Edit tour

Windows Analysis Report
wr.exe

Overview

General Information

Sample name:	wr.exe
Analysis ID:	1428863
MD5:	e2a072228078e6f3cf5073f4af029913
SHA1:	16ed4faf2239de52acdc439e88047984b8510547
SHA256:	a742c71ce1ae3316e82d2b8c788b9c6ffd723d8d6da4f94ba5639b84070bb639
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Classification

Process Tree

System is w10x64

wr.exe (PID: 5064 cmdline: "C:\Users\user\Desktop\wr.exe" MD5: E2A072228078E6F3CF5073F4AF029913)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: wr.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: wr.exe

ReversingLabs: Detection: 87%

Source: wr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\wr.exe	Code function: 4x nop then mov rsi, r9		0_2_005DB2A0
Source: C:\Users\user\Desktop\wr.exe	Code function: 4x nop then mov rdi, 0000800000000000h		0_2_005D9DE0

Source: unknown

DNS traffic detected: queries for: www.dblikes.top

Source: wr.exe, wr.exe, 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.dblikes.top/winconsistent
Source: wr.exe	String found in binary or memory: https://www.sysinternals.com0

Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_00617300 SetWaitableTimer,SetWaitableTimer,NtWaitForSingleObject,		0_2_00617300
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_006172C0 NtWaitForSingleObject,		0_2_006172C0

Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005E4080	0_2_005E4080
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005B6160	0_2_005B6160
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005D41E0	0_2_005D41E0
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_00605240	0_2_00605240
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005DA260	0_2_005DA260
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_00628220	0_2_00628220
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005D72C0	0_2_005D72C0
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_0060F2A0	0_2_0060F2A0
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005C9280	0_2_005C9280
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005DB2A0	0_2_005DB2A0
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005F7300	0_2_005F7300
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005FF3E0	0_2_005FF3E0
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005CD380	0_2_005CD380
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_00626440	0_2_00626440
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005ED460	0_2_005ED460
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_006124A9	0_2_006124A9
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005BC4A0	0_2_005BC4A0
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005F04A0	0_2_005F04A0
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005E7500	0_2_005E7500
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005DC5A0	0_2_005DC5A0
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005FA660	0_2_005FA660
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005C5600	0_2_005C5600
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005D6600	0_2_005D6600
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005B6620	0_2_005B6620
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005D1740	0_2_005D1740
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005C4860	0_2_005C4860
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005C98E0	0_2_005C98E0
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005B5880	0_2_005B5880
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005FDAA0	0_2_005FDAA0
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005EEBC0	0_2_005EEBC0
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005BDBA0	0_2_005BDBA0
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_00625C00	0_2_00625C00
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005F3C20	0_2_005F3C20
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_00627CE0	0_2_00627CE0
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005C9CC0	0_2_005C9CC0
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_00606C80	0_2_00606C80
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005E7D60	0_2_005E7D60
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005D9DE0	0_2_005D9DE0
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005B9E20	0_2_005B9E20
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005EAE20	0_2_005EAE20
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005EDEA0	0_2_005EDEA0
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005CFF60	0_2_005CFF60
Source: C:\Users\user\Desktop\wr.exe	Code function: 0_2_005BCFE0	0_2_005BCFE0

Source: C:\Users\user\Desktop\wr.exe	Code function: String function: 005FE620 appears 37 times
Source: C:\Users\user\Desktop\wr.exe	Code function: String function: 005E8320 appears 54 times
Source: C:\Users\user\Desktop\wr.exe	Code function: String function: 005E6A60 appears 31 times
Source: C:\Users\user\Desktop\wr.exe	Code function: String function: 005E6960 appears 564 times
Source: C:\Users\user\Desktop\wr.exe	Code function: String function: 005E8BA0 appears 563 times

Source: wr.exe

Static PE information: invalid certificate

Source: classification engine

Classification label: mal60.evad.winEXE@1/0@2/0

Source: C:\Users\user\Desktop\wr.exe

Mutant created: \Sessions\1\BaseNamedObjects\abc20259991

Source: C:\Users\user\Desktop\wr.exe

File opened: C:\Windows\system32\86dbeb1e3f4e7a98ad6a93ba86f929747d19ef3c7cdf7a0145acd6db2fd830a1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: C:\Users\user\Desktop\wr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wr.exe

ReversingLabs: Detection: 87%

Source: wr.exe	String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
Source: wr.exe	String found in binary or memory: C:/Users/Sroc/go/pkg/mod/golang.org/x/sys@v0.17.0/windows/svc/eventlog/install.go

Source: C:\Users\user\Desktop\wr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\wr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\wr.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\wr.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\wr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wr.exe	Section loaded: mswsock.dll	Jump to behavior

Source: wr.exe

Static file information: File size 4445584 > 1048576

Source: wr.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x43aa00

Source: wr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\wr.exe

Code function: 0_2_00D9A7C0 LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,ExitProcess,

0_2_00D9A7C0

Source: wr.exe

Static PE information: section name: UPX2

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\wr.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\wr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\wr.exe

Code function: 0_2_006153E0 rdtscp

0_2_006153E0

Source: C:\Users\user\Desktop\wr.exe

Code function: 0_2_005E19C0 GetProcessAffinityMask,GetSystemInfo,

0_2_005E19C0

Source: wr.exe, 00000000.00000002.2039272794.000002685E15C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\wr.exe

API call chain: ExitProcess graph end node

graph_0-45125

Source: C:\Users\user\Desktop\wr.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\wr.exe

Code function: 0_2_006153E0 Start: 006153E9 End: 006153FF

0_2_006153E0

Source: C:\Users\user\Desktop\wr.exe

Code function: 0_2_006153E0 rdtscp

0_2_006153E0

Source: C:\Users\user\Desktop\wr.exe

Code function: 0_2_00D9A7C0 LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,ExitProcess,

0_2_00D9A7C0

Source: C:\Users\user\Desktop\wr.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\wr.exe

Code function: 0_2_005F9980 RtlAddVectoredExceptionHandler,RtlAddVectoredContinueHandler,RtlAddVectoredContinueHandler,SetUnhandledExceptionFilter,

0_2_005F9980

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Software Packing	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	21 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
wr.exe	88%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner
wr.exe	100%	Avira	TR/Redcap.rhlwi

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ghs.googlehosted.com	173.194.209.121	true	false		unknown
www.dblikes.top	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.dblikes.top/winconsistent	wr.exe, wr.exe, 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp	false		unknown
https://www.sysinternals.com0	wr.exe	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428863
Start date and time:	2024-04-19 18:35:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wr.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@1/0@2/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 47
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
VT rate limit hit for: wr.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ghs.googlehosted.com	phishing_email.eml.msg	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	142.250.190.19
	rsV7dDNYT3.elf	Get hash	malicious	Unknown	Browse	142.250.80.51
	sample.bin	Get hash	malicious	Unknown	Browse	142.251.116.121
	SecuriteInfo.com.Application.Linux.Generic.22204.666.18925.elf	Get hash	malicious	Unknown	Browse	172.217.13.115
	https://courtofkingsbenchofalberta.securevdr.com/public/share/web-b2e071badfaa4de2	Get hash	malicious	HTMLPhisher	Browse	142.251.40.115
	https://cthompson-vsc16.coupacloud.com/quotes/external_responses/b30e6941a7e0553e0d3b5d318c8a406aefe85fa0bd4d5e844560a248434cc9ccd28fbee0140d9980/terms?response_intend=true	Get hash	malicious	Unknown	Browse	142.251.32.115
	https://cthompson-vsc16.coupacloud.com/quotes/external_responses/b30e6941a7e0553e0d3b5d318c8a406aefe85fa0bd4d5e844560a248434cc9ccd28fbee0140d9980/terms?response_intend=true	Get hash	malicious	Unknown	Browse	142.251.32.115
	https://www.sharevault.net/panajax/index.jsp?et=iaebe&uno=d53d1e12-04bb-4756-9e67-8d688dccc59d&svid=6876	Get hash	malicious	Unknown	Browse	142.250.80.115
	https://c4acd020.caspio.com/dp/74bad000cb53f19fe49e4479a674	Get hash	malicious	Unknown	Browse	142.251.2.121

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.891548043841517
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	wr.exe
File size:	4'445'584 bytes
MD5:	e2a072228078e6f3cf5073f4af029913
SHA1:	16ed4faf2239de52acdc439e88047984b8510547
SHA256:	a742c71ce1ae3316e82d2b8c788b9c6ffd723d8d6da4f94ba5639b84070bb639
SHA512:	1ff79ce5e138afe9924577d4901ac028a7a2ba90b2273779b4a933aa65a6963d1c23a5b35e6015eb96f8b3efdc1766b7a2b5e18cc7bd181dc82660c9ef34fa6e
SSDEEP:	98304:DdTDuHIp8vWucCSSR94RD2rwCL2ZtIjcQyWYkgiDyYNWGtlNRtkG2wpOx1DkkSgB:dDbTJGi2rAZUghYPtXR6GhI9R0n0
TLSH:	3626335A2501A1A4E1E57B7032AD3DD2E88F34434FAE74A54C8BCAF01D7AED39B53063
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........r.<.....".......C.......:.P.~...;...@...............................~...........`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0xbea750
Entrypoint Section:	UPX1
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	6ed4f5f04d62b18d96b26d6db7c18840

