK status unknown(trigger= npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= sta$ runtime: cgocallback with sp=runtime: bad g in cgocallback (types from different scopes)notetsleep - waitm out of syncfailed to get system page sizeassignment to entry in nil mapruntime: found in object at *( in prepareForSweep; sweepgen /cpu/classes/total:c$M [("")) ) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=
API String ID: 0-1180118442
Opcode ID: 30b8846cb9b7de86923cbf3b4a52475119dfb9a322fb7f0c0b38fee8e088cabf
Instruction ID: bbf2af95c3b073296b4fe45af95c73c1e6307a567785cfe4ddff6250cc9bd888
Opcode Fuzzy Hash: 30b8846cb9b7de86923cbf3b4a52475119dfb9a322fb7f0c0b38fee8e088cabf
Instruction Fuzzy Hash: 6851F8B45097089FC740EF65C18075ABBE0FF88308F5089AEE9889B351D739E949DF96

Function 0045F950 Relevance: 5.1, Strings: 4, Instructions: 135COMMON

Download Yara Rule

Strings

2, xrefs: 0045FA7D
[originating from goroutine 18189894035458564758300781259094947017729282379150390625file descriptor in bad statedestination address requiredprotocol driver not attachedCertCreateCertificateContextabi.NewName: name too long: mismatched local address typeexec: W, xrefs: 0045F97C
]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprootitabsbrkidledead is LEAFb, xrefs: 0045F9A6
...additional frames elided...unsafe.String: len out of range11368683772161602973937988281255684341886080801486968994140625zone must be a non-empty stringcannot assign requested address.lib section in a.out corruptedbufio: tried to fill full buffergo package , xrefs: 0045FA89

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: ...additional frames elided...unsafe.String: len out of range11368683772161602973937988281255684341886080801486968994140625zone must be a non-empty stringcannot assign requested address.lib section in a.out corruptedbufio: tried to fill full buffergo package $2$[originating from goroutine 18189894035458564758300781259094947017729282379150390625file descriptor in bad statedestination address requiredprotocol driver not attachedCertCreateCertificateContextabi.NewName: name too long: mismatched local address typeexec: W$]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprootitabsbrkidledead is LEAFb
API String ID: 0-2001881887
Opcode ID: 10ffb95f802a8d4750f89734ffe1c75408ee38e7578d1468ceb025ec4493491c
Instruction ID: b486b2ecf3c74d537c75abba6250e72881a688e8ee55b94d8ab66e64fdd535cc
Opcode Fuzzy Hash: 10ffb95f802a8d4750f89734ffe1c75408ee38e7578d1468ceb025ec4493491c
Instruction Fuzzy Hash: 9751D3B460C3419FC304EF25C190A2ABBE1AF88715F54896EF8C887352DB38E949DB57

Function 004156A0 Relevance: 5.1, Strings: 4, Instructions: 121COMMON

Download Yara Rule

Strings

bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: , xrefs: 004157BF, 0041583F
out of memory is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=, xrefs: 004157F3
runtime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: spl, xrefs: 00415873
runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: invalid p statecheckdead:, xrefs: 00415795, 00415815

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: $out of memory is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=$runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: invalid p statecheckdead:$runtime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: spl
API String ID: 0-82273310
Opcode ID: 4af118c573b4b3e7f7a2552a991e9375d91db7733d981a97672f71ae2d99292e
Instruction ID: e29570d5ab88a5c0e782f58b6befebaf6addbc43dc97f178ddb589ba7dfcc98a
Opcode Fuzzy Hash: 4af118c573b4b3e7f7a2552a991e9375d91db7733d981a97672f71ae2d99292e
Instruction Fuzzy Hash: A051F3B4108705CFD340EF65C49179EB7E0EB8C308F40982EE99883381E77899899F9B

