Edit tour

Windows Analysis Report
5yv6ZxNaTP.exe

Overview

General Information

Sample name:	5yv6ZxNaTP.exe renamed because original name is a hash value
Original sample name:	121222d12d96665d88f8e60a419329f0.exe
Analysis ID:	1546425
MD5:	121222d12d96665d88f8e60a419329f0
SHA1:	51ed963231e60e1b6bcbbf81f325184f4a314beb
SHA256:	1fcc27fc5d5ab23eb89fecedaf7c036fa5d9fee5854868dcc0b98d2023fbdb2c
Tags:	64exetrojan
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Powershell create lnk in startup

AI detected suspicious sample

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Potentially malicious time measurement code found

Powershell creates an autostart link

Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

5yv6ZxNaTP.exe (PID: 7736 cmdline: "C:\Users\user\Desktop\5yv6ZxNaTP.exe" MD5: 121222D12D96665D88F8E60A419329F0)

powershell.exe (PID: 7764 cmdline: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\5yv6ZxNaTP.exe'; $s.Save()" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

5yv6ZxNaTP.exe (PID: 8076 cmdline: "C:\Users\user\Desktop\5yv6ZxNaTP.exe" MD5: 121222D12D96665D88F8E60A419329F0)

cleanup

Sigma Signatures

System Summary

Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE

Source: File created

Author: Christopher Peacock '@securepeacock', SCYTHE: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7764, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7764, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\5yv6ZxNaTP.exe'; $s.Save()", CommandLine: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\5yv6ZxNaTP.exe'; $s.Save()", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\5yv6ZxNaTP.exe", ParentImage: C:\Users\user\Desktop\5yv6ZxNaTP.exe, ParentProcessId: 7736, ParentProcessName: 5yv6ZxNaTP.exe, ProcessCommandLine: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\5yv6ZxNaTP.exe'; $s.Save()", ProcessId: 7764, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Powershell create lnk in startup

Source: Process started

Author: Joe Security: Data: Command: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\5yv6ZxNaTP.exe'; $s.Save()", CommandLine: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\5yv6ZxNaTP.exe'; $s.Save()", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\5yv6ZxNaTP.exe", ParentImage: C:\Users\user\Desktop\5yv6ZxNaTP.exe, ParentProcessId: 7736, ParentProcessName: 5yv6ZxNaTP.exe, ProcessCommandLine: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\5yv6ZxNaTP.exe'; $s.Save()", ProcessId: 7764, ProcessName: powershell.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T21:42:28.628320+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.8	49708	TCP
2024-10-31T21:43:06.981805+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.8	49720	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.1% probability

Bitcoin Miner

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe

Code function: 0_2_005D4800 LoadLibraryExW,

0_2_005D4800

Source: 5yv6ZxNaTP.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 4x nop then cmp rdx, rbx	0_2_005AC2E0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 4x nop then cmp rdx, 40h	0_2_005C1420
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 4x nop then shr r10, 0Dh	0_2_005CC640
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 4x nop then shr r10, 0Dh	0_2_005CDAC0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 4x nop then lock or byte ptr [rdx], dil	0_2_005C1B60

Source: global traffic

TCP traffic: 192.168.2.8:49705 -> 185.196.10.218:9889

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.8:49720
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.8:49708

Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe

Code function: 0_2_0060C0E0 WSARecv,

0_2_0060C0E0

Source: powershell.exe, 00000001.00000002.1461262502.00000267358B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1443151882.00000267270DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1461262502.000002673577F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1443151882.0000026726F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1443151882.0000026725701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1443151882.0000026726DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000001.00000002.1443151882.0000026726F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1443151882.0000026725701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.1461262502.000002673577F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1461262502.000002673577F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1461262502.000002673577F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.1443151882.0000026726F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1443151882.0000026726331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1461262502.00000267358B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1443151882.00000267270DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1461262502.000002673577F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1443151882.0000026726DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000001.00000002.1443151882.0000026726DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX

Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005AD200	0_2_005AD200
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005E0540	0_2_005E0540
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005E79A0	0_2_005E79A0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005D6A20	0_2_005D6A20
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005C9B20	0_2_005C9B20
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005C8D20	0_2_005C8D20
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005ADDA0	0_2_005ADDA0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005B6EE0	0_2_005B6EE0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005A1FE0	0_2_005A1FE0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005BA020	0_2_005BA020
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005EF160	0_2_005EF160
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005E2180	0_2_005E2180
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005BF1A0	0_2_005BF1A0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005DE220	0_2_005DE220
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_0061C460	0_2_0061C460
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005AA440	0_2_005AA440
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_00605420	0_2_00605420
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005BB480	0_2_005BB480
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005F2480	0_2_005F2480
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005DA520	0_2_005DA520
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005CC640	0_2_005CC640
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005C6620	0_2_005C6620
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005C36C0	0_2_005C36C0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005FE720	0_2_005FE720
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005D37C0	0_2_005D37C0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005DD8C0	0_2_005DD8C0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005F3940	0_2_005F3940
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005AE960	0_2_005AE960
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005BB9A0	0_2_005BB9A0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005D0A40	0_2_005D0A40
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005C7A60	0_2_005C7A60
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005EBA20	0_2_005EBA20
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005CDAC0	0_2_005CDAC0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005B5AE0	0_2_005B5AE0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_00607AA9	0_2_00607AA9
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005CCB00	0_2_005CCB00
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005A3BE0	0_2_005A3BE0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005CFCC0	0_2_005CFCC0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005D9CE0	0_2_005D9CE0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_0061CC80	0_2_0061CC80
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005BADC0	0_2_005BADC0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005C1DE0	0_2_005C1DE0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005CEEA0	0_2_005CEEA0
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 0_2_005E0FC0	0_2_005E0FC0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFB4B4408CD	1_2_00007FFB4B4408CD
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 4_2_000000F2811FDAFC	4_2_000000F2811FDAFC

Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: String function: 005D8F40 appears 516 times
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: String function: 005DB260 appears 632 times
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: String function: 005D9020 appears 33 times
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: String function: 005DAA40 appears 77 times

Source: 5yv6ZxNaTP.exe

Static PE information: Number of sections : 15 > 10

Source: 5yv6ZxNaTP.exe	Static PE information: Section: /19 ZLIB complexity 0.9984454719387755
Source: 5yv6ZxNaTP.exe	Static PE information: Section: /32 ZLIB complexity 0.9945591517857143
Source: 5yv6ZxNaTP.exe	Static PE information: Section: /65 ZLIB complexity 0.9997003573919108
Source: 5yv6ZxNaTP.exe	Static PE information: Section: /78 ZLIB complexity 0.9953365100472813

Source: classification engine

Classification label: mal68.spre.evad.mine.winEXE@5/4@0/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kooj2ijd.zhe.ps1

Jump to behavior

Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	File opened: C:\Windows\system32\d99eaf317a9ec33d6509637d666926e68eaab03c2511222c0f2b281ff7d0249aAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA			Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	File opened: C:\Windows\system32\c497275e86134e360c36ca4b6f11eba33017d3a8ad0955706fae76390eeee7e3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA			Jump to behavior

Source: 5yv6ZxNaTP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 5yv6ZxNaTP.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: 5yv6ZxNaTP.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: 5yv6ZxNaTP.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: 5yv6ZxNaTP.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: 5yv6ZxNaTP.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: 5yv6ZxNaTP.exe	String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: 5yv6ZxNaTP.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: 5yv6ZxNaTP.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: 5yv6ZxNaTP.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: 5yv6ZxNaTP.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: 5yv6ZxNaTP.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: 5yv6ZxNaTP.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: 5yv6ZxNaTP.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: 5yv6ZxNaTP.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: 5yv6ZxNaTP.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: 5yv6ZxNaTP.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: 5yv6ZxNaTP.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: 5yv6ZxNaTP.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: 5yv6ZxNaTP.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: 5yv6ZxNaTP.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: 5yv6ZxNaTP.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime:
Source: 5yv6ZxNaTP.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime:
Source: 5yv6ZxNaTP.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
Source: 5yv6ZxNaTP.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
Source: 5yv6ZxNaTP.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
Source: 5yv6ZxNaTP.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
Source: 5yv6ZxNaTP.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: 5yv6ZxNaTP.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: 5yv6ZxNaTP.exe	String found in binary or memory: unsafe.String: len out of range11368683772161602973937988281255684341886080801486968994140625zone must be a non-empty stringcannot assign requested address.lib section in a.out corruptedbufio: tried to fill full buffergo package net: hostLookupOrder(sync: Unlock of unlocked RWMutexsync: negative WaitGroup counterMapIter.Value called before Nextslice bounds out of range [::%x]slice bounds out of range [:%x:]slice bounds out of range [%x::] (types from different packages)end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoned28421709430404007434844970703125unexpected character, want colonresource temporarily unavailablesoftware caused connection abortnumerical argument out of domainCertAddCertificateContextToStoreCertVerifyCertificateChainPolicyuse of closed network connection" not supported for cpu option "Failed to read message length: %vFailed to get executable path: %vgo package net: confVal.netCgo = sync: RUnlock of unlocked RWMutexreflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangeslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of range142108547152020037174224853515625710542735760100185871124267578125skip everything and stop the walktoo many levels of symbolic linksInitializeProcThreadAttributeListtoo many Answers to pack (>65535)GetVolumeNameForVolumeMountPointWwaiting for unsupported file typeGODEBUG: no value specified for "Failed to connect to target %s: %vClosed connection for Stream ID %dNoDefaultCurrentDirectoryInExePathreflect: Field of non-struct type reflect: Field index out of boundsreflect: s
Source: 5yv6ZxNaTP.exe	String found in binary or memory: unsafe.String: len out of range11368683772161602973937988281255684341886080801486968994140625zone must be a non-empty stringcannot assign requested address.lib section in a.out corruptedbufio: tried to fill full buffergo package net: hostLookupOrder(sync: Unlock of unlocked RWMutexsync: negative WaitGroup counterMapIter.Value called before Nextslice bounds out of range [::%x]slice bounds out of range [:%x:]slice bounds out of range [%x::] (types from different packages)end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoned28421709430404007434844970703125unexpected character, want colonresource temporarily unavailablesoftware caused connection abortnumerical argument out of domainCertAddCertificateContextToStoreCertVerifyCertificateChainPolicyuse of closed network connection" not supported for cpu option "Failed to read message length: %vFailed to get executable path: %vgo package net: confVal.netCgo = sync: RUnlock of unlocked RWMutexreflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangeslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of range142108547152020037174224853515625710542735760100185871124267578125skip everything and stop the walktoo many levels of symbolic linksInitializeProcThreadAttributeListtoo many Answers to pack (>65535)GetVolumeNameForVolumeMountPointWwaiting for unsupported file typeGODEBUG: no value specified for "Failed to connect to target %s: %vClosed connection for Stream ID %dNoDefaultCurrentDirectoryInExePathreflect: Field of non-struct type reflect: Field index out of boundsreflect: s
Source: 5yv6ZxNaTP.exe	String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go

Source: unknown	Process created: C:\Users\user\Desktop\5yv6ZxNaTP.exe "C:\Users\user\Desktop\5yv6ZxNaTP.exe"
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\5yv6ZxNaTP.exe'; $s.Save()"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\5yv6ZxNaTP.exe "C:\Users\user\Desktop\5yv6ZxNaTP.exe"
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\5yv6ZxNaTP.exe'; $s.Save()"	Jump to behavior

Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Section loaded: mswsock.dll	Jump to behavior

Source: Nexus.lnk.1.dr

LNK file: ..\..\..\..\..\..\..\Desktop\5yv6ZxNaTP.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 5yv6ZxNaTP.exe

Static file information: File size 3255296 > 1048576

Source: 5yv6ZxNaTP.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x112000

Source: 5yv6ZxNaTP.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 5yv6ZxNaTP.exe	Static PE information: section name: .xdata
Source: 5yv6ZxNaTP.exe	Static PE information: section name: /4
Source: 5yv6ZxNaTP.exe	Static PE information: section name: /19
Source: 5yv6ZxNaTP.exe	Static PE information: section name: /32
Source: 5yv6ZxNaTP.exe	Static PE information: section name: /46
Source: 5yv6ZxNaTP.exe	Static PE information: section name: /65
Source: 5yv6ZxNaTP.exe	Static PE information: section name: /78
Source: 5yv6ZxNaTP.exe	Static PE information: section name: /90
Source: 5yv6ZxNaTP.exe	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 4_2_000000F2811FFE1A push ebp; retf	4_2_000000F2811FFE2B
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 4_2_000000F2811FE248 push ecx; retf	4_2_000000F2811FE329
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 4_2_000000F2811FF271 push edi; retf	4_2_000000F2811FF34B
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 4_2_000000F2811FFE38 push ebp; retf	4_2_000000F2811FFE3B
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 4_2_000000F2811FD8E8 push ecx; retf	4_2_000000F2811FD949
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Code function: 4_2_000000F2811FFE02 push ebp; retf	4_2_000000F2811FFE13

Boot Survival

Powershell creates an autostart link

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: .lnk'); $s.TargetPath = 'C:\Users\user\Desktop\5yv6ZxNaTP.exe'; $s.Save()@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module via navigations and search. Tags = @('powershell','unit testing','bdd','tdd','mocking') # The web address of an icon which can be used in galler

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk

Jump to behavior

Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe

Code function: 0_2_0060A800 rdtscp

0_2_0060A800

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2876			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3664			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7976	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe

Code function: 0_2_005D4940 GetProcessAffinityMask,GetSystemInfo,

0_2_005D4940

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000001.00000002.1465103864.000002673D9A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}v
Source: 5yv6ZxNaTP.exe, 00000000.00000002.2675712059.000002227DE54000.00000004.00000020.00020000.00000000.sdmp, 5yv6ZxNaTP.exe, 00000004.00000002.2675613804.0000027639FF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000001.00000002.1465103864.000002673D9A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe

Code function: 0_2_0060A800 Start: 0060A809 End: 0060A81F

0_2_0060A800

Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe

Code function: 0_2_0060A800 rdtscp

0_2_0060A800

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\5yv6ZxNaTP.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\5yv6ZxNaTP.exe'; $s.Save()"

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	12 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 DLL Side-Loading	12 Registry Run Keys / Startup Folder	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
5yv6ZxNaTP.exe	8%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://oneget.orgX	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://oneget.org	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1461262502.00000267358B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1443151882.00000267270DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1461262502.000002673577F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000001.00000002.1443151882.0000026726DBC000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.1443151882.0000026726F90000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.1443151882.0000026726F90000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://go.micro	powershell.exe, 00000001.00000002.1443151882.0000026726331000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000001.00000002.1461262502.000002673577F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1461262502.00000267358B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1443151882.00000267270DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1461262502.000002673577F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000001.00000002.1461262502.000002673577F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000001.00000002.1461262502.000002673577F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://oneget.orgX	powershell.exe, 00000001.00000002.1443151882.0000026726DBC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.1443151882.0000026725701000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1443151882.0000026725701000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.1443151882.0000026726F90000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://oneget.org	powershell.exe, 00000001.00000002.1443151882.0000026726DBC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.196.10.218	unknown	Switzerland		42624	SIMPLECARRIERCH	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546425
Start date and time:	2024-10-31 21:41:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5yv6ZxNaTP.exe renamed because original name is a hash value
Original Sample Name:	121222d12d96665d88f8e60a419329f0.exe
Detection:	MAL
Classification:	mal68.spre.evad.mine.winEXE@5/4@0/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 15 Number of non-executed functions: 39
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 5yv6ZxNaTP.exe, PID 8076 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7764 because it is empty
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: 5yv6ZxNaTP.exe

Simulations

Behavior and APIs

Time	Type	Description
16:42:11	API Interceptor	5x Sleep call for process: powershell.exe modified
21:42:13	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.196.10.218	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SIMPLECARRIERCH	file.exe	Get hash	malicious	Unknown	Browse	185.196.10.218
	file.exe	Get hash	malicious	Unknown	Browse	185.196.10.218
	file.exe	Get hash	malicious	Unknown	Browse	185.196.10.218
	sipari_.exe	Get hash	malicious	AgentTesla	Browse	185.196.9.150
	UGcjMkPWwW.exe	Get hash	malicious	RHADAMANTHYS	Browse	185.196.11.237
	x86_64.bin.elf	Get hash	malicious	Unknown	Browse	185.196.10.215
	fEv4R2ahiLCQa5O.exe	Get hash	malicious	AgentTesla	Browse	185.196.9.150
	PW68YarHboeikgM.exe	Get hash	malicious	AgentTesla	Browse	185.196.9.150
	IND24072113.xlsx	Get hash	malicious	Unknown	Browse	185.196.10.234
	SecuriteInfo.com.Win32.MalwareX-gen.30759.2179.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	185.196.9.150

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulDm0ll//Z:NllU6cl/
MD5:	DA1F22117B9766A1F0220503765A5BA5
SHA1:	D35597157EFE03AA1A88C1834DF8040B3DD3F3CB
SHA-256:	BD022BFCBE39B4DA088DDE302258AE375AAFD6BDA4C7B39A97D80C8F92981C69
SHA-512:	520FA7879AB2A00C86D9982BB057E7D5E243F7FC15A12BA1C823901DC582D2444C76534E955413B0310B9EBD043400907FD412B88927DAD07A1278D3B667E3D9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................R..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kooj2ijd.zhe.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v5e0kluk.1fy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Oct 5 07:36:25 2023, mtime=Thu Oct 31 19:42:11 2024, atime=Thu Oct 31 19:42:08 2024, length=3255296, window=hide
Category:	dropped
Size (bytes):	606
Entropy (8bit):	5.10965313185072
Encrypted:	false
SSDEEP:	12:8hZM1qzYNbRnPPpZFohKE2jEjA/sGRRcuq9hgImV:8hyTnnPPpZfE2UA/hR3q9hgIm
MD5:	11E79E18119F4CBC323EA78CD411FFA3
SHA1:	A99E297EC4066E6B69BEAB5C63FD1DB4E4605141
SHA-256:	12C3FACB4940E9CDC1A331419ABD0743A87EC0DDDD6D17BD7DC2E85110788460
SHA-512:	6F92E73DD8DD376AB54FDD8873EBBA279A3E59B30D3F63E8448FD69A416D45F340EC076A55FDF5AF7F4B7608806A2505EF756D48CD25199BC2AC91670871FEDE
Malicious:	true
Preview:	L..................F.... ...3B8.g......\.+..)..Z.+....1..........................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........Yd...ji..g......\.+....j.2...1._YE. .5YV6ZX~1.EXE..N......EW.D_YE......T.......................5.y.v.6.Z.x.N.a.T.P...e.x.e.......U...............-.......T...........(.U......C:\Users\user\Desktop\5yv6ZxNaTP.exe..+.....\.....\.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.5.y.v.6.Z.x.N.a.T.P...e.x.e.`.......X.......226533...........hT..CrF.f4... ..E..Yc...,...E...hT..CrF.f4... ..E..Yc...,...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.8489982564228065
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	5yv6ZxNaTP.exe
File size:	3'255'296 bytes
MD5:	121222d12d96665d88f8e60a419329f0
SHA1:	51ed963231e60e1b6bcbbf81f325184f4a314beb
SHA256:	1fcc27fc5d5ab23eb89fecedaf7c036fa5d9fee5854868dcc0b98d2023fbdb2c
SHA512:	b35d227b3f45c1397a5b143c5a24dc602bd2bb557ecaadd5940f9b0af957fb5e987478baeafa254123ba2d2d62eb713df6aa995d7ef277fc27ea7acb97a0ab71
SSDEEP:	49152:Tu4q74iE3izWReSVYlI4vvn94SHlJ91fE6G3w:IBELRqJw
TLSH:	1BE58E57BC9508A9D4A9A33189A652937B76BC490F3223D36F60F33C2F76BD09979310
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........l/.i....."...........................@...............................:...........`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x46bf80
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	c2d457ad8ac36fc9f18d45bffcd450c2

Entrypoint Preview

Instruction
jmp 00007FA110CD8E30h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
dec eax
mov ebp, esp
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
inc ebp
xorps xmm7, xmm7
dec ebp
xor esi, esi
dec eax
mov eax, dword ptr [00229202h]
dec eax
mov eax, dword ptr [eax]
dec eax
cmp eax, 00000000h
je 00007FA110CDC715h
dec esp
mov esi, dword ptr [eax]
dec eax
sub esp, 10h
dec eax
mov eax, ecx
dec eax
mov ebx, edx
call 00007FA110CDE80Bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x380000	0x554	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x299000	0x6abc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x381000	0x4f46	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x200100	0x180	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xec3be	0xec400	d90c021d10428169e6bf2ee3ae77b428	False	0.4619088955026455	data	6.197180912933258	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xee000	0x111e88	0x112000	1deff442e960c5585d5c78c81dc98944	False	0.4076489079607664	data	5.413398604478663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x200000	0x98d00	0xfc00	209b5a6f3d7c81e34a85592649145ec3	False	0.3759765625	data	3.8948674422655625	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x299000	0x6abc	0x6c00	7c73081b839175441f6530ec8e4bb7db	False	0.39579716435185186	data	5.021276623612626	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x2a0000	0xb4	0x200	168200dcfbbfe2f110cfcd239b02e02c	False	0.2265625	shared library	1.787112262798912	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
/4	0x2a1000	0x129	0x200	17f62672c8506464ae13eccc2eb6cb94	False	0.623046875	data	5.081946473254993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x2a2000	0x30e50	0x31000	a8bd9d213d0d02e475d4ba24baad2381	False	0.9984454719387755	data	7.995397489621077	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/32	0x2d3000	0xa78c	0xa800	d39f8eccfa305e8f7ac9c27925c3832c	False	0.9945591517857143	data	7.927815340947501	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/46	0x2de000	0x30	0x200	40cca7c46fc713b4f088e5d440ca7931	False	0.103515625	data	0.8556848540171443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/65	0x2df000	0x598ff	0x59a00	3cdc7ff8a582210e331182b5863195c2	False	0.9997003573919108	data	7.998038714109929	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/78	0x339000	0x34cd2	0x34e00	3410cf04c1bee7f6dc879dac5a25d73e	False	0.9953365100472813	data	7.992547884111423	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/90	0x36e000	0x11cd4	0x11e00	2f31c072746f0711cf34450cf828cecd	False	0.9732708697552448	data	7.803217541460137	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x380000	0x554	0x600	9019caff4a889656c39bded7c080bd75	False	0.380859375	data	3.9866303467640605	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x381000	0x4f46	0x5000	4f662718fc0dc77773bc41a73258f631	False	0.3177734375	data	5.430280365870681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x386000	0x23f0b	0x24000	f954f869a86ee6475798b59d75def54c	False	0.2531263563368056	data	5.100166500840262	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler, AddVectoredContinueHandler