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	02/09/2021 20:32:59 01/09/2022 20:32:59
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	D15B2B9631F8B37BA8D83A5AE528A8BB
Thumbprint SHA-1:	8740DF4ACB749640AD318E4BE842F72EC651AD80
Thumbprint SHA-256:	2EB421FBB33BBF9C8F6B58C754B0405F40E02CB6328936AAE39DB7A24880EA21
Serial:	33000002528B33AAF895F339DB000000000252

Entrypoint Preview

Instruction
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FFBC58CAh]
dec eax
lea edi, dword ptr [esi-003AF025h]
push edi
xor ebx, ebx
xor ecx, ecx
dec eax
or ebp, FFFFFFFFh
call 00007F90F4F1FE85h
add ebx, ebx
je 00007F90F4F1FE34h
rep ret
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
rep ret
dec eax
lea eax, dword ptr [edi+ebp]
cmp ecx, 05h
mov dl, byte ptr [eax]
jbe 00007F90F4F1FE53h
dec eax
cmp ebp, FFFFFFFCh
jnbe 00007F90F4F1FE4Dh
sub ecx, 04h
mov edx, dword ptr [eax]
dec eax
add eax, 04h
sub ecx, 04h
mov dword ptr [edi], edx
dec eax
lea edi, dword ptr [edi+04h]
jnc 00007F90F4F1FE21h
add ecx, 04h
mov dl, byte ptr [eax]
je 00007F90F4F1FE42h
dec eax
inc eax
mov byte ptr [edi], dl
sub ecx, 01h
mov dl, byte ptr [eax]
dec eax
lea edi, dword ptr [edi+01h]
jne 00007F90F4F1FE22h
rep ret
cld
inc ecx
pop ebx
jmp 00007F90F4F1FE3Ah
dec eax
inc esi
mov byte ptr [edi], dl
dec eax
inc edi
mov dl, byte ptr [esi]
add ebx, ebx
jne 00007F90F4F1FE3Ch
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jc 00007F90F4F1FE18h
lea eax, dword ptr [ecx+01h]
jmp 00007F90F4F1FE39h
dec eax
inc ecx
call ebx
adc eax, eax
inc ecx
call ebx
adc eax, eax
add ebx, ebx
jne 00007F90F4F1FE3Ch
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jnc 00007F90F4F1FE16h
sub eax, 03h
jc 00007F90F4F1FE4Bh
shl eax, 08h
movzx edx, dl
or eax, edx
dec eax
inc esi
xor eax, FFFFFFFFh
je 00007F90F4F1FE8Ah
sar eax, 1

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7eb000	0x9c	UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x43ae00	0x2790	UPX1
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x3af000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x3b0000	0x43b000	0x43aa00	49b53f25b9a2d71ae3dc7f43479caa91	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX2	0x7eb000	0x1000	0x200	2a6c937fc0cf9a0e86bf0698c0a6a7db	False	0.1953125	data	1.3719135890817398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 18:36:06.205009937 CEST	65357	53	192.168.2.5	8.8.8.8
Apr 19, 2024 18:36:06.205176115 CEST	65358	53	192.168.2.5	8.8.8.8
Apr 19, 2024 18:36:06.312657118 CEST	53	65358	8.8.8.8	192.168.2.5
Apr 19, 2024 18:36:06.312728882 CEST	53	65357	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 19, 2024 18:36:06.205009937 CEST	192.168.2.5	8.8.8.8	0xfe42	Standard query (0)	www.dblikes.top	A (IP address)	IN (0x0001)	false
Apr 19, 2024 18:36:06.205176115 CEST	192.168.2.5	8.8.8.8	0x9059	Standard query (0)	www.dblikes.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 19, 2024 18:36:06.312657118 CEST	8.8.8.8	192.168.2.5	0x9059	No error (0)	www.dblikes.top	ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 19, 2024 18:36:06.312657118 CEST	8.8.8.8	192.168.2.5	0x9059	No error (0)	ghs.googlehosted.com			28	IN (0x0001)	false
Apr 19, 2024 18:36:06.312728882 CEST	8.8.8.8	192.168.2.5	0xfe42	No error (0)	www.dblikes.top	ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 19, 2024 18:36:06.312728882 CEST	8.8.8.8	192.168.2.5	0xfe42	No error (0)	ghs.googlehosted.com		173.194.209.121	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	18:36:04
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\wr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\wr.exe"
Imagebase:	0x5b0000
File size:	4'445'584 bytes
MD5 hash:	E2A072228078E6F3CF5073F4AF029913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	58.8%
Total number of Nodes:	17
Total number of Limit Nodes:	2

Executed Functions

Function 00D9A7C0 Relevance: 6.2, APIs: 4, Instructions: 195
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00D9A8E6
GetProcAddress.KERNEL32 ref: 00D9A904
VirtualProtect.KERNELBASE(?,?,?,00000000), ref: 00D9A989
VirtualProtect.KERNELBASE ref: 00D9A9A7

Memory Dump Source

Source File: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: 7d3bf6b3c3a184bc2c8824ec2578db003a582a91b4c17481c9f146442b4b0725
Instruction ID: ef214a0b29ea1b3771c68663f5ba378b1de8c84d0a2685399ac938091e37c607
Opcode Fuzzy Hash: 7d3bf6b3c3a184bc2c8824ec2578db003a582a91b4c17481c9f146442b4b0725
Instruction Fuzzy Hash: A1515223B5125196DF245BBCAD843A867A1E7057B4F8C4336CBBD433C5EA68C84783B2

Uniqueness

Uniqueness Score: -1.00%

Function 00617300 Relevance: 1.5, APIs: 1, Instructions: 28
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWaitableTimer.KERNELBASE ref: 00617361

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID: TimerWaitable
String ID:
API String ID: 1823812067-0
Opcode ID: 2b08c3f2551288a64fb59bf88715c0fef3be7b33fb2fbd41e23685c7eed74307
Instruction ID: 58715df1a1750b6632fb2ffc065be4eb7d2ba5ec83ccc7932d9f5976b4d70e4c
Opcode Fuzzy Hash: 2b08c3f2551288a64fb59bf88715c0fef3be7b33fb2fbd41e23685c7eed74307
Instruction Fuzzy Hash: FD01B676225F8485DA508B4AE8A035A7360F3C9FA4F545222EEAD977A4CF39C1218B00

Uniqueness

Uniqueness Score: -1.00%

Function 00616E60 Relevance: 1.3, APIs: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00616EBC

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 33b54bf97a7912f954cb5ac1813d54e14e05c2a316259aa94b24e2224a416175
Instruction ID: 9e0d2406965e0cc46b00aae48087181261bb1e41accb4794bbccd779749559b8
Opcode Fuzzy Hash: 33b54bf97a7912f954cb5ac1813d54e14e05c2a316259aa94b24e2224a416175
Instruction Fuzzy Hash: 8EF064BAA01B8082DB218B1AE9403683370F74CBE8F244216DE5DA3B20CB29E192C200

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00606C80 Relevance: 32.6, Strings: 25, Instructions: 1308COMMON