Function 00452530 Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceRegion: alloc too large[originating from goroutine 18189894035458564758300781259094947017729282379150390625file descriptor in bad statedestinat, xrefs: 0045268B
bad status in shrinkstackmissing traceGCSweepStart2910383045673370361328125IPv4 field has value >255resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPa, xrefs: 00452675
shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory1455191522836685180664062572759576141834259033203125invalid request descriptorno CSI structure availablerequired key not availableno message of desired typename not unique on network, xrefs: 00452649
shrinkstack at bad timereflect.methodValueCall23283064365386962890625device or resource busyinterrupted system callno space left on deviceoperation not supportedoperation not permittedCertGetCertificateChainFreeEnvironmentStringsWGetEnvironmentVariableWGetSyst, xrefs: 0045265F

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: bad status in shrinkstackmissing traceGCSweepStart2910383045673370361328125IPv4 field has value >255resource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPa$missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceRegion: alloc too large[originating from goroutine 18189894035458564758300781259094947017729282379150390625file descriptor in bad statedestinat$shrinking stack in libcallruntime: pcHeader: magic= traceRegion: out of memory1455191522836685180664062572759576141834259033203125invalid request descriptorno CSI structure availablerequired key not availableno message of desired typename not unique on network$shrinkstack at bad timereflect.methodValueCall23283064365386962890625device or resource busyinterrupted system callno space left on deviceoperation not supportedoperation not permittedCertGetCertificateChainFreeEnvironmentStringsWGetEnvironmentVariableWGetSyst
API String ID: 0-1404966890
Opcode ID: b5f7645e38a6cb472544d09b4fe7212d05c92313f9dc55ae038229fbaa697176
Instruction ID: 9cb0de28833c032196120a8c3500da3e23e825a4c1936554c6bbc486b6b039af
Opcode Fuzzy Hash: b5f7645e38a6cb472544d09b4fe7212d05c92313f9dc55ae038229fbaa697176
Instruction Fuzzy Hash: E94189786047008FC718DF25D291A2A73E1FF9A704F45486EEC8987362E7B8EC49DB06

Function 0042C160 Relevance: 5.1, Strings: 4, Instructions: 95COMMON

Download Yara Rule

Strings

runtime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflo, xrefs: 0042C29F
+, xrefs: 0042C2DC
root level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=methodValueCallFrameObjs is not in a modulemu, xrefs: 0042C2D3
runtime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runt, xrefs: 0042C259

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: +$root level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=methodValueCallFrameObjs is not in a modulemu$runtime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runt$runtime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflo
API String ID: 0-2069587728
Opcode ID: b590b892d386e0b96edd03454fb27e9122f082a52a4f4809640b0bb5567e4af5
Instruction ID: 5810637721fd97ebc4f9260e6c95588109c84356bdefb35b34f73715b5cac299
Opcode Fuzzy Hash: b590b892d386e0b96edd03454fb27e9122f082a52a4f4809640b0bb5567e4af5
Instruction Fuzzy Hash: 724109B4608744CFC304EF25D091B6EBBE0BF88308F55996EE88987352DB389945DF96

Function 00415540 Relevance: 5.1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: , xrefs: 00415645
runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAdd, xrefs: 0041561B
runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec, xrefs: 00415679
!, xrefs: 00415682

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: $!$runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAdd$runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
API String ID: 0-464846790
Opcode ID: d1346c64cc3424fbced7448fb6c1fbdf2ee226fc30ff30b870c91e778456cfba
Instruction ID: eb0402943e15ad96eb03f06c49feb420b179ab6dad1ea236cf630f484daf2e97
Opcode Fuzzy Hash: d1346c64cc3424fbced7448fb6c1fbdf2ee226fc30ff30b870c91e778456cfba
Instruction Fuzzy Hash: E1311AB0608700DFC708EF25D0917AAB7E2AF88314F50892EF98983355D7389985DB9B

Function 0045CAF0 Relevance: 5.1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

Strings

", xrefs: 0045CBCE
attempted to trace a bad status for a goroutineattempting to link in too many shared librariesbufio: writer returned negative count from Writeslice bounds out of range [:%x] with capacity %yruntime: waitforsingleobject unexpected; result=CreateWaitableTimerEx , xrefs: 0045CC45
runtime: goid= in goroutine 1907348632812595367431640625file too largeis a directorylevel 2 haltedlevel 3 haltedtoo many linksno such deviceprotocol errortext file busytoo many usersCryptGenRandomCertCloseStoreCreateProcessWFindFirstFileWFormatMessageWGetConso, xrefs: 0045CC11
/, xrefs: 0045CC4E