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T21:42:28.628320+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.8	49708	TCP
2024-10-31T21:43:06.981805+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.8	49720	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 21:42:16.116893053 CET	49705	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:16.121819019 CET	9889	49705	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:16.121933937 CET	49705	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:23.564796925 CET	49706	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:23.889091015 CET	9889	49706	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:23.889230013 CET	49706	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:24.614007950 CET	9889	49705	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:24.614109993 CET	49705	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:24.614337921 CET	49705	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:24.615305901 CET	49707	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:24.619251013 CET	9889	49705	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:24.620107889 CET	9889	49707	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:24.620182991 CET	49707	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:32.380167961 CET	9889	49706	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:32.380286932 CET	49706	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:32.380532026 CET	49706	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:32.380677938 CET	49712	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:32.385808945 CET	9889	49706	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:32.385857105 CET	9889	49712	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:32.385947943 CET	49712	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:33.130424023 CET	9889	49707	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:33.130605936 CET	49707	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:33.130640030 CET	49707	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:33.130872011 CET	49713	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:33.135756969 CET	9889	49707	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:33.136095047 CET	9889	49713	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:33.136173964 CET	49713	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:40.870146036 CET	9889	49712	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:40.870212078 CET	49712	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:40.870318890 CET	49712	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:40.871403933 CET	49714	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:40.875176907 CET	9889	49712	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:40.876230001 CET	9889	49714	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:40.876291990 CET	49714	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:41.857737064 CET	9889	49713	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:41.857800007 CET	49713	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:41.857928991 CET	49713	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:41.858197927 CET	49715	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:41.858326912 CET	9889	49713	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:41.858362913 CET	49713	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:41.862689018 CET	9889	49713	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:41.863070011 CET	9889	49715	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:41.863140106 CET	49715	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:49.384553909 CET	9889	49714	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:49.384670973 CET	49714	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:49.384897947 CET	49714	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:49.385092020 CET	49716	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:49.390393019 CET	9889	49714	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:49.390418053 CET	9889	49716	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:49.390500069 CET	49716	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:50.352288008 CET	9889	49715	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:50.352374077 CET	49715	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:50.352509022 CET	49715	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:50.352777958 CET	49717	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:50.357418060 CET	9889	49715	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:50.358022928 CET	9889	49717	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:50.358108044 CET	49717	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:57.898375988 CET	9889	49716	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:57.898478031 CET	49716	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:57.898943901 CET	49716	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:57.899133921 CET	49718	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:57.903934002 CET	9889	49716	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:57.906897068 CET	9889	49718	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:57.906975985 CET	49718	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:58.863070965 CET	9889	49717	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:58.863143921 CET	49717	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:58.863254070 CET	49717	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:58.863514900 CET	49719	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:42:58.868763924 CET	9889	49717	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:58.868772030 CET	9889	49719	185.196.10.218	192.168.2.8
Oct 31, 2024 21:42:58.868835926 CET	49719	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:06.422827005 CET	9889	49718	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:06.422915936 CET	49718	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:06.423175097 CET	49718	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:06.423337936 CET	49721	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:06.428031921 CET	9889	49718	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:06.428344965 CET	9889	49721	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:06.428523064 CET	49721	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:07.375658035 CET	9889	49719	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:07.375724077 CET	49719	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:07.375906944 CET	49719	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:07.376081944 CET	49722	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:07.380740881 CET	9889	49719	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:07.380968094 CET	9889	49722	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:07.381053925 CET	49722	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:14.921108007 CET	9889	49721	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:14.921449900 CET	49721	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:14.921498060 CET	49721	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:14.921725988 CET	49723	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:14.926661015 CET	9889	49721	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:14.927397013 CET	9889	49723	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:14.927491903 CET	49723	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:16.226818085 CET	9889	49722	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:16.226938963 CET	49722	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:16.227519035 CET	9889	49722	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:16.227574110 CET	49722	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:16.227957010 CET	49724	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:16.227984905 CET	49722	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:16.233004093 CET	9889	49722	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:16.233016014 CET	9889	49724	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:16.233119011 CET	49724	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:23.425211906 CET	9889	49723	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:23.425343990 CET	49723	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:23.425714970 CET	49725	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:23.425736904 CET	49723	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:23.430608988 CET	9889	49723	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:23.430695057 CET	9889	49725	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:23.430756092 CET	49725	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:24.726280928 CET	9889	49724	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:24.726471901 CET	49724	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:24.726613045 CET	49724	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:24.726897001 CET	49726	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:24.731416941 CET	9889	49724	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:24.731702089 CET	9889	49726	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:24.731762886 CET	49726	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:31.913377047 CET	9889	49725	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:31.913476944 CET	49725	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:31.914263010 CET	49729	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:31.914300919 CET	49725	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:31.920003891 CET	9889	49725	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:31.920017958 CET	9889	49729	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:31.920103073 CET	49729	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:33.223726034 CET	9889	49726	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:33.223836899 CET	49726	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:33.228503942 CET	49726	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:33.228811026 CET	49730	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:33.233450890 CET	9889	49726	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:33.233624935 CET	9889	49730	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:33.233690023 CET	49730	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:40.426645994 CET	9889	49729	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:40.426805973 CET	49729	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:40.426938057 CET	49729	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:40.427146912 CET	49731	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:40.431945086 CET	9889	49729	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:40.432081938 CET	9889	49731	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:40.432152987 CET	49731	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:41.728425026 CET	9889	49730	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:41.728514910 CET	49730	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:41.728612900 CET	49730	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:41.728910923 CET	49732	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:41.734602928 CET	9889	49730	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:41.734641075 CET	9889	49732	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:41.734705925 CET	49732	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:48.916129112 CET	9889	49731	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:48.916178942 CET	49731	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:48.916290998 CET	49731	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:48.916651011 CET	49733	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:48.921427965 CET	9889	49731	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:48.921439886 CET	9889	49733	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:48.921493053 CET	49733	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:50.220163107 CET	9889	49732	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:50.220237970 CET	49732	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:50.220463991 CET	49732	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:50.220608950 CET	49734	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:50.225198030 CET	9889	49732	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:50.225332022 CET	9889	49734	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:50.225394964 CET	49734	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:57.840578079 CET	9889	49733	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:57.842861891 CET	49733	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:57.842998981 CET	49733	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:57.843231916 CET	49735	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:57.847913027 CET	9889	49733	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:57.851560116 CET	9889	49735	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:57.854906082 CET	49735	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:58.732387066 CET	9889	49734	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:58.732459068 CET	49734	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:58.732721090 CET	49734	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:58.732830048 CET	49736	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:43:58.737879038 CET	9889	49734	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:58.737915039 CET	9889	49736	185.196.10.218	192.168.2.8
Oct 31, 2024 21:43:58.738003016 CET	49736	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:44:06.364211082 CET	9889	49735	185.196.10.218	192.168.2.8
Oct 31, 2024 21:44:06.364316940 CET	49735	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:44:06.364484072 CET	49735	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:44:06.364727020 CET	49737	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:44:06.369496107 CET	9889	49735	185.196.10.218	192.168.2.8
Oct 31, 2024 21:44:06.369575024 CET	9889	49737	185.196.10.218	192.168.2.8
Oct 31, 2024 21:44:06.369643927 CET	49737	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:44:07.224646091 CET	9889	49736	185.196.10.218	192.168.2.8
Oct 31, 2024 21:44:07.224720001 CET	49736	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:44:07.224901915 CET	49736	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:44:07.225148916 CET	49738	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:44:07.229731083 CET	9889	49736	185.196.10.218	192.168.2.8
Oct 31, 2024 21:44:07.229968071 CET	9889	49738	185.196.10.218	192.168.2.8
Oct 31, 2024 21:44:07.230024099 CET	49738	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:44:14.876935959 CET	9889	49737	185.196.10.218	192.168.2.8
Oct 31, 2024 21:44:14.878878117 CET	49737	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:44:14.879899979 CET	49737	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:44:14.880342960 CET	49739	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:44:14.884680033 CET	9889	49737	185.196.10.218	192.168.2.8
Oct 31, 2024 21:44:14.885768890 CET	9889	49739	185.196.10.218	192.168.2.8
Oct 31, 2024 21:44:14.886253119 CET	49739	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:44:15.720231056 CET	9889	49738	185.196.10.218	192.168.2.8
Oct 31, 2024 21:44:15.720343113 CET	49738	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:44:15.720474005 CET	49738	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:44:15.720688105 CET	49740	9889	192.168.2.8	185.196.10.218
Oct 31, 2024 21:44:15.725419044 CET	9889	49738	185.196.10.218	192.168.2.8
Oct 31, 2024 21:44:15.725503922 CET	9889	49740	185.196.10.218	192.168.2.8
Oct 31, 2024 21:44:15.725573063 CET	49740	9889	192.168.2.8	185.196.10.218

Target ID:	0
Start time:	16:42:09
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\5yv6ZxNaTP.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\5yv6ZxNaTP.exe"
Imagebase:	0x5a0000
File size:	3'255'296 bytes
MD5 hash:	121222D12D96665D88F8E60A419329F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	16:42:09
Start date:	31/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Users\user\Desktop\5yv6ZxNaTP.exe'; $s.Save()"
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:42:09
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:42:22
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\5yv6ZxNaTP.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\5yv6ZxNaTP.exe"
Imagebase:	0x5a0000
File size:	3'255'296 bytes
MD5 hash:	121222D12D96665D88F8E60A419329F0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Go lang
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.8%
Total number of Nodes:	762
Total number of Limit Nodes:	62

Executed Functions

Function 005AD200 Relevance: 12.9, Strings: 10, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning wit, xrefs: 005AD5A5
) not in usable address space: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: , xrefs: 005AD945
out of memory allocating heap arena map/cpu/classes/gc/mark/assist:cpu-seconds/cpu/classes/scavenge/total:cpu-seconds/memory/classes/profiling/buckets:bytesmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResume, xrefs: 005AD5D8
, xrefs: 005AD88F
base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-c, xrefs: 005AD871
memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memory (bad use of unsafe.Pointer? try -d=checkptr)sysGrow bounds not aligned to pallocChunkBytesruntime: failed to create new , xrefs: 005AD972
arena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p , xrefs: 005AD5C7
out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbi, xrefs: 005AD5B6
region exceeds uintptr range/gc/heap/frees-by-size:bytes/gc/heap/tiny/allocs:objects/sched/goroutines:goroutinesgcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: m, xrefs: 005AD847
end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremo, xrefs: 005AD89F