Download Yara Rule

Strings

tracebackunderflowunhandledwbufSpanswebsocketwinmm.dll} stack=[ netGo = MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!Weekday(%s|%s%s, xrefs: 0060889A
stack=[_NewEnum_gatewayaddress avx512bwavx512cdavx512dqavx512eravx512pfavx512vlbad instcgocheckcontinuecs deadlockexecwaitexporterfinishedfs gs hijackedhttp/1.1if-matchif-rangeinvalid locationno anodeno-cacheno_proxypollDescr10 r11 r12 , xrefs: 00607E45
runtime., xrefs: 006082F2
: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerContent-RangeDeleteServiceECDSAWithSHA1EnumProcessesExitWindowsExFQDN too longFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep wait, xrefs: 00606F3C
: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad RequestClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruENABLE_PUSHEND_HEADERSESTABLISHEDEarly HintsEnumWindowsEnvironmentExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFile, xrefs: 00607DD7
unknown caller pcunknown type kindunrecognized namewait for GC cyclewrong medium typex-forwarded-proto but memory size because dotdotdot in async preempt to non-Go memory , locked to thread/etc/nsswitch.conf298023223876953125: day out of rangeArab Standard , xrefs: 00608834
] n=allgallpasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chancx16datedeaddialermsetagfailfilefromftpsfuncgziphosthourhttpicmpidleigmpinetint8itabkindlinkopenpipepop3quitreadrootsbrksmtpsse2sse3tcp4tcp6trueudp4udp6uintunixvaryxn-- ... MB, a, xrefs: 00607E85
called from flushedWork idlethreads= in duration in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc Accept-Ranges, xrefs: 0060762F
gopa, xrefs: 00608309
sp=%x><) = ) m=+Inf-Inf.css.gif.htm.jpg.mjs.pdf.png.svg.xml0x%x10803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDATADashDateEESTEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTSASTStatThaiTypem=] = ] n=allgallpasn1avx2base, xrefs: 00607F1B, 006084FC
gentraceback callback cannot be used with non-zero skipmheap.freeSpanLocked - invalid free of user arena chunknet/http: invalid byte %q in %s; dropping invalid bytesnet/http: request canceled while waiting for connectionos: invalid use of WriteAt on file opene, xrefs: 006088BC
panicparsepop3srangerune scav schedsleepslicesockssse41sse42ssse3sudogsweeptext/tls: traceuint8usageutf-8write B -> FROM Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not , val , xrefs: 00608327
fp= is lr: of on pc= sp: sp=%x><) = ) m=+Inf-Inf.css.gif.htm.jpg.mjs.pdf.png.svg.xml0x%x10803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDATADashDateEESTEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTSASTStatThaiTypem=, xrefs: 006084DE
(...), i = , not , val .local.onion390625<-chanAcceptAnswerArabicAugustBasic BrahmiCANCELCLOSEDCarianChakmaCommonCookieCopticDELETEExpectFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLISTENLengthLepchaLockedLycianLydianMondayPADDEDPragmaRe, xrefs: 00608125
traceback did not unwind completelytransform: short destination buffertransport endpoint is not connectedunsupported signature algorithm: %vx509: decryption password incorrectx509: invalid authority info accessx509: malformed extension OID fieldx509: wrong Ed2, xrefs: 00607ECF
gentraceback cannot trace user goroutine on its own stackreceived record with version %x when expecting version %xruntime: checkmarks found unexpected unmarked object obj=sync: WaitGroup misuse: Add called concurrently with Waittls: Ed25519 public keys are not, xrefs: 006088AB
traceback stuckunexpected typeunknown Go typeunknown networkunknown versionwindows-servicewrite error: %wx-forwarded-for already; errno= mheap.sweepgen= not in ranges: untyped locals %s %s HTTP/1.1, not a function.WithValue(type /etc/resolv.conf0123456789AB, xrefs: 00607F65
unknown pcuser-agentuser32.dllws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, xrefs: 00606FA9
runtime: traceback stuck. pc=scanobject of a noscan objectsemacquire not on the G stackstring concatenation too longsyntax error scanning booleantimeBegin/EndPeriod not foundtls: invalid NextProtos valuetls: invalid server key sharetls: too many ignored record, xrefs: 00607EFD
max= ms, ptr tab= top=%s %q%s*%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarch, xrefs: 00607EA5
top=%s %q%s*%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsage, xrefs: 00607DF5
runtime: g runtime: p scheddetailsechost.dllsecur32.dllshell32.dllshort writetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dll (sensitive) B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTri, xrefs: 00606F1E, 006075EB
runtime: gs.state = schedtracesemacquireset-cookiesetsockoptskipping: socks bindstackLarget.Kind == terminatedtracefree(tracegc()unixpacketunknown pcuser-agentuser32.dllws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, exp.) for freeindex= gc, xrefs: 00607DB9
: unexpected return pc for CertEnumCertificatesInStoreCurveP256CurveP384CurveP521DATA frame with stream ID 0Easter Island Standard TimeFindCloseChangeNotificationG waiting list is corruptedGetSecurityDescriptorLengthGetUserPreferredUILanguagesNAF digits must f, xrefs: 00607609
traceback: unexpected SPWRITE function trailing backslash at end of expressiontransport endpoint is already connectedusername/password authentication failedwmi: cannot load field %q into a %q: %sx509: failed to parse URI constraint %qx509: invalid NameConstrai, xrefs: 0060886A

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: stack=[_NewEnum_gatewayaddress avx512bwavx512cdavx512dqavx512eravx512pfavx512vlbad instcgocheckcontinuecs deadlockexecwaitexporterfinishedfs gs hijackedhttp/1.1if-matchif-rangeinvalid locationno anodeno-cacheno_proxypollDescr10 r11 r12 $ called from flushedWork idlethreads= in duration in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc Accept-Ranges$ fp= is lr: of on pc= sp: sp=%x><) = ) m=+Inf-Inf.css.gif.htm.jpg.mjs.pdf.png.svg.xml0x%x10803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDATADashDateEESTEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTSASTStatThaiTypem=$ max= ms, ptr tab= top=%s %q%s*%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarch$ sp=%x><) = ) m=+Inf-Inf.css.gif.htm.jpg.mjs.pdf.png.svg.xml0x%x10803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDATADashDateEESTEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTSASTStatThaiTypem=] = ] n=allgallpasn1avx2base$ top=%s %q%s*%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFoundGreekHTTP/KhmerLatinLimbuLocalMarchNushuOghamOriyaOsage$(...), i = , not , val .local.onion390625<-chanAcceptAnswerArabicAugustBasic BrahmiCANCELCLOSEDCarianChakmaCommonCookieCopticDELETEExpectFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLISTENLengthLepchaLockedLycianLydianMondayPADDEDPragmaRe$: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad RequestClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruENABLE_PUSHEND_HEADERSESTABLISHEDEarly HintsEnumWindowsEnvironmentExitProcessFreeLibraryGOMEMLIMIT=GOTRACEBACKGetFile$: unexpected return pc for CertEnumCertificatesInStoreCurveP256CurveP384CurveP521DATA frame with stream ID 0Easter Island Standard TimeFindCloseChangeNotificationG waiting list is corruptedGetSecurityDescriptorLengthGetUserPreferredUILanguagesNAF digits must f$: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerContent-RangeDeleteServiceECDSAWithSHA1EnumProcessesExitWindowsExFQDN too longFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep wait$] n=allgallpasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chancx16datedeaddialermsetagfailfilefromftpsfuncgziphosthourhttpicmpidleigmpinetint8itabkindlinkopenpipepop3quitreadrootsbrksmtpsse2sse3tcp4tcp6trueudp4udp6uintunixvaryxn-- ... MB, a$gentraceback callback cannot be used with non-zero skipmheap.freeSpanLocked - invalid free of user arena chunknet/http: invalid byte %q in %s; dropping invalid bytesnet/http: request canceled while waiting for connectionos: invalid use of WriteAt on file opene$gentraceback cannot trace user goroutine on its own stackreceived record with version %x when expecting version %xruntime: checkmarks found unexpected unmarked object obj=sync: WaitGroup misuse: Add called concurrently with Waittls: Ed25519 public keys are not$gopa$panicparsepop3srangerune scav schedsleepslicesockssse41sse42ssse3sudogsweeptext/tls: traceuint8usageutf-8write B -> FROM Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util(...), i = , not , val $runtime.$runtime: g runtime: p scheddetailsechost.dllsecur32.dllshell32.dllshort writetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dll (sensitive) B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTri$runtime: gs.state = schedtracesemacquireset-cookiesetsockoptskipping: socks bindstackLarget.Kind == terminatedtracefree(tracegc()unixpacketunknown pcuser-agentuser32.dllws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, exp.) for freeindex= gc$runtime: traceback stuck. pc=scanobject of a noscan objectsemacquire not on the G stackstring concatenation too longsyntax error scanning booleantimeBegin/EndPeriod not foundtls: invalid NextProtos valuetls: invalid server key sharetls: too many ignored record$traceback did not unwind completelytransform: short destination buffertransport endpoint is not connectedunsupported signature algorithm: %vx509: decryption password incorrectx509: invalid authority info accessx509: malformed extension OID fieldx509: wrong Ed2$traceback stuckunexpected typeunknown Go typeunknown networkunknown versionwindows-servicewrite error: %wx-forwarded-for already; errno= mheap.sweepgen= not in ranges: untyped locals %s %s HTTP/1.1, not a function.WithValue(type /etc/resolv.conf0123456789AB$traceback: unexpected SPWRITE function trailing backslash at end of expressiontransport endpoint is already connectedusername/password authentication failedwmi: cannot load field %q into a %q: %sx509: failed to parse URI constraint %qx509: invalid NameConstrai$tracebackunderflowunhandledwbufSpanswebsocketwinmm.dll} stack=[ netGo = MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!Weekday(%s|%s%s$unknown caller pcunknown type kindunrecognized namewait for GC cyclewrong medium typex-forwarded-proto but memory size because dotdotdot in async preempt to non-Go memory , locked to thread/etc/nsswitch.conf298023223876953125: day out of rangeArab Standard $unknown pcuser-agentuser32.dllws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=
API String ID: 0-1997802532
Opcode ID: 4e80f16eea02150e7333b7c8faee4272fb7bc035b0b483cf60a8b4b45d1f7b42
Instruction ID: 323d5085de741439ac9c3d56a7c61b9c12eb59b47b9e4b81a6fa8da5fc4311be
Opcode Fuzzy Hash: 4e80f16eea02150e7333b7c8faee4272fb7bc035b0b483cf60a8b4b45d1f7b42
Instruction Fuzzy Hash: 89E2F036648BC586CAB99B12E4843EFB769F789B94F444116EECD43B99CF38C591CB00