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: "$/$attempted to trace a bad status for a goroutineattempting to link in too many shared librariesbufio: writer returned negative count from Writeslice bounds out of range [:%x] with capacity %yruntime: waitforsingleobject unexpected; result=CreateWaitableTimerEx $runtime: goid= in goroutine 1907348632812595367431640625file too largeis a directorylevel 2 haltedlevel 3 haltedtoo many linksno such deviceprotocol errortext file busytoo many usersCryptGenRandomCertCloseStoreCreateProcessWFindFirstFileWFormatMessageWGetConso
API String ID: 0-1597289052
Opcode ID: 9230d4d5508b24f0d161fe133809a4f959f440b478c120dfd5c73ddbf3d027ea
Instruction ID: 66abcc1fd4a5d9f006299883a229fd291e3dcfffc528ec6d131c447797e76219
Opcode Fuzzy Hash: 9230d4d5508b24f0d161fe133809a4f959f440b478c120dfd5c73ddbf3d027ea
Instruction Fuzzy Hash: 10419AB45083449FC300DF66C09461AFBE0BF89758F40892EE9D897352D7B8A949CF97

Function 00431380 Relevance: 5.1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

Strings

, xrefs: 00431468
, xrefs: 0043141B
, xrefs: 00431413
, xrefs: 004313EE

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: $ $ $
API String ID: 0-3535155489
Opcode ID: fe1e3152f6cfa4c2189269bb4e5f408dde4f9cfad6c1ff862d8af1c044846f9f
Instruction ID: 5d81aca682314557c982b7bb72dce441b60d736a6e6a6c09b2129089a2cc1ba8
Opcode Fuzzy Hash: fe1e3152f6cfa4c2189269bb4e5f408dde4f9cfad6c1ff862d8af1c044846f9f
Instruction Fuzzy Hash: 5631B2746083418FD328DF15D094A6BBBE2BFC8718F10992EE48987761DB39A949CF47

Function 00425DA0 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: (, xrefs: 00425E35
too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timer3552713678800500929355, xrefs: 00425E69
runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckruntime.gopanic476837158203125adver, xrefs: 00425E07
", xrefs: 00425E72

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: npages= nalloc= nfreed=runtime.[signal reflect. newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnk method: ($"$runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckruntime.gopanic476837158203125adver$too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already set in timer3552713678800500929355
API String ID: 0-1504365986
Opcode ID: aa02d357239e3e68f8083561a9a69f21b4baf7444e8bde4ef75aa3c8ebcaa8d8
Instruction ID: 2dc0cd07df50af94a44fb8bfd933ae964e3a7ab04a29c15e9a34ace7adcf9ab1
Opcode Fuzzy Hash: aa02d357239e3e68f8083561a9a69f21b4baf7444e8bde4ef75aa3c8ebcaa8d8
Instruction Fuzzy Hash: D9215B701186108EC300EF25D09573AB7E1EF88708F85D85EE999873A2E7389848DB6B

Function 004236B0 Relevance: 5.1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

Strings

GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime, xrefs: 00423745
malformed GOMEMLIMIT; see `go doc runtime/debug.SetMemoryLimit`runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultuser arena chunk size is not a multiple of the physical page sizerunt, xrefs: 00423779
GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pc, xrefs: 004236C7
?, xrefs: 00423782

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: ?$GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pc$GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime$malformed GOMEMLIMIT; see `go doc runtime/debug.SetMemoryLimit`runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultuser arena chunk size is not a multiple of the physical page sizerunt
API String ID: 0-1099554046
Opcode ID: ea0540e330aed416487035ce45f06f4ff617c14fa814f5a914b00c85db1baba5
Instruction ID: 35b0f3f179cf4810e6a0c6d1dc1fb296fd46c69fba74fda29b01e42f21dc8f13
Opcode Fuzzy Hash: ea0540e330aed416487035ce45f06f4ff617c14fa814f5a914b00c85db1baba5
Instruction Fuzzy Hash: C6213AB05083418FC710EF25E05162ABBF1FF88718F90895EE8D887391DB389A45CB5B