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: $) not in usable address space: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: $arena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p $base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-c$end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremo$memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memory (bad use of unsafe.Pointer? try -d=checkptr)sysGrow bounds not aligned to pallocChunkBytesruntime: failed to create new $out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning wit$out of memory allocating heap arena map/cpu/classes/gc/mark/assist:cpu-seconds/cpu/classes/scavenge/total:cpu-seconds/memory/classes/profiling/buckets:bytesmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResume$out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbi$region exceeds uintptr range/gc/heap/frees-by-size:bytes/gc/heap/tiny/allocs:objects/sched/goroutines:goroutinesgcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: m
API String ID: 0-847506971
Opcode ID: b881efb49170ed06758485bab7d313c702d3bbd842a17acfa894e5e2db098b8c
Instruction ID: b0a26574ad0b3243215a1f0aa12ae778eb4ccc17a53cef4dc2184874c2c4d509
Opcode Fuzzy Hash: b881efb49170ed06758485bab7d313c702d3bbd842a17acfa894e5e2db098b8c
Instruction Fuzzy Hash: 09028972609B8482EB649B55F4407AEBB65F78AB90F448226EFDE17B99CF3CC444C710

Function 005ADDA0 Relevance: 9.3, Strings: 7, Instructions: 547COMMON

Download Yara Rule

Strings

mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 005AE625
mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential, xrefs: 005AE658
malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no , xrefs: 005AE647
delayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablenot enough significant bits after mult128bitPow10the :: must exp, xrefs: 005AE5DD
!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 005AE133
malloc during signalclose of nil channelinconsistent lockedmnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=, xrefs: 005AE636
unexpected malloc header in delayed zeroing of large objectsync/atomic: store of inconsistently typed value into Valuereflect: call of reflect.Value.Len on ptr to non-array Valuemanual span allocation called with non-manually-managed typeaddr range base and li, xrefs: 005AE5CC

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$delayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablenot enough significant bits after mult128bitPow10the :: must exp$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no $malloc during signalclose of nil channelinconsistent lockedmnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largelimiterEvent.stop: invalid limiter event type foundpotential$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $unexpected malloc header in delayed zeroing of large objectsync/atomic: store of inconsistently typed value into Valuereflect: call of reflect.Value.Len on ptr to non-array Valuemanual span allocation called with non-manually-managed typeaddr range base and li
API String ID: 0-1668493485
Opcode ID: 83e1674a86f87a9046b469c7572ea7f32069a3e369ec5c775e9e0a1871a05fb8
Instruction ID: c038cb838e4ca3aa7fdaf658c9485808d5f177b351248432e695f7bb55ca4ae9
Opcode Fuzzy Hash: 83e1674a86f87a9046b469c7572ea7f32069a3e369ec5c775e9e0a1871a05fb8
Instruction Fuzzy Hash: EF322172608B90C6DB64DB11E0857AEBF75F786B94F489516EE8E07B95DB78C880CB00

Function 005A1FE0 Relevance: 9.2, Strings: 7, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep, xrefs: 005A2041
avx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnkfiles,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptembercomplex64interfaceinvalid nfuncargs(bad indirreflect: InterfaceprofBlockstackpoolhchanLeafwbufSpansmSpan, xrefs: 005A2631
pclmulqdqmath/randtlsrsakexStart Menupowershell.localhostsetsockoptunixpacket netGo = /dev/stdinCreateFileexecerrdotSYSTEMROOT%!Weekday(complex128t.Kind == notifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop tracedisablethpinvalidptrschedtracesemacquiredeb, xrefs: 005A205F
rdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegcallocmWcpuprofallocmRunknowngctraceIO waitsyscallwaitingUNKNOWN:eve, xrefs: 005A2080
sse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13uint16uint32uint64structchan<-<-chan Valuesysmontimersefenceselect, not object next= jobs= goid sweep, xrefs: 005A2268
avx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovemberDecember%!Month(scavengepollDesctraceBufdeadlockraceFinipanicnilcgocheckrunnable procid , xrefs: 005A25E4
adxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprootitabsbrkidledead is LEAFbase of <==GOGC] = pc=+I, xrefs: 005A2006

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: adxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccallkindallgallprootitabsbrkidledead is LEAFbase of <==GOGC] = pc=+I$avx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnkfiles,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork/exec#execwaitWednesdaySeptembercomplex64interfaceinvalid nfuncargs(bad indirreflect: InterfaceprofBlockstackpoolhchanLeafwbufSpansmSpan$avx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53continue_gatewayshutdownaddress readfromwsaioctlunixgramnil PoolFullPathThursdaySaturdayFebruaryNovemberDecember%!Month(scavengepollDesctraceBufdeadlockraceFinipanicnilcgocheckrunnable procid $ermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep$pclmulqdqmath/randtlsrsakexStart Menupowershell.localhostsetsockoptunixpacket netGo = /dev/stdinCreateFileexecerrdotSYSTEMROOT%!Weekday(complex128t.Kind == notifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop tracedisablethpinvalidptrschedtracesemacquiredeb$rdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesdayJanuaryOctoberMUI_StdMUI_DltinvaliduintptrChanDir Value>forcegcallocmWcpuprofallocmRunknowngctraceIO waitsyscallwaitingUNKNOWN:eve$sse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13uint16uint32uint64structchan<-<-chan Valuesysmontimersefenceselect, not object next= jobs= goid sweep
API String ID: 0-3864557194
Opcode ID: 3e34f6f1a088494b061dc172a4916d1f7965f4983e03fc8dbae2cd0e4945cc4b
Instruction ID: 4a890b8dd31e1989b9b8681c7fc73466284db42b71e883cf642f14f3a33ca42b
Opcode Fuzzy Hash: 3e34f6f1a088494b061dc172a4916d1f7965f4983e03fc8dbae2cd0e4945cc4b
Instruction Fuzzy Hash: AD42BB7A504F80C5E700DF29F84979A3BA1F395F80F958226DAD94B361DF79C6A9C340

Function 005D6A20 Relevance: 4.0, Strings: 3, Instructions: 273COMMON

Download Yara Rule

Strings

self-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch152587890625762939453125invalid slothost is downillegal seekGetLengthSidGetLastE, xrefs: 005D6EC5
runtime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10syscall: string with NUL passed to StringToUTF16parsing/packing of t, xrefs: 005D6E87
runtime.preemptM: duplicatehandle failedglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many arguments13877787807814456755295395851135253906256938893903907228377647697925567626953125ryuFtoaFixed32 calle, xrefs: 005D6EAF

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: runtime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10syscall: string with NUL passed to StringToUTF16parsing/packing of t$runtime.preemptM: duplicatehandle failedglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many arguments13877787807814456755295395851135253906256938893903907228377647697925567626953125ryuFtoaFixed32 calle$self-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatch152587890625762939453125invalid slothost is downillegal seekGetLengthSidGetLastE
API String ID: 0-3009455715
Opcode ID: 56410509a630782902b64118ae066c04cd75b29c4c9687fd77c28c662460cd00
Instruction ID: b531ebc0fbe3baebaff873ac9329e90a8df31d80666f78ecc3f7a9b869c12454
Opcode Fuzzy Hash: 56410509a630782902b64118ae066c04cd75b29c4c9687fd77c28c662460cd00
Instruction Fuzzy Hash: F6C15C36605F8181CB60DB29E88536F7B60F78AB90F159237DAAC537A5DF39C492CB40

Function 005D4800 Relevance: 3.8, Strings: 3, Instructions: 65COMMON

Download Yara Rule

Strings

.`, xrefs: 005D489A
PowerRegisterSuspendResumeNotification, xrefs: 005D4869
powrprof.dll, xrefs: 005D4819

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: .`$PowerRegisterSuspendResumeNotification$powrprof.dll
API String ID: 0-3225791698
Opcode ID: 44d24f89154824cc11c56763e591cdb9fb0a85941e7be42b470fd5cd78009dba
Instruction ID: d4b71b9a5f23b08059bcaed383d006c7da76e548a94d80c93fcd5a20e3e35d9e
Opcode Fuzzy Hash: 44d24f89154824cc11c56763e591cdb9fb0a85941e7be42b470fd5cd78009dba
Instruction Fuzzy Hash: 58214836209F84C6DB10CF15F44536ABBA5F38AB80F488516EACC47B58DF79C195CB40

Function 005C9B20 Relevance: 2.8, Strings: 2, Instructions: 332COMMON

Download Yara Rule

Strings

grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 005CA082
@E`, xrefs: 005C9EB3

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: @E`$grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
API String ID: 0-1755309879
Opcode ID: a0976dc51cec0492eb393a7fbc7454ee0aa4962e3576eeafc5765aade38bd967
Instruction ID: e2bb0059010f2057727233c13f81255dee0d2edee22af2551b5bb7ec7f498d9b
Opcode Fuzzy Hash: a0976dc51cec0492eb393a7fbc7454ee0aa4962e3576eeafc5765aade38bd967
Instruction Fuzzy Hash: 42E18E32209B8489DB60CF55E494B9ABF61F786BD0F58951AEECD43B69CF38C494CB40

Function 0060C0E0 Relevance: 1.5, APIs: 1, Instructions: 46networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32 ref: 0060C178

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: d0420e7b245c68536b1289b904fe6097933a37c154ff1c15fd575de53d0a58cb
Instruction ID: 059f93c86ec3ecc698348d304a65272684870ce54c0fc3c94bea9e5df61f300d
Opcode Fuzzy Hash: d0420e7b245c68536b1289b904fe6097933a37c154ff1c15fd575de53d0a58cb
Instruction Fuzzy Hash: BB117C36A40B80C1DB248B1AE8413697370E348BF4F244365DEAD57BA5CB28E1A2C740

Function 005B6EE0 Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 005B7090

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
API String ID: 0-1712010102
Opcode ID: 62ad128bf3858c0174402c8d5a1fc9a2e917c769831a02d662e6d7d7b8206458
Instruction ID: 14778a4e72cb54c89bf653a490f2f8d28b41f0561025b239e16498fbe7e1b10d
Opcode Fuzzy Hash: 62ad128bf3858c0174402c8d5a1fc9a2e917c769831a02d662e6d7d7b8206458
Instruction Fuzzy Hash: B1C1D432209B458ADF14DB14E4947AEBBA1F7C5B44F04452AEB8E07BA9DF3CE944CB50

Function 005E79A0 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63743188d5dbba73dcc8777889c975756452f22b3ee0f1ee15213252e74e5086
Instruction ID: fa1bc41ef3dc3e2639b02ffa2d96c7718271ff255f22e7b50d6816081f66e5f2
Opcode Fuzzy Hash: 63743188d5dbba73dcc8777889c975756452f22b3ee0f1ee15213252e74e5086
Instruction Fuzzy Hash: 1CC1903260DB8486DB08DF26E49036ABB65F7CAB80F985525EACD43765DF7CD844CB00

Function 005E0540 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76bc640c0164ddc80bb4159aea91c468d8542978f64eb93f64102dbc53455c5d
Instruction ID: 20977e8c93ddb14e3c55a52a97dbf8d155dc8602b5915ad25ccecdb47b1efabf
Opcode Fuzzy Hash: 76bc640c0164ddc80bb4159aea91c468d8542978f64eb93f64102dbc53455c5d
Instruction Fuzzy Hash: 53910675A09680CADB189F16E49036A7F61F7C1B84F98A035C98D073A5DFBDD8D5CB80