Uniqueness

Uniqueness Score: -1.00%

Function 005D41E0 Relevance: 15.7, Strings: 12, Instructions: 725
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

nalloc= newval= nfreed= packed= ping=%q pointer stack=[ status %!Month(%02d%02d2.5.4.102.5.4.112.5.4.1748828125AcceptExAcceptedArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCurveID(CyrillicDNS nameDSA-SHA1DecemberDuployanEqua, xrefs: 005D4B45
mspan.sweep: m is not lockedmultipart: message too largenewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedpending ASN.1 child too longprotocol driver not attachedreflect.MakeSlice: len > capregion exceeds uintptr rangeruntime., xrefs: 005D4EDB
mspan.sweep: bad span statenet/http: invalid method %qnet/http: use last responsenot a XENIX named type fileprogToPointerMask: overflowreflect.Value.UnsafePointerrunlock of unlocked rwmutexruntime: asyncPreemptStack=runtime: checkdead: find g runtime: checkdea, xrefs: 005D4ECA
previous allocCount=, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCM_Get_DevNode_StatusCentral Standard TimeChangeServiceConfig2WDeregist, xrefs: 005D4B65
sweepgen= targetpc= throwing= until pc=%!Weekday(%s|%s%s|%s, bound = , limit = .localhost/dev/stdin/etc/hosts122070312561035156258.8.8.8:53: parsing :authorityAdditionalBad varintCLOSE_WAITCancelIoExChorasmianClassCHAOSClassCSNETConnectionContent-IdCreateFile, xrefs: 005D4AB2, 005D4E85
mheap.sweepgen= not in ranges: untyped locals %s %s HTTP/1.1, not a function.WithValue(type /etc/resolv.conf0123456789ABCDEF0123456789abcdef2384185791015625: value of type Already ReportedCoCreateInstanceConnectNamedPipeContent-EncodingContent-LanguageCont, xrefs: 005D4ACF, 005D4EA5
sweep increased allocation countsync: Unlock of unlocked RWMutexsync: negative WaitGroup countertls: NextProtos values too largetls: unknown Renegotiation valuetransform: short internal bufferuse of closed network connectionx509: ECDSA verification failurex509, xrefs: 005D4BAF
swept cached spansync.RWMutex.Lockthread exhaustiontransfer-encodingtruncated headersunknown caller pcunknown type kindunrecognized namewait for GC cyclewrong medium typex-forwarded-proto but memory size because dotdotdot in async preempt to non-Go memory ,, xrefs: 005D4A76
mspan.sweep: state=multipartmaxheadersnegative coordinatenetwork unreachablenot implemented yetnotesleep not on g0ntdll.dll not foundnwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in proxy-authori, xrefs: 005D4A94, 005D4E65
mspan.sweep: bad span state after sweepout of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetags don't match (%d vs %+, xrefs: 005D4AF8
runtime: nelems=schedule: in cgotime: bad [0-9]*unknown network unpacking headerworkbuf is emptywww-authenticate spinningthreads=%%!%c(big.Int=%s), p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing me, xrefs: 005D4B25
sweep: tried to preserve a user arena spansync/atomic: store of nil value into Valueunexpected signal during runtime executionupdateStatus with no service status handlex509: %q cannot be encoded as an IA5Stringx509: RSA modulus is not a positive numberError en, xrefs: 005D4A65

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: mheap.sweepgen= not in ranges: untyped locals %s %s HTTP/1.1, not a function.WithValue(type /etc/resolv.conf0123456789ABCDEF0123456789abcdef2384185791015625: value of type Already ReportedCoCreateInstanceConnectNamedPipeContent-EncodingContent-LanguageCont$ nalloc= newval= nfreed= packed= ping=%q pointer stack=[ status %!Month(%02d%02d2.5.4.102.5.4.112.5.4.1748828125AcceptExAcceptedArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCurveID(CyrillicDNS nameDSA-SHA1DecemberDuployanEqua$ previous allocCount=, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCM_Get_DevNode_StatusCentral Standard TimeChangeServiceConfig2WDeregist$ sweepgen= targetpc= throwing= until pc=%!Weekday(%s|%s%s|%s, bound = , limit = .localhost/dev/stdin/etc/hosts122070312561035156258.8.8.8:53: parsing :authorityAdditionalBad varintCLOSE_WAITCancelIoExChorasmianClassCHAOSClassCSNETConnectionContent-IdCreateFile$mspan.sweep: bad span state after sweepout of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetags don't match (%d vs %+$mspan.sweep: bad span statenet/http: invalid method %qnet/http: use last responsenot a XENIX named type fileprogToPointerMask: overflowreflect.Value.UnsafePointerrunlock of unlocked rwmutexruntime: asyncPreemptStack=runtime: checkdead: find g runtime: checkdea$mspan.sweep: m is not lockedmultipart: message too largenewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedpending ASN.1 child too longprotocol driver not attachedreflect.MakeSlice: len > capregion exceeds uintptr rangeruntime.$mspan.sweep: state=multipartmaxheadersnegative coordinatenetwork unreachablenot implemented yetnotesleep not on g0ntdll.dll not foundnwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in proxy-authori$runtime: nelems=schedule: in cgotime: bad [0-9]*unknown network unpacking headerworkbuf is emptywww-authenticate spinningthreads=%%!%c(big.Int=%s), p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing me$sweep increased allocation countsync: Unlock of unlocked RWMutexsync: negative WaitGroup countertls: NextProtos values too largetls: unknown Renegotiation valuetransform: short internal bufferuse of closed network connectionx509: ECDSA verification failurex509$sweep: tried to preserve a user arena spansync/atomic: store of nil value into Valueunexpected signal during runtime executionupdateStatus with no service status handlex509: %q cannot be encoded as an IA5Stringx509: RSA modulus is not a positive numberError en$swept cached spansync.RWMutex.Lockthread exhaustiontransfer-encodingtruncated headersunknown caller pcunknown type kindunrecognized namewait for GC cyclewrong medium typex-forwarded-proto but memory size because dotdotdot in async preempt to non-Go memory ,
API String ID: 0-1960342452
Opcode ID: da58ad6b457c0a250145d7743fa2f752e54109cd7b5dabcd02e3b1d1f6cb3572
Instruction ID: fdae8e80a38a665eb7a2891d2fe8bfa87e2fa81336a5556d9ace22a328d26ca6
Opcode Fuzzy Hash: da58ad6b457c0a250145d7743fa2f752e54109cd7b5dabcd02e3b1d1f6cb3572
Instruction Fuzzy Hash: 1562BF32208BD186DB74DB19E4503AEBBA5F386B84F858127EACD43B55DF38C995CB00

Uniqueness

Uniqueness Score: -1.00%

Function 005C9CC0 Relevance: 15.7, Strings: 12, Instructions: 694
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!Weekday(%s|%s%s|%s, bound = , limit = .localhost/dev/stdin/etc/hosts12207031256103515625, xrefs: 005CA829
MB globals, MB) workers= called from flushedWork idlethreads= in duration in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625, xrefs: 005CA867
., xrefs: 005CA3B4
(forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=%s %q: %s%s %x %x(unknown), newval=, oldval=, size = , tail = 244140625: status=Authorit, xrefs: 005CA8A9
gc done but gcphase != _GCoffgfput: bad status (not Gdead)http2: client conn not usablehttp2: client connection losthttp: idle connection timeoutinteger not minimally-encodedinternal error: took too muchinvalid P256 element encodinginvalid character class rang, xrefs: 005CAA36
gcinggscanhchanhostshttpsimap2imap3imapsinet4inet6init int16int32int64matchmheapmonthntohspanicparsepop3srangerune scav schedsleepslicesockssse41sse42ssse3sudogsweeptext/tls: traceuint8usageutf-8write B -> FROM Value addr= alloc base code= ctxt: curg= free , xrefs: 005C9D97, 005C9DAD
ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad RequestClassHE, xrefs: 005CA5C5
failed to set sweep barrierframe_pushpromise_pad_shortframe_rststream_zero_streamgcstopm: not waiting for gcgrowslice: len out of rangehkdf: entropy limit reachedhttp chunk length too largehttp2: response body closedinput overflows the modulusinsufficient secu, xrefs: 005CAA25
MB, and cnt= got= max= ms, ptr tab= top=%s %q%s*%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFoundGreekHTTP/Khmer, xrefs: 005CA807
%: ): +00+01+03+04+05+06+07+08+09+10+11+12+13+14,h1-01-02-03-04-05-06-08-09-11-12....js///0125200204206304400404443500625: `://::1???ACKADTASTAprAugBSTCATCDTCETCSTDSADecDltE: EATEDTEETEOFESTFebFriGETGMTGetHDTHSTHanI: IDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMa, xrefs: 005CA48F
ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=%s %q: %s%s %x %x(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticExecQueryFindCloseForbiddenHex_DigitInherite, xrefs: 005CA79C
MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit100-cont, xrefs: 005CA848