Function 00435000 Relevance: 5.1, Strings: 4, Instructions: 53COMMON

Download Yara Rule

Strings

runtime: netpoll: PostQueuedCompletionStatus failedfatal: systemstack called from unexpected goroutinegodebug: Value of name not listed in godebugs.All: Failed to send close message to middleman server: %vmallocgc called without a P or outside bootstrappingrun, xrefs: 004350D4
runtime: netpoll: PostQueuedCompletionStatus failed (errno= runtime: GetQueuedCompletionStatusEx returned invalid mode= go package net: GODEBUG setting forcing use of Go's resolverexec: Cmd started a Process but leaked without a call to WaitabiRegArgsType nee, xrefs: 0043508F
) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallpro, xrefs: 004350B9
3, xrefs: 004350DD

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = mdnsdialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallpro$3$runtime: netpoll: PostQueuedCompletionStatus failed (errno= runtime: GetQueuedCompletionStatusEx returned invalid mode= go package net: GODEBUG setting forcing use of Go's resolverexec: Cmd started a Process but leaked without a call to WaitabiRegArgsType nee$runtime: netpoll: PostQueuedCompletionStatus failedfatal: systemstack called from unexpected goroutinegodebug: Value of name not listed in godebugs.All: Failed to send close message to middleman server: %vmallocgc called without a P or outside bootstrappingrun
API String ID: 0-682007050
Opcode ID: 9f8425ef9269fe0098c6b2fbacdc71af105f5e9692bce2cbca32d5a1bfecd8da
Instruction ID: 55102773e57a206d1fe24f581cae639836691e0b6b00865180aff2c802025652
Opcode Fuzzy Hash: 9f8425ef9269fe0098c6b2fbacdc71af105f5e9692bce2cbca32d5a1bfecd8da
Instruction Fuzzy Hash: FE2127B01087048FD304EF25D09572ABBF4EF98308F40981EE8C883352EB799949DB97

Function 004158A0 Relevance: 5.0, Strings: 4, Instructions: 45COMMON

Download Yara Rule

Strings

, xrefs: 0041594D
bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: , xrefs: 00415910
runtime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAG, xrefs: 00415944
runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAdd, xrefs: 004158E6

Memory Dump Source

Source File: 0000000A.00000002.2532708995.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2532708995.00000000005F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000062C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.0000000000632000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2532708995.000000000066E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_c2SVEEbvn5.jbxd

Similarity

API ID:
String ID: $ bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p has runnable gsstoplockedm: not runnablereleasep: $runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAdd$runtime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAG
API String ID: 0-3511914922
Opcode ID: a7d109619fe20d68980b69089ef3fb5d620c346555093f1b42fac837cb3fadd5
Instruction ID: e831ae280137a815bd9cbc07886118ba5bd1da9de69c0fd05c05f5d38d0a0548
Opcode Fuzzy Hash: a7d109619fe20d68980b69089ef3fb5d620c346555093f1b42fac837cb3fadd5
Instruction Fuzzy Hash: F7119DB41097089FD340FF69C58575EBBE4EF88708F41981EE9C887341EB7899489BA7

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report c2SVEEbvn5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_euowbtn0.ig1.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_roktahm1.gj3.psm1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
c2SVEEbvn5.exe

Function 00C707A6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 025E003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 025E0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 00C70465 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Function 004034A0 Relevance: 18.8, Strings: 15, Instructions: 86
COMMON

Function 00417D50 Relevance: 16.7, Strings: 13, Instructions: 463
COMMON

Function 0040B600 Relevance: 15.2, Strings: 12, Instructions: 250
COMMON

Function 004477E0 Relevance: 14.0, Strings: 11, Instructions: 243
COMMON

Function 0040BAA0 Relevance: 12.9, Strings: 10, Instructions: 351
COMMON

Function 0041AD30 Relevance: 12.8, Strings: 10, Instructions: 286
COMMON

Function 0041B460 Relevance: 12.8, Strings: 10, Instructions: 280
COMMON