Function 005C8D20 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921a085b0a0f9ff61c8d2173f54fd059379f42d3a4404dcd6b8cdce61aa9b4f7
Instruction ID: e118c773f84b9fed97e12a5ed701812debdb7b2640bd283db58943afe3b5a68f
Opcode Fuzzy Hash: 921a085b0a0f9ff61c8d2173f54fd059379f42d3a4404dcd6b8cdce61aa9b4f7
Instruction Fuzzy Hash: 873166BA309B4A91DB449B19E4813EA6B62F3C4BC0F85D036DE4E57769CE38D64BC340

Function 005D4940 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd6910b81359d82a000ccbee3a73faa141a11c2b4a33abe83676cd268d41d19
Instruction ID: 1a8de4d333711c9b55e87c3e309f0919a576add7a207c6b1b9ed603e1bec41a4
Opcode Fuzzy Hash: cdd6910b81359d82a000ccbee3a73faa141a11c2b4a33abe83676cd268d41d19
Instruction Fuzzy Hash: 16214C33608B8582CB10CB25F48636B6B60F386BD4F449223EE9D47B99DB38C191CB40

Non-executed Functions

Function 005BB9A0 Relevance: 17.0, Strings: 13, Instructions: 703COMMON

Download Yara Rule

Strings

MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException , xrefs: 005BC545
failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre, xrefs: 005BC789
ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32, xrefs: 005BC2AA
gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foun, xrefs: 005BC79A
ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=, xrefs: 005BC4CB
@s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintmap, xrefs: 005BC12C
, xrefs: 005BBF7F
2`, xrefs: 005BC6DF
MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, xrefs: 005BC585
non-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - d, xrefs: 005BC778
., xrefs: 005BC08A
gc %: gp *(in n= ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccall, xrefs: 005BC10E
gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC, xrefs: 005BBA64

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: $ @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintmap$ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException $ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=$.$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfunccall$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foun$gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC$non-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - d$2`
API String ID: 0-507349935
Opcode ID: 4ad0eded2a40d559762a26ab8440cea37433f031f210859abd0fcb0f5aa207df
Instruction ID: b8ca16ae480f5514141c5bffd74150692b6d6d3a88ea0423867ada3a3e8cb0ae
Opcode Fuzzy Hash: 4ad0eded2a40d559762a26ab8440cea37433f031f210859abd0fcb0f5aa207df
Instruction Fuzzy Hash: E372AC36609BC5C5EB61DB28E8853EBBB65F78AB80F448126DA8C0376ADF7CD144C750

Function 005CCB00 Relevance: 15.5, Strings: 12, Instructions: 542COMMON

Download Yara Rule

Strings

runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlock116415321826934814453125582076609134674072265625address string too shortfloating point excep, xrefs: 005CD365
, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 005CD405
runtime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.semawakeup29802322, xrefs: 005CCEAF
] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13uint16uint32uint64structch, xrefs: 005CCE38
, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by 30517578125broken pipealarm c, xrefs: 005CD2FC
bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 005CCEDC, 005CD62C
, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53con, xrefs: 005CD31A
] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16, xrefs: 005CD276
, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesd, xrefs: 005CD385
runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon, xrefs: 005CD3E5
runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 005CCDFF, 005CD236
][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintmapptr...fi, xrefs: 005CCE1A, 005CD25B

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: , i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base 390625hangupkilled, val headerAnswerLengthGetACPCommonrdtscppopcntcmd/goAPPDATAWindowsStartupfloat32float64windowsrunningwsarecvwsasendconnectlookup writetoconsolePATHEXT\\.\UNCTuesd$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms-CommandGoStringnetedns0[::1]:53con$, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by 30517578125broken pipealarm c$] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16$] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13uint16uint32uint64structch$][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintmapptr...fi$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflowsemacquire not on the G stackruntime: split stack overflowstring concatenation too lon$runtime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.semawakeup29802322$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlock116415321826934814453125582076609134674072265625address string too shortfloating point excep$runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-1627350362
Opcode ID: 61e5b8b19802e768d507b787fa04597d64d61f0a01c0da1a4820f4827f72f971
Instruction ID: 695782d4eb5d233faa37d73375be7b8647b81fee79556c55c46c264eaf2d80b0
Opcode Fuzzy Hash: 61e5b8b19802e768d507b787fa04597d64d61f0a01c0da1a4820f4827f72f971
Instruction Fuzzy Hash: 0632DE76714B8981EB20DB55E4857DABB26F789BC0F404027DE8D17B6ADF38C945C701

Function 005BA020 Relevance: 14.1, Strings: 11, Instructions: 368COMMON

Download Yara Rule

Strings

runtime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already , xrefs: 005BA4A3, 005BA4F7, 005BA561
runtime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memory: cannot allocate runtime.preemptM: duplicatehandle failedglobal runq empty wi, xrefs: 005BA67F
runtime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpanLocked - invalid span stateattempted to add zero-sized address rangeruntime: block, xrefs: 005BA594
nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod, xrefs: 005BA64D
because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime., xrefs: 005BA526
runtime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= casfrom_Gscanstatus: gp->status is not in scan state, xrefs: 005BA62B
, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 005BA585
runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultuser arena chunk size is not a multiple of the physical page sizeruntime: function marked with #cgo nocallback called back into Goru, xrefs: 005BA63C
, not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failed, xrefs: 005BA670
runtime.SetFinalizer: first argument is nilruntime.SetFinalizer: finalizer already setgcBgMarkWorker: unexpected gcMarkWorkerModenon in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryru, xrefs: 005BA690
runtime.SetFinalizer: pointer not at beginning of allocated blockunable to query buffer size from InitializeProcThreadAttributeListreflect: reflect.Value.UnsafePointer on an invalid notinheap pointerembedded IPv4 address must replace the final 2 fields of the , xrefs: 005BA5AA

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.$, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$, not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failed$nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod$runtime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already $runtime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memory: cannot allocate runtime.preemptM: duplicatehandle failedglobal runq empty wi$runtime.SetFinalizer: first argument is nilruntime.SetFinalizer: finalizer already setgcBgMarkWorker: unexpected gcMarkWorkerModenon in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryru$runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultuser arena chunk size is not a multiple of the physical page sizeruntime: function marked with #cgo nocallback called back into Goru$runtime.SetFinalizer: pointer not at beginning of allocated blockunable to query buffer size from InitializeProcThreadAttributeListreflect: reflect.Value.UnsafePointer on an invalid notinheap pointerembedded IPv4 address must replace the final 2 fields of the $runtime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= casfrom_Gscanstatus: gp->status is not in scan state$runtime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpanLocked - invalid span stateattempted to add zero-sized address rangeruntime: block
API String ID: 0-1037468882
Opcode ID: 1032913427acd2686ec149b72338c429a8c62e88d30a3f23f699d5c7568ad228
Instruction ID: 7310f97c2ca5d4ed9227e9df32f526c48201db442a2abec13b09d5942ff608d2
Opcode Fuzzy Hash: 1032913427acd2686ec149b72338c429a8c62e88d30a3f23f699d5c7568ad228
Instruction Fuzzy Hash: 71F1D032609BC081EB609F25E4413EEBBA6F785B80F488536DB8D07B99DF79E594C701

Function 005F2480 Relevance: 14.1, Strings: 11, Instructions: 364COMMON

Download Yara Rule

Strings

untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQ, xrefs: 005F2A4C
bad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCrea, xrefs: 005F286A, 005F29EA
runtime: pcdata is bad ABI descriptiondodeltimer: wrong Padjusttimers: bad p14901161193847656257450580596923828125skip this directoryillegal instructionbad file descriptordisk quota exceededtoo many open filesdevice not a streamdirectory not emptyCryptReleaseC, xrefs: 005F27D3, 005F295F
missing stackmapbad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsN, xrefs: 005F2919, 005F2A99
(targetpc= , plugin: runtime: g : frame.sp=created by 30517578125broken pipealarm clockbad messagefile existsbad addressRegCloseKeyCreateFileWDeleteFileWExitProcessFreeLibrarySetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamecrypt32.dllmswsock, xrefs: 005F2837, 005F29B8
and defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localr, xrefs: 005F27EF, 005F297A
untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine 1907348632812595367431640625file too largeis a directorylevel 2 haltedlevel 3 haltedtoo many linksno such deviceprotocol errortext file busytoo many usersCryptGenRandomCertClos, xrefs: 005F28D7
locals stack map entries for abi mismatch detected between runtime: impossible type kind unsafe.Slice: len out of range227373675443232059478759765625trailing garbage after addresssocket operation on non-socketinappropriate ioctl for deviceprotocol wrong type , xrefs: 005F2995
runtime: frame runtimer: bad ptraceback stuck476837158203125advertise errorkey has expirednetwork is downno medium foundno such processGetAdaptersInfoCreateHardLinkWDeviceIoControlFlushViewOfFileGetCommandLineWGetStartupInfoWProcess32FirstWUnmapViewOfFileFaile, xrefs: 005F28B4, 005F2A29
args stack map entries for invalid runtime symbol tableruntime: no module data for traceRegion: alloc too large[originating from goroutine 18189894035458564758300781259094947017729282379150390625file descriptor in bad statedestination address requiredprotocol, xrefs: 005F280F
) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm, xrefs: 005F2852, 005F29D3

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: (targetpc= , plugin: runtime: g : frame.sp=created by 30517578125broken pipealarm clockbad messagefile existsbad addressRegCloseKeyCreateFileWDeleteFileWExitProcessFreeLibrarySetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamecrypt32.dllmswsock$ and defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localr$ args stack map entries for invalid runtime symbol tableruntime: no module data for traceRegion: alloc too large[originating from goroutine 18189894035458564758300781259094947017729282379150390625file descriptor in bad statedestination address requiredprotocol$ locals stack map entries for abi mismatch detected between runtime: impossible type kind unsafe.Slice: len out of range227373675443232059478759765625trailing garbage after addresssocket operation on non-socketinappropriate ioctl for deviceprotocol wrong type $ untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine 1907348632812595367431640625file too largeis a directorylevel 2 haltedlevel 3 haltedtoo many linksno such deviceprotocol errortext file busytoo many usersCryptGenRandomCertClos$ untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQ$) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm$bad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsNameCompare_WCrea$missing stackmapbad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobject is remoteremote I/O errorSetFilePointerExOpenProcessTokenRegQueryInfoKeyWRegQueryValueExWDnsN$runtime: frame runtimer: bad ptraceback stuck476837158203125advertise errorkey has expirednetwork is downno medium foundno such processGetAdaptersInfoCreateHardLinkWDeviceIoControlFlushViewOfFileGetCommandLineWGetStartupInfoWProcess32FirstWUnmapViewOfFileFaile$runtime: pcdata is bad ABI descriptiondodeltimer: wrong Padjusttimers: bad p14901161193847656257450580596923828125skip this directoryillegal instructionbad file descriptordisk quota exceededtoo many open filesdevice not a streamdirectory not emptyCryptReleaseC
API String ID: 0-69468158
Opcode ID: 0a21d9e6d972597353015af105affa5f0726e1970d568dc16956b30115f7332f
Instruction ID: ef7de46498abbe4aa1102be828815c1dcae2d48a7ab7139da362835b68427575
Opcode Fuzzy Hash: 0a21d9e6d972597353015af105affa5f0726e1970d568dc16956b30115f7332f
Instruction Fuzzy Hash: 9BE1A176208B8986EB20EB69E48536FBB66F788B80F504127EB8D47765DF7CC544CB00