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: (forced) -> node= B exp.) B work ( blocked= in use) lockedg= lockedm= m->curg= marked ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=%s %q: %s%s %x %x(unknown), newval=, oldval=, size = , tail = 244140625: status=Authorit$ MB globals, MB) workers= called from flushedWork idlethreads= in duration in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625$ MB goal, flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!Weekday(%s|%s%s|%s, bound = , limit = .localhost/dev/stdin/etc/hosts12207031256103515625$ MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>) p->status=, cons/mark -byte limit100-cont$ MB, and cnt= got= max= ms, ptr tab= top=%s %q%s*%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFoundGreekHTTP/Khmer$ ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad RequestClassHE$ ms cpu, not in [ runtime= s.limit= s.state= threads= unmarked wbuf1.n= wbuf2.n=%s %q: %s%s %x %x(unknown), newval=, oldval=, size = , tail = 244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticExecQueryFindCloseForbiddenHex_DigitInherite$%: ): +00+01+03+04+05+06+07+08+09+10+11+12+13+14,h1-01-02-03-04-05-06-08-09-11-12....js///0125200204206304400404443500625: `://::1???ACKADTASTAprAugBSTCATCDTCETCSTDSADecDltE: EATEDTEETEOFESTFebFriGETGMTGetHDTHSTHanI: IDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMa$.$failed to set sweep barrierframe_pushpromise_pad_shortframe_rststream_zero_streamgcstopm: not waiting for gcgrowslice: len out of rangehkdf: entropy limit reachedhttp chunk length too largehttp2: response body closedinput overflows the modulusinsufficient secu$gc done but gcphase != _GCoffgfput: bad status (not Gdead)http2: client conn not usablehttp2: client connection losthttp: idle connection timeoutinteger not minimally-encodedinternal error: took too muchinvalid P256 element encodinginvalid character class rang$gcinggscanhchanhostshttpsimap2imap3imapsinet4inet6init int16int32int64matchmheapmonthntohspanicparsepop3srangerune scav schedsleepslicesockssse41sse42ssse3sudogsweeptext/tls: traceuint8usageutf-8write B -> FROM Value addr= alloc base code= ctxt: curg= free
API String ID: 0-3070744486
Opcode ID: 38c627055a7b00b8d3cb290d9b3bcede792e79f241e47d3b95588447c4b19c45
Instruction ID: 73aac9d047dadf6d183d77e87c0cf81b97582c0878a2d5af06c9fcf66c50690f
Opcode Fuzzy Hash: 38c627055a7b00b8d3cb290d9b3bcede792e79f241e47d3b95588447c4b19c45
Instruction Fuzzy Hash: D672BE36705BC5C9EB10DB25F8957AABB64F78AB80F848126DA8D43766DF3CC085C702

Uniqueness

Uniqueness Score: -1.00%

Function 005DA260 Relevance: 15.6, Strings: 12, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

runtime: p.searchAddr = span has no free objectsstack trace unavailablestreamSafe was not resetstructure needs cleaningtext/html; charset=utf-8unexpected buffer len=%vunpacking Question.Classupdate during transitionwmi: invalid entity typex509: malformed vali, xrefs: 005DAB25
, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCM_Get_DevNode_StatusCentral Standard TimeChangeServiceConfig2WDeregisterEventSourceDwmGetWi, xrefs: 005DABC5
] = ] n=allgallpasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chancx16datedeaddialermsetagfailfilefromftpsfuncgziphosthourhttpicmpidleigmpinetint8itabkindlinkopenpipepop3quitreadrootsbrksmtpsse2sse3tcp4tcp6trueudp4udp6uintunixvaryxn-- ... MB, xrefs: 005DAA2F
bad summary databad symbol tablecastogscanstatuscontent-encodingcontent-languagecontent-locationcontext canceleddivision by zerogc: unswept spangcshrinkstackoffhost unreachablehostLookupOrder=integer overflowinvalid argumentinvalid encodinginvalid exchangeinva, xrefs: 005DA66F, 005DADEC
, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad RequestClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruENABLE_PUSHEND_HEADERSESTABLISHEDEarly H, xrefs: 005DAABC
runtime: npages = runtime: range = {runtime: textAddr segmentation faultsequence truncatedserver misbehavingstopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorstruncated sequenceunexpected messageuse of closed filevalue ou, xrefs: 005DA645
runtime: levelShift[level] = runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: traceback stuck. pc=scanobject of a noscan objectsemacquire not on the G stac, xrefs: 005DABA5
runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0seeker can't seekselect (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustiontransfer-encodingtruncated headersunkno, xrefs: 005DAA9E
, i = , not , val .local.onion390625<-chanAcceptAnswerArabicAugustBasic BrahmiCANCELCLOSEDCarianChakmaCommonCookieCopticDELETEExpectFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLISTENLengthLepchaLockedLycianLydianMondayPADDEDPragmaRejangSC, xrefs: 005DAB45
, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625: type ::ffff::method:scheme:statusAvestanBengaliBrailleCLOSINGCONNECTChanDirCopySidCreatedCypriotDeseretEd25519ElbasanElymaicExpiresFreeSidGODEBUGGranthaHEADERSHanunooIM UsedIO waitInstAltInstNopJ, xrefs: 005DAADA
runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0seeker can't seekselect (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustiontransfer-encodingtruncated headersunknown caller pcunknown type kindunrecognized namewait , xrefs: 005DA58A, 005DA9EE
] = (allowarraybad nchdirclosecpu%ddeferfalsefaultfilesgcinggscanhchanhostshttpsimap2imap3imapsinet4inet6init int16int32int64matchmheapmonthntohspanicparsepop3srangerune scav schedsleepslicesockssse41sse42ssse3sudogsweeptext/tls: traceuint8usageutf-8write B ->, xrefs: 005DA5C5

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: , i = , not , val .local.onion390625<-chanAcceptAnswerArabicAugustBasic BrahmiCANCELCLOSEDCarianChakmaCommonCookieCopticDELETEExpectFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLISTENLengthLepchaLockedLycianLydianMondayPADDEDPragmaRejangSC$, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625: type ::ffff::method:scheme:statusAvestanBengaliBrailleCLOSINGCONNECTChanDirCopySidCreatedCypriotDeseretEd25519ElbasanElymaicExpiresFreeSidGODEBUGGranthaHEADERSHanunooIM UsedIO waitInstAltInstNopJ$, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCM_Get_DevNode_StatusCentral Standard TimeChangeServiceConfig2WDeregisterEventSourceDwmGetWi$, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad RequestClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruENABLE_PUSHEND_HEADERSESTABLISHEDEarly H$] = (allowarraybad nchdirclosecpu%ddeferfalsefaultfilesgcinggscanhchanhostshttpsimap2imap3imapsinet4inet6init int16int32int64matchmheapmonthntohspanicparsepop3srangerune scav schedsleepslicesockssse41sse42ssse3sudogsweeptext/tls: traceuint8usageutf-8write B ->$] = ] n=allgallpasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chancx16datedeaddialermsetagfailfilefromftpsfuncgziphosthourhttpicmpidleigmpinetint8itabkindlinkopenpipepop3quitreadrootsbrksmtpsse2sse3tcp4tcp6trueudp4udp6uintunixvaryxn-- ... MB$bad summary databad symbol tablecastogscanstatuscontent-encodingcontent-languagecontent-locationcontext canceleddivision by zerogc: unswept spangcshrinkstackoffhost unreachablehostLookupOrder=integer overflowinvalid argumentinvalid encodinginvalid exchangeinva$runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0seeker can't seekselect (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustiontransfer-encodingtruncated headersunkno$runtime: levelShift[level] = runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: traceback stuck. pc=scanobject of a noscan objectsemacquire not on the G stac$runtime: npages = runtime: range = {runtime: textAddr segmentation faultsequence truncatedserver misbehavingstopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorstruncated sequenceunexpected messageuse of closed filevalue ou$runtime: p.searchAddr = span has no free objectsstack trace unavailablestreamSafe was not resetstructure needs cleaningtext/html; charset=utf-8unexpected buffer len=%vunpacking Question.Classupdate during transitionwmi: invalid entity typex509: malformed vali$runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0seeker can't seekselect (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustiontransfer-encodingtruncated headersunknown caller pcunknown type kindunrecognized namewait
API String ID: 0-1438732543
Opcode ID: 59aac260e6a34c837cc01c283fa1670ea3fbfaf90196f0b2d2f2e155c599897f
Instruction ID: a6117eaabe184ab2a416be23450eca35fe357f80df3f80e11ad7905f818b691e
Opcode Fuzzy Hash: 59aac260e6a34c837cc01c283fa1670ea3fbfaf90196f0b2d2f2e155c599897f
Instruction Fuzzy Hash: B632CF76B14BC5C2DB24AB16E8413EAAB65F789BC0F848563DE8D17B5ACF38C445C701

Uniqueness

Uniqueness Score: -1.00%

Function 005BC4A0 Relevance: 15.4, Strings: 12, Instructions: 383
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

arena already initializedbad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timercontext deadline exceededexplicit tag has no childframe_data_pad_byte_shortframe_headers_pad_too_bigframe_head, xrefs: 005BC870
misrounded allocation in sysAllocnet/http: skip alternate protocolpad size larger than data payloadpseudo header field after regularreflect.nameFrom: name too long: reflect: Field index out of rangereflect: NumOut of non-func type reflect: array index out of r, xrefs: 005BCB7A
base outside usable address spacebytes.Buffer.Grow: negative countconcurrent map read and map writeconnection not allowed by rulesetcrypto/aes: output not full blockcrypto/des: output not full blockcrypto: requested hash function #findrunnable: negative nmspin, xrefs: 005BCB14
end outside usable address spaceframe_windowupdate_zero_inc_conngo package net: hostLookupOrder(integer is not minimally encodedinvalid limiter event type foundinvalid range: failed to overlapmime: expected token after slashnumerical argument out of domainpani, xrefs: 005BCB42
region exceeds uintptr rangeruntime.semasleep unexpectedruntime: bad lfnode address runtime: casgstatus: oldval=runtime: no module data for save on system g not allowedthe service is not installedunexpected protocol version x509: invalid DSA parametersx509: in, xrefs: 005BCAEA
out of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetags don't match (%d vs %+v) %+v %s @%dtls: internal error: wrong, xrefs: 005BC885
) not in usable address space: ...additional frames elided....lib section in a.out corrupted11368683772161602973937988281255684341886080801486968994140625CLIENT_HANDSHAKE_TRAFFIC_SECRETCentral Brazilian Standard TimeCertDuplicateCertificateContextMountain Sta, xrefs: 005BCBE5
out of memory allocating heap arena metadatareflect: funcLayout with interface receiver runtime: lfstack.push invalid packing: node=span on userArena.faultList has invalid sizetls: server sent an incorrect legacy versiontls: server's Finished message was incor, xrefs: 005BC85F
, xrefs: 005BCB32
out of memory allocating allArenasreflect.Value.Grow: slice overflowreflect: ChanDir of non-chan type reflect: Field index out of boundsreflect: Field of non-struct type reflect: string index out of rangeruntime.SetFinalizer: cannot pass runtime: g is running , xrefs: 005BC84E
runtime: memory allocated by OS [runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangescalar has high bit set illegallyskip everything and stop the walkslice bounds out of range [%x:%y]stackalloc not on scheduler s, xrefs: 005BCBA5
memory reservation exceeds address space limitnet/http: internal error: misuse of tryDelivernet/http: too many 1xx informational responsesos: unexpected result from WaitForSingleObjectpanicwrap: unexpected string after type name: protocol error: received DATA , xrefs: 005BCC0F

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: $) not in usable address space: ...additional frames elided....lib section in a.out corrupted11368683772161602973937988281255684341886080801486968994140625CLIENT_HANDSHAKE_TRAFFIC_SECRETCentral Brazilian Standard TimeCertDuplicateCertificateContextMountain Sta$arena already initializedbad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timercontext deadline exceededexplicit tag has no childframe_data_pad_byte_shortframe_headers_pad_too_bigframe_head$base outside usable address spacebytes.Buffer.Grow: negative countconcurrent map read and map writeconnection not allowed by rulesetcrypto/aes: output not full blockcrypto/des: output not full blockcrypto: requested hash function #findrunnable: negative nmspin$end outside usable address spaceframe_windowupdate_zero_inc_conngo package net: hostLookupOrder(integer is not minimally encodedinvalid limiter event type foundinvalid range: failed to overlapmime: expected token after slashnumerical argument out of domainpani$memory reservation exceeds address space limitnet/http: internal error: misuse of tryDelivernet/http: too many 1xx informational responsesos: unexpected result from WaitForSingleObjectpanicwrap: unexpected string after type name: protocol error: received DATA $misrounded allocation in sysAllocnet/http: skip alternate protocolpad size larger than data payloadpseudo header field after regularreflect.nameFrom: name too long: reflect: Field index out of rangereflect: NumOut of non-func type reflect: array index out of r$out of memory allocating allArenasreflect.Value.Grow: slice overflowreflect: ChanDir of non-chan type reflect: Field index out of boundsreflect: Field of non-struct type reflect: string index out of rangeruntime.SetFinalizer: cannot pass runtime: g is running $out of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system callsuspendG from non-preemptible goroutinetags don't match (%d vs %+v) %+v %s @%dtls: internal error: wrong$out of memory allocating heap arena metadatareflect: funcLayout with interface receiver runtime: lfstack.push invalid packing: node=span on userArena.faultList has invalid sizetls: server sent an incorrect legacy versiontls: server's Finished message was incor$region exceeds uintptr rangeruntime.semasleep unexpectedruntime: bad lfnode address runtime: casgstatus: oldval=runtime: no module data for save on system g not allowedthe service is not installedunexpected protocol version x509: invalid DSA parametersx509: in$runtime: memory allocated by OS [runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangescalar has high bit set illegallyskip everything and stop the walkslice bounds out of range [%x:%y]stackalloc not on scheduler s
API String ID: 0-2469717192
Opcode ID: af5e0b4e92e57198cd08b550ef965f54dc05a955317c5ffcf8a16b12f20879ba
Instruction ID: b0b91e458468c88e6f8eeaeb1875c8c9a133e1040434954b3053845c9c24845d
Opcode Fuzzy Hash: af5e0b4e92e57198cd08b550ef965f54dc05a955317c5ffcf8a16b12f20879ba
Instruction Fuzzy Hash: A0027B72609BC4C2DB64CB56E4503EABB65F38AB90F448226EEDD53799CF38D544C704

Uniqueness

Uniqueness Score: -1.00%

Function 005FDAA0 Relevance: 12.9, Strings: 10, Instructions: 371COMMON

Download Yara Rule

Strings

missing stackmapno colon on lineno renegotiationno route to hostnon-Go functionnon-IPv4 addressnon-IPv6 addressobject is remoteproxy-connectionread_frame_otherreflect mismatchregexp: Compile(remote I/O errorruntime: addr = runtime: base = runtime: head = runt, xrefs: 005FDF6F, 005FE0DC
untyped locals %s %s HTTP/1.1, not a function.WithValue(type /etc/resolv.conf0123456789ABCDEF0123456789abcdef2384185791015625: value of type Already ReportedCoCreateInstanceConnectNamedPipeContent-EncodingContent-LanguageContent-Length: CreateDirectoryWCrea, xrefs: 005FE094
bad symbol tablecastogscanstatuscontent-encodingcontent-languagecontent-locationcontext canceleddivision by zerogc: unswept spangcshrinkstackoffhost unreachablehostLookupOrder=integer overflowinvalid argumentinvalid encodinginvalid exchangeinvalid g statusleng, xrefs: 005FDECA, 005FE03B
args stack map entries for registry key already exists18189894035458564758300781259094947017729282379150390625Aus Central W. Standard TimeCanada Central Standard TimeCen. Australia Standard TimeCentral Europe Standard TimeCertCreateCertificateContextEd25519 , xrefs: 005FDE6F
locals stack map entries for 227373675443232059478759765625Central European Standard TimeCentral Standard Time (Mexico)CertDeleteCertificateFromStoreConfig.Name field is required.E. South America Standard TimeEastern Standard Time (Mexico)GODEBUG: unknown cpu, xrefs: 005FDFE5
runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtime: unknown unit too many open filesunexpected InstFailunexpected g statusunknown Go type: %vunknown certificateunknown ciphe, xrefs: 005FDE31, 005FDFA9
untyped args -thread limit.WithDeadline(1907348632812595367431640625: extra text: <not Stringer>Accept-CharsetCertCloseStoreCoInitializeExCoUninitializeComputerNameExContent-LengthControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGen, xrefs: 005FDF26
runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding psync.Mutex.LocktimeBeginPeriodtraceback stuckunexpected typeunknown Go typeunknown networkunknown versionwindows-servicewrite error: %wx-forwarded-for alre, xrefs: 005FDF06, 005FE074
(targetpc= , plugin: ErrCode=%v KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/st, xrefs: 005FDE94, 005FE005
and cnt= got= max= ms, ptr tab= top=%s %q%s*%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFoundGreekHTTP/KhmerLatin, xrefs: 005FDE51, 005FDFC6