Function 005C6620 Relevance: 13.3, Strings: 10, Instructions: 811COMMON

Download Yara Rule

Strings

sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executionattempte, xrefs: 005C701C
mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdea, xrefs: 005C748A
nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnkfiles,dnsdns,filesipv6-icmp_outbou, xrefs: 005C7108
swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 005C702D
previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime:, xrefs: 005C7125
sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevrunt, xrefs: 005C716F
sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine 1220703125, xrefs: 005C706F, 005C7445
mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 005C70B8
mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 005C708F, 005C7465
mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 005C749B

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnkfiles,dnsdns,filesipv6-icmp_outbou$ previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime:$ sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine 1220703125$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdea$mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1$sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevrunt$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executionattempte$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
API String ID: 0-3213733108
Opcode ID: fc9b28d460c29270dc791f935c9c1338cf548036df147925c92d5210018d930a
Instruction ID: 9d7693bc494b07011b1826cd6b54082dba85ef632a1d8ddd3fd30fd6902f62d6
Opcode Fuzzy Hash: fc9b28d460c29270dc791f935c9c1338cf548036df147925c92d5210018d930a
Instruction Fuzzy Hash: C382BE73208BC58ADB60CF65E4407AEBBA1F389B84F44951AEACD03B59DF38C595CB10

Function 005FE720 Relevance: 9.2, Strings: 7, Instructions: 451COMMON

Download Yara Rule

Strings

sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int64uint8arrayslice and defersweeptestRtestWex, xrefs: 005FED92
...finobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintcha, xrefs: 005FEBB7
pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int3, xrefs: 005FEDB2
fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRsche, xrefs: 005FED72
non-Go function at pc=4656612873077392578125IPv4 address too shortmultiple :: in addressargument list too longaddress already in usenetwork is unreachablecannot allocate memoryprotocol not availableprotocol not supportedremote address changedConvertSidToString, xrefs: 005FEEDB
) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm, xrefs: 005FEC0D
_, xrefs: 005FEFE5

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRsche$ pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int3$ sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930Localint16int32int64uint8arrayslice and defersweeptestRtestWex$) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm$...finobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintcha$non-Go function at pc=4656612873077392578125IPv4 address too shortmultiple :: in addressargument list too longaddress already in usenetwork is unreachablecannot allocate memoryprotocol not availableprotocol not supportedremote address changedConvertSidToString$_
API String ID: 0-216964647
Opcode ID: 3a52f31b419d05c4fcbed58cec41ee8aceb811115d911a9d2296036e52aeb09d
Instruction ID: 97db0dd0051237ac3c49db1ed6d8878ad9ba4e36806360052e47b19c2c9456ac
Opcode Fuzzy Hash: 3a52f31b419d05c4fcbed58cec41ee8aceb811115d911a9d2296036e52aeb09d
Instruction Fuzzy Hash: B5223636209BC986DA709B25E4893AFBB65F789B80F045116EBCD43B6ACF3DC544CB00

Function 005C1420 Relevance: 7.7, Strings: 6, Instructions: 177COMMON

Download Yara Rule

Strings

greyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has, xrefs: 005C16AF
marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp.parampanic during , xrefs: 005C169E
base of <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+134, xrefs: 005C165B
objgc %: gp *(in n= ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfuncc, xrefs: 005C1676
) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm, xrefs: 005C1645
runtime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflo, xrefs: 005C15E7

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: ) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm$base of <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+134$greyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has$marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp.parampanic during $objgc %: gp *(in n= ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfuncc$runtime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflo
API String ID: 0-2832768888
Opcode ID: 169de8a3bab8cce5d1ba203b8d2577037a4726d31b8877cf2e6c9ff4dc77fe63
Instruction ID: 5ee0288ace95b13de6d0f626bdedb05aeb63fcee26107359b433b3acd48e4df2
Opcode Fuzzy Hash: 169de8a3bab8cce5d1ba203b8d2577037a4726d31b8877cf2e6c9ff4dc77fe63
Instruction Fuzzy Hash: DF61E372604B84CAEB109F55E44176EBB75F786BC0F44512AEF8D07B66CB38C1A4C744

Function 005E0FC0 Relevance: 7.2, Strings: 5, Instructions: 943COMMON

Download Yara Rule

Strings

findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruption186264514923095703125931322574615478515625bad type in compare: IPv4 add, xrefs: 005E1F2E
findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceReg, xrefs: 005E1F0C
global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many arguments13877787807814456755295395851135253906256938893903907228377647697925567626953125ryuFtoaFixed32 called with negative precaddress family not s, xrefs: 005E1EEA
findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r, xrefs: 005E1F1D
findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9network dropped, xrefs: 005E1EFB

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceReg$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9network dropped$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruption186264514923095703125931322574615478515625bad type in compare: IPv4 add$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many arguments13877787807814456755295395851135253906256938893903907228377647697925567626953125ryuFtoaFixed32 called with negative precaddress family not s
API String ID: 0-1046944959
Opcode ID: 1b87c957fa9582b5f32755e581043f118d9ea0730d4b843305c6a4d1050bd51a
Instruction ID: 01ea4d7334872f7c6f913a8eb96c7c265eafb09bde66a8b9986fd6412845f34c
Opcode Fuzzy Hash: 1b87c957fa9582b5f32755e581043f118d9ea0730d4b843305c6a4d1050bd51a
Instruction Fuzzy Hash: C1928E32609BC486DB298F16E4843EABB65F789B90F489126CACD47B58DF3DC885C744

Function 005BADC0 Relevance: 6.6, Strings: 5, Instructions: 334COMMON

Download Yara Rule

Strings

6^, xrefs: 005BB2BC
flushGen MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nan, xrefs: 005BB316
!= sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase, xrefs: 005BB331
runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64, xrefs: 005BB2FB
p mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not foundpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeup, xrefs: 005BB358

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase$ flushGen MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nan$p mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not foundpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeup$runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64$6^
API String ID: 0-3929360498
Opcode ID: e5fa76c1547a888af401498500241e1170e78b0aab5854c5b890f632d2d4fdf6
Instruction ID: 9fe309bf7f5f5a592d973effd1ca4bd7acbf07d2f0add3b6b19acd64200b05b5
Opcode Fuzzy Hash: e5fa76c1547a888af401498500241e1170e78b0aab5854c5b890f632d2d4fdf6
Instruction Fuzzy Hash: 09E1E336208B80C6EB54CF65E4843AFBB65F785B90F448226EA9D43BA5DF7CE484C741

Function 005D9CE0 Relevance: 6.5, Strings: 5, Instructions: 298COMMON

Download Yara Rule

Strings

, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp, xrefs: 005DA150
runtime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.semawakeup298023223876953125unable to parse IPsegmentation faultoperatio, xrefs: 005DA11A
suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function 277555756156289135105907917022705078125IPv4 field must have at least one digittransport endpoint is alre, xrefs: 005DA20A
, goid= s=nil (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#, xrefs: 005DA135, 005DA1B7
invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobje, xrefs: 005DA1F9

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: , goid= s=nil (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#$, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:23841857910156250123456789ABCDEFinvalid exchangeno route to hostinvalid argumentmessage too longobje$runtime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr cleantimers: bad p frames elided..., locked to threadruntime.semacreateruntime.semawakeup298023223876953125unable to parse IPsegmentation faultoperatio$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function 277555756156289135105907917022705078125IPv4 field must have at least one digittransport endpoint is alre
API String ID: 0-3259957224
Opcode ID: 28c467d5747793a7c8f7b046c8c298681d421d2f2beaa017d97c51c98dcbc973
Instruction ID: 11119f000ef56259cc7cc42bd9a1f82bdeca9f3bddcd38efef0ace6a33ad0a7e
Opcode Fuzzy Hash: 28c467d5747793a7c8f7b046c8c298681d421d2f2beaa017d97c51c98dcbc973
Instruction Fuzzy Hash: B1D17076208B81C2D724DB69E08576ABF61F3CABD0F049167EE9D43B6ACB79C440CB51

Function 005AC2E0 Relevance: 6.3, Strings: 5, Instructions: 80COMMON

Download Yara Rule

Strings

runtime: lfstack.push invalid packing: node=out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark p, xrefs: 005AC365
packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1Micr, xrefs: 005AC3A5
-> node= ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)tracebac, xrefs: 005AC3C5
cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-, xrefs: 005AC385
lfstack.push span.limit= span.state=bad flushGen MB stacks, worker mode nDataRoots= nSpanRoots= wbuf1=<nil> wbuf2=<nil> gcscandone runtime: gp= found at *( s.elemsize= B (goal , cons/mark maxTrigger= pages/byte s.sweepgen= allocCount end tracegcProces, xrefs: 005AC3EF

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: -> node= ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)tracebac$ cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-$ packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1Micr$lfstack.push span.limit= span.state=bad flushGen MB stacks, worker mode nDataRoots= nSpanRoots= wbuf1=<nil> wbuf2=<nil> gcscandone runtime: gp= found at *( s.elemsize= B (goal , cons/mark maxTrigger= pages/byte s.sweepgen= allocCount end tracegcProces$runtime: lfstack.push invalid packing: node=out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark p
API String ID: 0-1621370682
Opcode ID: c12e68af4669c7ebffe4d4da2f85d7cbb8219f4e62b23d3ca95c3471088a8ffe
Instruction ID: 148b21f8c5386ff1749d414211312e17d1e733e9afbe525a53e91f777d7d2d09
Opcode Fuzzy Hash: c12e68af4669c7ebffe4d4da2f85d7cbb8219f4e62b23d3ca95c3471088a8ffe
Instruction Fuzzy Hash: 46218D32215B49C6EB10EF54E88636EBF68F78AB80F488527EE9D07726DF38C5108710

Function 005A3BE0 Relevance: 5.3, Strings: 4, Instructions: 294COMMON

Download Yara Rule

Strings

nd 3, xrefs: 005A3BF7
expa, xrefs: 005A3BE8
te k, xrefs: 005A3C15
2-by, xrefs: 005A3C06

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: 2-by$expa$nd 3$te k
API String ID: 0-3581043453
Opcode ID: d0a0678b136faf6cdae2b5bb443573c909990b14ac4f0b67f8b4f134291ae36c
Instruction ID: 47faa7e3a054f288c306b693d26b9baa0dc2c7f8025ad0cbc55bd63b5fa5df66
Opcode Fuzzy Hash: d0a0678b136faf6cdae2b5bb443573c909990b14ac4f0b67f8b4f134291ae36c
Instruction Fuzzy Hash: 70B1B066F25FD94AF323A63810036B7EB185FFB9C9A40E327FC9474A87D72095036254

Function 005DD8C0 Relevance: 5.3, Strings: 4, Instructions: 266COMMON

Download Yara Rule

Strings

casgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: split stack overflow: ...additional frames elided...unsafe.String: len out of range11368683772161602973937988281255684341886080801486968994140625zone must be, xrefs: 005DDCCF
casgstatus: waiting for Gwaiting but is Grunnablenot enough significant bits after mult128bitPow10the :: must expand to at least one field of zerosinvalid or incomplete multibyte or wide charactergo package net: dynamic selection of DNS resolverruntime: unabl, xrefs: 005DDC3B
newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnkfiles,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork, xrefs: 005DDCA5
runtime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid , xrefs: 005DDC87

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1MicrosoftNexus.lnkfiles,dnsdns,filesipv6-icmp_outboundlocalhostconnectexfork$casgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: split stack overflow: ...additional frames elided...unsafe.String: len out of range11368683772161602973937988281255684341886080801486968994140625zone must be$casgstatus: waiting for Gwaiting but is Grunnablenot enough significant bits after mult128bitPow10the :: must expand to at least one field of zerosinvalid or incomplete multibyte or wide charactergo package net: dynamic selection of DNS resolverruntime: unabl$runtime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid
API String ID: 0-2878020112
Opcode ID: 028728f7a26f0ea3b3a3c875e20e3282dfb8f792a5b2439a71c153bef8e108a8
Instruction ID: 8d42e3f684e036d2a642b02b34653f4a4d76d683b67e75b9c463781cb2849246
Opcode Fuzzy Hash: 028728f7a26f0ea3b3a3c875e20e3282dfb8f792a5b2439a71c153bef8e108a8
Instruction Fuzzy Hash: BDB1B136609A84C6DB24CB29E48536EBF71F38AB84F548627DE9C43765CF7AC446CB10

Function 005DA520 Relevance: 5.2, Strings: 4, Instructions: 221COMMON

Download Yara Rule

Strings

runtime/internal/thread exhaustionlocked m0 woke upentersyscallblock spinningthreads=gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno da, xrefs: 005DA6E5
reflect., xrefs: 005DA70C
bad restart PC-thread limitstopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine 1907348632812595367431, xrefs: 005DA7D3
runtime., xrefs: 005DA6B2

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: bad restart PC-thread limitstopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine 1907348632812595367431$reflect.$runtime.$runtime/internal/thread exhaustionlocked m0 woke upentersyscallblock spinningthreads=gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno da
API String ID: 0-1367606710
Opcode ID: dfc87a162e84d94f0db691b4ef4fa13258996f395f33df3674a926c4cac493b1
Instruction ID: f1c7121f23a8a6d59889b514ba03e06bb6b1d31e8f9b3b38f88b55064b0b645e
Opcode Fuzzy Hash: dfc87a162e84d94f0db691b4ef4fa13258996f395f33df3674a926c4cac493b1
Instruction Fuzzy Hash: FF71AE72B05A4086DB24CB28E08037BBBA2F385B94F5C8527DB8E57B95DB78D891C701

Function 005DE220 Relevance: 4.0, Strings: 3, Instructions: 245COMMON

Download Yara Rule

Strings

stopTheWorld: not stopped (stopwait != 0)34694469519536141888238489627838134765625strconv: illegal AppendInt/FormatInt basecolon must be followed by more charactersReceived Close Connection for Stream ID %dMapIter.Value called on exhausted iteratorpersistental, xrefs: 005DE540
stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executioncompileCallback: float arguments not supportedruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base poin, xrefs: 005DE5BB
stopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len ou, xrefs: 005DE605

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: stopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len ou$stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executioncompileCallback: float arguments not supportedruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base poin$stopTheWorld: not stopped (stopwait != 0)34694469519536141888238489627838134765625strconv: illegal AppendInt/FormatInt basecolon must be followed by more charactersReceived Close Connection for Stream ID %dMapIter.Value called on exhausted iteratorpersistental
API String ID: 0-1789155415
Opcode ID: 83652f1d0c461c345fbcbb648c88178eb4e52534f9284f6cbca18c896105b993
Instruction ID: cb068819f451cbc3a08c53dc1a2018c0ad0a577616cd2c08aa1c81a63e8b7ff1
Opcode Fuzzy Hash: 83652f1d0c461c345fbcbb648c88178eb4e52534f9284f6cbca18c896105b993
Instruction Fuzzy Hash: 3DA1C032609B80CADB24DF29E49536EBBA1F38AB84F588527DA8D47765DF3CD445CB00

Function 005C1DE0 Relevance: 3.9, Strings: 3, Instructions: 179COMMON

Download Yara Rule

Strings

pacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not foundpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStub, xrefs: 005C1FE6
(scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms, xrefs: 005C2005
MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from 3814697265625dalTLDpSugct?, xrefs: 005C2065

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type 19531259765625::ffff:abortedCopySidWSARecvWSASendsignal nil keyanswersavx512fos/execruntime#internPrograms$ MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from 3814697265625dalTLDpSugct?$pacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not foundpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStub
API String ID: 0-914753012
Opcode ID: 66b8b3959f4267df7245b3ae4ecb31e45d555940aeefe6f8c29f52540a9cfe73
Instruction ID: edcb4be74d62b7e51d7d4eb41b6b90e708c979bb3a68629e83eebf0334965bb1
Opcode Fuzzy Hash: 66b8b3959f4267df7245b3ae4ecb31e45d555940aeefe6f8c29f52540a9cfe73
Instruction Fuzzy Hash: 7171B532518F94C9D611EB65E44075ABB65FBDABC0F44832AFA8E27726CF38C491C750

Function 005EBA20 Relevance: 3.6, Strings: 2, Instructions: 1095COMMON

Download Yara Rule

Strings

selectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStubdodeltimer0: wrong Ptrace: out of memorywirep: already in go37252902984619140625missing IPv6 addressunexpected characterinvalid request codebad font file formatis a named type filekey has been revoked, xrefs: 005EC67B
gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno data availableexec format errorLookupAccountSidWDnsRecordListFreeGetCurrentProcessGetSh, xrefs: 005EC6A5

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: gp.waiting != nilunknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff 1192092895507812559604644775390625permission deniedwrong medium typeno data availableexec format errorLookupAccountSidWDnsRecordListFreeGetCurrentProcessGetSh$selectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStubdodeltimer0: wrong Ptrace: out of memorywirep: already in go37252902984619140625missing IPv6 addressunexpected characterinvalid request codebad font file formatis a named type filekey has been revoked
API String ID: 0-2172786039
Opcode ID: 82d8114099e7681219d931c0c9918f472601328677874f588de47015f5ebb1ad
Instruction ID: 83b1abb068b1e95f11be9d015fe654b60fd1206e7240a95f82996fc0c96808a3
Opcode Fuzzy Hash: 82d8114099e7681219d931c0c9918f472601328677874f588de47015f5ebb1ad
Instruction Fuzzy Hash: 46B26632204BD4C2D768CF12E84479A7BA9F388BC0F669526EEE947795DF78C891C701

Function 00605420 Relevance: 2.8, Strings: 2, Instructions: 347COMMON

Download Yara Rule

Strings

:], xrefs: 0060556F
;], xrefs: 00605792, 00605829

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: :]$ ;]
API String ID: 0-164001195
Opcode ID: f22ffb3edcf88d94b5c92bf437152494631c4e868432e05c5bda731c771b9052
Instruction ID: 632f9b27c7b59797906d4e160c3717b5574afb64d6497f90eb954e8548118f18
Opcode Fuzzy Hash: f22ffb3edcf88d94b5c92bf437152494631c4e868432e05c5bda731c771b9052
Instruction Fuzzy Hash: CDF16B32249F84C5DB68CB15E4403AFBBA6F385B90F598126DE8E43BA5DF78C485CB40

Function 005BB480 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

3`, xrefs: 005BB5B8
gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC, xrefs: 005BB654

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: 3`$gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC
API String ID: 0-1393020697
Opcode ID: 504df797b07dd68de8d5967b56ecb5bc1413217600db621647263bffca2eb3a6
Instruction ID: 09323a7e0443361fce9d6d328cf8d3d770ef5a6f4ee9834392168baf1b2e3aa2
Opcode Fuzzy Hash: 504df797b07dd68de8d5967b56ecb5bc1413217600db621647263bffca2eb3a6
Instruction Fuzzy Hash: 5081B032608B80C5EB40DF60E4853AB7B65F38AB90F518226EADD437A5DFBDD148C740

Function 005D37C0 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

runtime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime:, xrefs: 005D3965
runtime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 , xrefs: 005D39D5

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: runtime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 $runtime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnableruntime:
API String ID: 0-2613774394
Opcode ID: ad044a47095c5be9ce11d8bff49b11abc52a0a6a27b7fbca8d2c242813eb8d12
Instruction ID: 12bd37d33f164570280a69d2f86d30b610af3d316c431c47b66934320e2701dd
Opcode Fuzzy Hash: ad044a47095c5be9ce11d8bff49b11abc52a0a6a27b7fbca8d2c242813eb8d12
Instruction Fuzzy Hash: CD51C53320A75185CB34CF29E05133BAFA1F786BA0F08462BEA9D43795CFB8C6449752

Function 005EF160 Relevance: 1.7, Strings: 1, Instructions: 441COMMON

Download Yara Rule

Strings

!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 005EF26D, 005EF376, 005EF4B7, 005EF5DF

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
API String ID: 0-2911004680
Opcode ID: 8e901955245da634a455f9623f9d2afbf07c9b57d8d78d8df2951f337370e866
Instruction ID: f1b64b471c9863d1f0202cc2c10570a08a64251958935e1cf6e9022fd28e2d89
Opcode Fuzzy Hash: 8e901955245da634a455f9623f9d2afbf07c9b57d8d78d8df2951f337370e866
Instruction Fuzzy Hash: ACF1E332754AC486DA18DF66E8003AABB56F785BD0F958436EA9E07BD5CF7CC841C305

Function 005BF1A0 Relevance: 1.5, Strings: 1, Instructions: 275COMMON

Download Yara Rule

Strings

6^, xrefs: 005BF41A

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: 6^
API String ID: 0-3791550746
Opcode ID: 53a9257113997c3f60936aaa53e3822af6f57c3c82eeb3f9493033b9c7eb461b
Instruction ID: 7c134c1342c4c7450f3cf2a828cc80465aebe78b793ea7b5a38d6fcef6a7f5c6
Opcode Fuzzy Hash: 53a9257113997c3f60936aaa53e3822af6f57c3c82eeb3f9493033b9c7eb461b
Instruction Fuzzy Hash: 6CB1F172209B84C6DB15CF25E8443BABB66F386F94F188635DA9D13B94CF38E485C701

Function 005CFCC0 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 005D0065

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
API String ID: 0-429552053
Opcode ID: 2c6375df0ee66950a860cd547d3998ad245f1038f6b47274a09716a6ccd86537
Instruction ID: a8b54ba6a60b9b99085b21da2f405cc2fa79287ab15d8a8fa3b208b1451e7d7f
Opcode Fuzzy Hash: 2c6375df0ee66950a860cd547d3998ad245f1038f6b47274a09716a6ccd86537
Instruction Fuzzy Hash: 32A17B76618B94C6CA20CB56E44076EAB76F3C9BC0F585526EF8D47B29CF38C991CB40

Function 005B5AE0 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

bulkBarrierPreWrite: unaligned argumentsrefill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs, xrefs: 005B5E87