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: (targetpc= , plugin: ErrCode=%v KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=) at entry+, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/st$ and cnt= got= max= ms, ptr tab= top=%s %q%s*%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1562578125:***@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFoundGreekHTTP/KhmerLatin$ args stack map entries for registry key already exists18189894035458564758300781259094947017729282379150390625Aus Central W. Standard TimeCanada Central Standard TimeCen. Australia Standard TimeCentral Europe Standard TimeCertCreateCertificateContextEd25519 $ locals stack map entries for 227373675443232059478759765625Central European Standard TimeCentral Standard Time (Mexico)CertDeleteCertificateFromStoreConfig.Name field is required.E. South America Standard TimeEastern Standard Time (Mexico)GODEBUG: unknown cpu$ untyped args -thread limit.WithDeadline(1907348632812595367431640625: extra text: <not Stringer>Accept-CharsetCertCloseStoreCoInitializeExCoUninitializeComputerNameExContent-LengthControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGen$ untyped locals %s %s HTTP/1.1, not a function.WithValue(type /etc/resolv.conf0123456789ABCDEF0123456789abcdef2384185791015625: value of type Already ReportedCoCreateInstanceConnectNamedPipeContent-EncodingContent-LanguageContent-Length: CreateDirectoryWCrea$bad symbol tablecastogscanstatuscontent-encodingcontent-languagecontent-locationcontext canceleddivision by zerogc: unswept spangcshrinkstackoffhost unreachablehostLookupOrder=integer overflowinvalid argumentinvalid encodinginvalid exchangeinvalid g statusleng$missing stackmapno colon on lineno renegotiationno route to hostnon-Go functionnon-IPv4 addressnon-IPv6 addressobject is remoteproxy-connectionread_frame_otherreflect mismatchregexp: Compile(remote I/O errorruntime: addr = runtime: base = runtime: head = runt$runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding psync.Mutex.LocktimeBeginPeriodtraceback stuckunexpected typeunknown Go typeunknown networkunknown versionwindows-servicewrite error: %wx-forwarded-for alre$runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtime: unknown unit too many open filesunexpected InstFailunexpected g statusunknown Go type: %vunknown certificateunknown ciphe
API String ID: 0-2336858285
Opcode ID: 2345bf7fb2e756a0fe3ee676eca2628bd9ebf3190a6879e2f84bea46289e68ca
Instruction ID: 5e29a11c4d698416a6462dcbef9db90b721c7dc9111f315b4acb356743390c2b
Opcode Fuzzy Hash: 2345bf7fb2e756a0fe3ee676eca2628bd9ebf3190a6879e2f84bea46289e68ca
Instruction Fuzzy Hash: E2F19C76614B85C6D724EF26E8843AABB65F789B80F948022EBCD47766DF38C445CB10

Uniqueness

Uniqueness Score: -1.00%

Function 005BCFE0 Relevance: 8.0, Strings: 6, Instructions: 517COMMON

Download Yara Rule

Strings

malloc deadlockmisaligned maskmissing addressmissing mcache?ms: gomaxprocs=network is downno medium foundno such processnon-minimal tagpreempt SPWRITErecord overflowrecovery failedrecv_rststream_runtime error: runtime: frame runtime: max = runtime: min = runti, xrefs: 005BD7E5
mallocgc called with gcphase == _GCmarkterminationnet/http: HTTP/1.x transport connection broken: %wnet/http: Transport failed to read from server: %vnet/http: cannot rewind body after connection lossrecursive call during initialization - linker skewruntime: u, xrefs: 005BD7F6
malloc during signalno such struct fieldnot an integer classnotetsleep not on g0number has no digitsp mcache not flushedpacer: assist ratio=pad length too largepreempt off reason: read_frame_too_largereflect.Value.SetIntreflect.makeFuncStubruntime: double wait, xrefs: 005BD7D0
!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 005BD33A
mallocgc called without a P or outside bootstrappingprotocol error: received DATA before a HEADERS frameruntime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Init, xrefs: 005BD7BF
delayed zeroing on data that may contain pointersecdsa: internal error: truncated hash is too longfully empty unfreed span set block found in resethttp2: request body closed due to handler exitinghttp: wrote more than the declared Content-Lengthinvalid memory , xrefs: 005BD777

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$delayed zeroing on data that may contain pointersecdsa: internal error: truncated hash is too longfully empty unfreed span set block found in resethttp2: request body closed due to handler exitinghttp: wrote more than the declared Content-Lengthinvalid memory $malloc deadlockmisaligned maskmissing addressmissing mcache?ms: gomaxprocs=network is downno medium foundno such processnon-minimal tagpreempt SPWRITErecord overflowrecovery failedrecv_rststream_runtime error: runtime: frame runtime: max = runtime: min = runti$malloc during signalno such struct fieldnot an integer classnotetsleep not on g0number has no digitsp mcache not flushedpacer: assist ratio=pad length too largepreempt off reason: read_frame_too_largereflect.Value.SetIntreflect.makeFuncStubruntime: double wait$mallocgc called with gcphase == _GCmarkterminationnet/http: HTTP/1.x transport connection broken: %wnet/http: Transport failed to read from server: %vnet/http: cannot rewind body after connection lossrecursive call during initialization - linker skewruntime: u$mallocgc called without a P or outside bootstrappingprotocol error: received DATA before a HEADERS frameruntime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Init
API String ID: 0-221902859
Opcode ID: c9a7511c892fee2fea4e03323fbb20b55c89b57664c17fe7575393e9e64af13b
Instruction ID: 233a34a96a4e46a3c1a945516b244446156fb365c3d5331d948f4dad62295fc2
Opcode Fuzzy Hash: c9a7511c892fee2fea4e03323fbb20b55c89b57664c17fe7575393e9e64af13b
Instruction Fuzzy Hash: 1B22DE76219B8482DB10DF15E0407EABB71F389BD4F585526EE8D07B99EF38D884CB10

Uniqueness

Uniqueness Score: -1.00%

Function 005E7500 Relevance: 7.8, Strings: 6, Instructions: 297COMMON

Download Yara Rule

Strings

invalid g statuslength too largemSpanList.insertmSpanList.removemessage too longmissing stackmapno colon on lineno renegotiationno route to hostnon-Go functionnon-IPv4 addressnon-IPv6 addressobject is remoteproxy-connectionread_frame_otherreflect mismatchrege, xrefs: 005E7A1A
runtime: gp: gp=runtime: getg: g=runtime: npages = runtime: range = {runtime: textAddr segmentation faultsequence truncatedserver misbehavingstopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorstruncated sequenceunexpect, xrefs: 005E7927
, gp->atomicstatus=14901161193847656252006-01-02 15:04:0520060102150405Z07007450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeConnection: closeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextEgypt Standar, xrefs: 005E7965
, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625: type ::ffff::method:scheme:statusAvestanBengaliBrailleCLOSINGCONNECTChanDirCopySidCreatedCypriotDeseretEd25519ElbasanElymaicExpiresFreeSidGODEBUGGranthaHEADERSHanunooIM UsedIO waitInstAltI, xrefs: 005E7945, 005E79CF
, g->atomicstatus=, gp->atomicstatus=14901161193847656252006-01-02 15:04:0520060102150405Z07007450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeConnection: closeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseC, xrefs: 005E79EF
suspendG from non-preemptible goroutinetags don't match (%d vs %+v) %+v %s @%dtls: internal error: wrong nonce lengthtls: unsupported certificate curve (%s)traceback: unexpected SPWRITE function trailing backslash at end of expressiontransport endpoint is alre, xrefs: 005E7A2B

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: , g->atomicstatus=, gp->atomicstatus=14901161193847656252006-01-02 15:04:0520060102150405Z07007450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeConnection: closeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseC$, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625: type ::ffff::method:scheme:statusAvestanBengaliBrailleCLOSINGCONNECTChanDirCopySidCreatedCypriotDeseretEd25519ElbasanElymaicExpiresFreeSidGODEBUGGranthaHEADERSHanunooIM UsedIO waitInstAltI$, gp->atomicstatus=14901161193847656252006-01-02 15:04:0520060102150405Z07007450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeConnection: closeCreatePseudoConsoleCreateSymbolicLinkWCryptReleaseContextEgypt Standar$invalid g statuslength too largemSpanList.insertmSpanList.removemessage too longmissing stackmapno colon on lineno renegotiationno route to hostnon-Go functionnon-IPv4 addressnon-IPv6 addressobject is remoteproxy-connectionread_frame_otherreflect mismatchrege$runtime: gp: gp=runtime: getg: g=runtime: npages = runtime: range = {runtime: textAddr segmentation faultsequence truncatedserver misbehavingstopping the worldstreams pipe errorsync.RWMutex.RLocksystem page size (tracebackancestorstruncated sequenceunexpect$suspendG from non-preemptible goroutinetags don't match (%d vs %+v) %+v %s @%dtls: internal error: wrong nonce lengthtls: unsupported certificate curve (%s)traceback: unexpected SPWRITE function trailing backslash at end of expressiontransport endpoint is alre
API String ID: 0-2853955614
Opcode ID: e33320787c70009291d594b29f0906ae05be1e4eb3e549159c996124c6362d05
Instruction ID: 90699776e3f004ab2a11f396bc39a002d87c3871c66e9ba94550903370437896
Opcode Fuzzy Hash: e33320787c70009291d594b29f0906ae05be1e4eb3e549159c996124c6362d05
Instruction Fuzzy Hash: ECD13A76608BC4C6D718DB26E48576ABF61F38AB80F549166EEDD07B6ADF38C441CB00