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: bulkBarrierPreWrite: unaligned argumentsrefill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs
API String ID: 0-866072839
Opcode ID: de4e0b2603993152ddd1a87c7ed5a7be8b35a723012637483fad0dbd82e13009
Instruction ID: 863c39902d3050577a8b40dc54bb3f55eb9892b6d37c790f91f345a0df9d8672
Opcode Fuzzy Hash: de4e0b2603993152ddd1a87c7ed5a7be8b35a723012637483fad0dbd82e13009
Instruction Fuzzy Hash: 0B91C0B6705F8482DB188F56E4443AAAB65F389FC0F589126EF8D57B18EF38D491CB00

Function 005CEEA0 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 005CF167

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
API String ID: 0-2099802129
Opcode ID: 5481d54c0984da4ee0e4a5a67c4866ea971aebe08222671c724d88b22d23753c
Instruction ID: e7492d6646280c6f8ab7adc1db37c6fb732a9548878caaed4d107c29f327a19c
Opcode Fuzzy Hash: 5481d54c0984da4ee0e4a5a67c4866ea971aebe08222671c724d88b22d23753c
Instruction Fuzzy Hash: 3561DFB2750B8886DB009F95E44079A7B66F78ABD0F44923AEF9D13B96CB78C580C340

Function 0061CC80 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 0061CDBE

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
API String ID: 0-2272463933
Opcode ID: 544d34b7c7772609efa53e911e6bfb4dff0fc063ae73cc63aa8868b920208995
Instruction ID: 7c900add1dccbe4f45a66050f9283efc06df3035d09d148a7fd14ad2f511fc53
Opcode Fuzzy Hash: 544d34b7c7772609efa53e911e6bfb4dff0fc063ae73cc63aa8868b920208995
Instruction Fuzzy Hash: 98412A32BC465482CB188B59A4117ED6A17E795FF0F9D5269CE0E0BB91CA69CCC6C384

Function 005C1B60 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not , xrefs: 005C1C50

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID: gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not
API String ID: 0-3110597650
Opcode ID: 95b138d9991054ec6f11f3c02461700914ddf8539f56229ea5deb5f8fc906794
Instruction ID: 445210fdbcc7e54dcb1bafcafab87d9b104f196c0f6d89ce7522ad8b217a345b
Opcode Fuzzy Hash: 95b138d9991054ec6f11f3c02461700914ddf8539f56229ea5deb5f8fc906794
Instruction Fuzzy Hash: 0F2103F3B42A8447EF048F15D4403A86B22F396FD8F49E076CF4957746CA68C592C300

Function 0061C460 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a327071dd105c25a9b8cb1b119f2811a4fea4066297b46f23a5dcff6c0cd065
Instruction ID: 2dcdd6ec15d1e0499eab0f261794ba65e166347cb5902b17fb99c2182ef2dd29
Opcode Fuzzy Hash: 2a327071dd105c25a9b8cb1b119f2811a4fea4066297b46f23a5dcff6c0cd065
Instruction Fuzzy Hash: 2BC1F833B48A9482CA54CF1AE441BEEA762F385FE4F4C5411EE8D87B18CB79C995CB40

Function 005E2180 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda43599758b63797bb4e7e5665ead07e2a67daab0f8d07b557b33772c96f6a0
Instruction ID: 946d9f23bbdafe773f363232436adb5f2e597b2dafee5123ad504d140d8f073c
Opcode Fuzzy Hash: eda43599758b63797bb4e7e5665ead07e2a67daab0f8d07b557b33772c96f6a0
Instruction Fuzzy Hash: E591D3767196C186CB6CCB67A550B6ABB65F789BC0F489426EECD47F18CB3CC8508B40

Function 00607AA9 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66b3d7d87a7107ea2e7963f42bcf8cd2656701d6dcb2611a44547f06cec1e9a
Instruction ID: cb1c8c10ecbfcc7ca9d9a175bfac659d325be5bba6a4cc9a0a064e80908b852d
Opcode Fuzzy Hash: e66b3d7d87a7107ea2e7963f42bcf8cd2656701d6dcb2611a44547f06cec1e9a
Instruction Fuzzy Hash: A7B10D16D1CFCA50E61357789403B762B106FF39D4F01D73ABAC2F16A3DB566A00BA22

Function 005CC640 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93777dd3814fc503c69b58b28e96303c24bab9db006b93a2883c99640e9c12de
Instruction ID: 7d719542a8bf19b9848f480844d19caf3beb4f6c261d2ff57a880be0755aef25
Opcode Fuzzy Hash: 93777dd3814fc503c69b58b28e96303c24bab9db006b93a2883c99640e9c12de
Instruction Fuzzy Hash: A6A14776618B8486DB10CB65E08075ABBA1F789BD4F14522AEFDE53BA9CF3CD051CB40

Function 005CDAC0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fca6ffe96d0598eb837d865953b686d33a67bbe900ba1178b2787fa9c7e443
Instruction ID: 4f8655bf913d0abc42eabda5b97a4cf1de0057127b00231b96ba011517b637f8
Opcode Fuzzy Hash: 00fca6ffe96d0598eb837d865953b686d33a67bbe900ba1178b2787fa9c7e443
Instruction Fuzzy Hash: 9B81B477718B8486DB108F95E4807AABB72F79ABC0F08512AEF8D57B59CB78D481C740

Function 005AA440 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b15f9b251d4b9bad160ca198cc595e2c5b7e26107d4e1a8077fa7aa7865769d1
Instruction ID: 448a1c6d895670e806b0fd8c71262130fc10f4e18fb5325edd7288614ce0dda2
Opcode Fuzzy Hash: b15f9b251d4b9bad160ca198cc595e2c5b7e26107d4e1a8077fa7aa7865769d1
Instruction Fuzzy Hash: A841F5A5B01A9485AE048B6295240AEA761F74FFD0398E633DF1D77B6CD73CD906C348

Function 005F3940 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5544c23892530e6ff4a0e1e40e00622561a5280096765141d73e8fd0a37b3e
Instruction ID: bc480bab9adf13330a5b45a0481e57e498f954cc91cc8d5aeed091ba57407c5a
Opcode Fuzzy Hash: 8f5544c23892530e6ff4a0e1e40e00622561a5280096765141d73e8fd0a37b3e
Instruction Fuzzy Hash: 09413B22B81A4C8BEB009F3994523B65A85F380774FCC4675DFED473C2E2ADCAE59610

Function 005C7A60 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a7a0baea95fd27db43dd60eeadacc24f31a1ad7dc38dabda4e2d949d588315
Instruction ID: 13700decb016cba4c4259387eae7e943365794cd852e5d37808270bb8301da98
Opcode Fuzzy Hash: f0a7a0baea95fd27db43dd60eeadacc24f31a1ad7dc38dabda4e2d949d588315
Instruction Fuzzy Hash: 4C51E67270DB498ADA05CB75E44472AA761F78EBE4F188729EA5D13B94EF3CD4C18B00

Function 005C36C0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ed0ed9ca0cdd05faed2fded70e7b31717ee3d05d4e96dc5803aa543740dc3c
Instruction ID: aebd06353482dbea93a4318384bf7e1deefea31f51b6b3b8326aaaf14de0a087
Opcode Fuzzy Hash: 78ed0ed9ca0cdd05faed2fded70e7b31717ee3d05d4e96dc5803aa543740dc3c
Instruction Fuzzy Hash: 2B3108E2A0BE494DDE0BD7BA54617209657BFD3FE0F94D722582B762E4EF1983428700

Function 005D0A40 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d559122a1f6f0b69832be9421c7c214fb777efde5fa0d191de61b1ee1601c01b
Instruction ID: 87b37552f95af525a587bcc17d09d50b04beae85753f244dbf75b262db5a2840
Opcode Fuzzy Hash: d559122a1f6f0b69832be9421c7c214fb777efde5fa0d191de61b1ee1601c01b
Instruction Fuzzy Hash: 543127B6715B8446EF98CB225A243C9639BF798BC4F05E5769F4C93318EB38E590C340

Function 005AE960 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2038f05e97998120fb53114f31a9548b5147d81bdcd68613d0732e6f28c08c9d
Instruction ID: e94f23759229c90b5217f41c3c1165a623fbe57bd4cce06f0991e67cd48cb19d
Opcode Fuzzy Hash: 2038f05e97998120fb53114f31a9548b5147d81bdcd68613d0732e6f28c08c9d
Instruction Fuzzy Hash: 131100E2E36F440ADA47C73A5551315820B6F97BD0F28D322BD1BB6796E72991D38100

Function 0060A800 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673591282.00000000005A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.2673550473.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673667064.000000000068E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673750056.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673766899.00000000007A2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673787166.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673807813.00000000007AD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.00000000007CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673825938.0000000000835000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.0000000000839000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673896976.000000000087F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2673990265.0000000000920000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2674006023.0000000000921000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a0000_5yv6ZxNaTP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a256208f17b381db6722f0ed2d02a2297ad36eb4d6491dea5391dd1c04bdc341
Instruction ID: 8c62e02cbf8056ce11925d65995b39dd87271b69d6bd4748572d2358765d0429
Opcode Fuzzy Hash: a256208f17b381db6722f0ed2d02a2297ad36eb4d6491dea5391dd1c04bdc341
Instruction Fuzzy Hash: CBC02BF0907FC128FB94C34071003533AC7CF443C4D80C090C2D800764DA2CC3824204

Analysis Process: powershell.exePID: 7764, Parent PID: 7736COMMON

Executed Functions

Function 00007FFB4B4408CD Relevance: 2.4, Strings: 1, Instructions: 1191COMMON

Download Yara Rule

Strings

2B_H, xrefs: 00007FFB4B4409C2

Memory Dump Source

Source File: 00000001.00000002.1466363103.00007FFB4B440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4b440000_powershell.jbxd

Similarity

API ID:
String ID: 2B_H
API String ID: 0-1297890977
Opcode ID: 484f1cf8013076a2da54927c8fae3de87b057708090b89dfecf4c8570cc7ec39
Instruction ID: 652729987e377438af7008d1d7c6a50156d3dcaa8e714347dc8d8868d4267bb1
Opcode Fuzzy Hash: 484f1cf8013076a2da54927c8fae3de87b057708090b89dfecf4c8570cc7ec39
Instruction Fuzzy Hash: F37237A2A0DAD90FE79AAB7888651747FD1EF56310F0840FED58CC72D3DD18AC568392

Function 00007FFB4B441442 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1466363103.00007FFB4B440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4b440000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa72af80c92c063d7487e535b377058d95390f0b6227125cc4d3428e8d32f06
Instruction ID: bbe5fd27a463e6f6ef496ca9e83b979f9790eddabf36a3e16182b6006d758b8f
Opcode Fuzzy Hash: 5aa72af80c92c063d7487e535b377058d95390f0b6227125cc4d3428e8d32f06
Instruction Fuzzy Hash: 0551067180D7D84FD35A9B28D8556A47FF0EF97320F0942EFE089C71A3D668A826C752

Function 00007FFB4B3733B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1465988468.00007FFB4B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffb4b370000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 5fa3338294c3b4baabbcae15557c230475371c44801a5eeae78c5c4df2a1f4bb
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 8901677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC36A1DA36E882CB45

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5yv6ZxNaTP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kooj2ijd.zhe.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v5e0kluk.1fy.psm1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Windows Analysis Report
5yv6ZxNaTP.exe

Function 005AD200 Relevance: 12.9, Strings: 10, Instructions: 384
COMMON

Function 005A1FE0 Relevance: 9.2, Strings: 7, Instructions: 474
COMMON