Uniqueness

Uniqueness Score: -1.00%

Function 005EDEA0 Relevance: 5.7, Strings: 4, Instructions: 688COMMON

Download Yara Rule

Strings

findrunnable: netpoll with pforgetting unknown stream idfound pointer to free objectgcBgMarkWorker: mode not setgcstopm: negative nmspinninggeneral SOCKS server failurehttp2: Transport received %shttp2: client conn is closedhttp: no Host in request URLinvalid , xrefs: 005EE9C5
findrunnable: negative nmspinningframe_pushpromise_promiseid_shortfreeing stack not in a stack spango package net: confVal.netCgo = http2: invalid pseudo headers: %vhttp2: recursive push not allowedhttp: CloseIdleConnections calledhttp: invalid Read on closed , xrefs: 005EE9D6
findrunnable: netpoll with spinningflate: corrupt input before offset greyobject: obj not pointer-alignedhpack: invalid Huffman-encoded datahttp: server closed idle connectionmheap.freeSpanLocked - invalid freemime: bogus characters after %%: %qmime: invalid R, xrefs: 005EE9AF
findrunnable: wrong pframe_ping_has_streamhttp: Handler timeouthttp: nil Request.URLinvalid NumericStringinvalid named captureinvalid scalar lengthkey is not comparablelink has been severedlocalhost.localdomainnegative shift amountnet/http: nil Contextpackage , xrefs: 005EE9E7

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: findrunnable: negative nmspinningframe_pushpromise_promiseid_shortfreeing stack not in a stack spango package net: confVal.netCgo = http2: invalid pseudo headers: %vhttp2: recursive push not allowedhttp: CloseIdleConnections calledhttp: invalid Read on closed $findrunnable: netpoll with pforgetting unknown stream idfound pointer to free objectgcBgMarkWorker: mode not setgcstopm: negative nmspinninggeneral SOCKS server failurehttp2: Transport received %shttp2: client conn is closedhttp: no Host in request URLinvalid $findrunnable: netpoll with spinningflate: corrupt input before offset greyobject: obj not pointer-alignedhpack: invalid Huffman-encoded datahttp: server closed idle connectionmheap.freeSpanLocked - invalid freemime: bogus characters after %%: %qmime: invalid R$findrunnable: wrong pframe_ping_has_streamhttp: Handler timeouthttp: nil Request.URLinvalid NumericStringinvalid named captureinvalid scalar lengthkey is not comparablelink has been severedlocalhost.localdomainnegative shift amountnet/http: nil Contextpackage
API String ID: 0-1858637327
Opcode ID: 43c68ba625984928046dfb3b92c865b8dc06368e60e3d04987fd65d271e9d88b
Instruction ID: 62c5656401933af63ba565a7e9afbcd16f916531aea619f582151f1d04e66289
Opcode Fuzzy Hash: 43c68ba625984928046dfb3b92c865b8dc06368e60e3d04987fd65d271e9d88b
Instruction Fuzzy Hash: 9752CC32609BC1C5EB28CF26E4853AABB61F785B80F484426DACD47B69DF7CC885C741

Uniqueness

Uniqueness Score: -1.00%

Function 005B5880 Relevance: 5.4, Strings: 4, Instructions: 381COMMON

Download Yara Rule

Strings

o[, xrefs: 005B5C8E
chansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timercontext deadline exceededexplicit tag has no childframe_data_pad_byte_shortframe_headers_pad_too_bigframe_headers_zero_streamframe_priority_bad_lengthframe_settings_has_streamhttp2: Fra, xrefs: 005B5E42
unreachableuserenv.dllversion.dll (sensitive) B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwa, xrefs: 005B597B
G waiting list is corruptedGetSecurityDescriptorLengthGetUserPreferredUILanguagesNAF digits must fit in int8No service system detected.PdhGetFormattedCounterValueSetupDiClassNameFromGuidExWSetupDiGetDeviceInstanceIdWSetupDiGetDriverInfoDetailWStartServiceCtrlD, xrefs: 005B5E66

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: o[$G waiting list is corruptedGetSecurityDescriptorLengthGetUserPreferredUILanguagesNAF digits must fit in int8No service system detected.PdhGetFormattedCounterValueSetupDiClassNameFromGuidExWSetupDiGetDeviceInstanceIdWSetupDiGetDriverInfoDetailWStartServiceCtrlD$chansend: spurious wakeupcheckdead: no m for timercheckdead: no p for timercontext deadline exceededexplicit tag has no childframe_data_pad_byte_shortframe_headers_pad_too_bigframe_headers_zero_streamframe_priority_bad_lengthframe_settings_has_streamhttp2: Fra$unreachableuserenv.dllversion.dll (sensitive) B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwa
API String ID: 0-3592308213
Opcode ID: 969888e0b59f1b34e465cf2fdb80d77cb42e59e8bc156af539928c2b781a710d
Instruction ID: df9879b29d9b7660ab82960b6a166079f047ff471336ff84174f12f58be4af99
Opcode Fuzzy Hash: 969888e0b59f1b34e465cf2fdb80d77cb42e59e8bc156af539928c2b781a710d
Instruction Fuzzy Hash: C2F10232204F80C6DB14DB21E4843DEBBA2F785BE4F985625DA9D17BA5DF78D484CB40

Uniqueness

Uniqueness Score: -1.00%

Function 005C9280 Relevance: 5.3, Strings: 4, Instructions: 333COMMON

Download Yara Rule

Strings

runtime: p scheddetailsechost.dllsecur32.dllshell32.dllshort writetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dll (sensitive) B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nData, xrefs: 005C9786
flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!Weekday(%s|%s%s|%s, bound = , limit = .localhost/dev/stdin/etc/hosts122070312561035156258.8.8.8:53, xrefs: 005C97A5
p mcache not flushedpacer: assist ratio=pad length too largepreempt off reason: read_frame_too_largereflect.Value.SetIntreflect.makeFuncStubruntime: double waitselectgo: bad wakeupsemaRoot rotateRighttime: invalid numbertrace: out of memoryunexpected network: , xrefs: 005C97EA
!= sweepgen MB globals, MB) workers= called from flushedWork idlethreads= in duration in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (, xrefs: 005C97C5

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= in duration in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block ($ flushGen gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!Weekday(%s|%s%s|%s, bound = , limit = .localhost/dev/stdin/etc/hosts122070312561035156258.8.8.8:53$p mcache not flushedpacer: assist ratio=pad length too largepreempt off reason: read_frame_too_largereflect.Value.SetIntreflect.makeFuncStubruntime: double waitselectgo: bad wakeupsemaRoot rotateRighttime: invalid numbertrace: out of memoryunexpected network: $runtime: p scheddetailsechost.dllsecur32.dllshell32.dllshort writetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dll (sensitive) B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nData
API String ID: 0-4255979612
Opcode ID: b3d00f1c261cf5fd7d22bf5047953e23f9b1cbc002c420d102159c6eacdbff18
Instruction ID: cb8baa36a245c9692fd5ab4195d9eeadd815ec2eb90be90a47c5e5825ff1852b
Opcode Fuzzy Hash: b3d00f1c261cf5fd7d22bf5047953e23f9b1cbc002c420d102159c6eacdbff18
Instruction Fuzzy Hash: E2E1C476605B80CAEB00DF65E48479EBB65F78A7A0F85422ADAAD437E5DF3CC481C701

Uniqueness

Uniqueness Score: -1.00%

Function 005EAE20 Relevance: 5.3, Strings: 4, Instructions: 256COMMON

Download Yara Rule

Strings

runtime: casgstatus: oldval=runtime: no module data for save on system g not allowedthe service is not installedunexpected protocol version x509: invalid DSA parametersx509: invalid DSA public keyx509: invalid RSA public key45474735088646411895751953125CM_Get_, xrefs: 005EB1ED
casgstatus: waiting for Gwaiting but is Grunnablechacha20poly1305: bad nonce length passed to Openchacha20poly1305: bad nonce length passed to Sealcrypto/elliptic: internal error: invalid encodingcrypto/tls: ExportKeyingMaterial context too longdelayed zeroing, xrefs: 005EB1A5
casgstatus: bad incoming valuescheckmark found unmarked objectcrypto/ecdh: invalid public keyentersyscallblock inconsistent fmt: unknown base; can't happenframe_headers_prio_weight_shorthttp2: connection error: %v: %vinternal error - misuse of itabinvalid netw, xrefs: 005EB22F
newval= nfreed= packed= ping=%q pointer stack=[ status %!Month(%02d%02d2.5.4.102.5.4.112.5.4.1748828125AcceptExAcceptedArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCurveID(CyrillicDNS nameDSA-SHA1DecemberDuployanEqualSidEthi, xrefs: 005EB208

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: newval= nfreed= packed= ping=%q pointer stack=[ status %!Month(%02d%02d2.5.4.102.5.4.112.5.4.1748828125AcceptExAcceptedArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCurveID(CyrillicDNS nameDSA-SHA1DecemberDuployanEqualSidEthi$casgstatus: bad incoming valuescheckmark found unmarked objectcrypto/ecdh: invalid public keyentersyscallblock inconsistent fmt: unknown base; can't happenframe_headers_prio_weight_shorthttp2: connection error: %v: %vinternal error - misuse of itabinvalid netw$casgstatus: waiting for Gwaiting but is Grunnablechacha20poly1305: bad nonce length passed to Openchacha20poly1305: bad nonce length passed to Sealcrypto/elliptic: internal error: invalid encodingcrypto/tls: ExportKeyingMaterial context too longdelayed zeroing$runtime: casgstatus: oldval=runtime: no module data for save on system g not allowedthe service is not installedunexpected protocol version x509: invalid DSA parametersx509: invalid DSA public keyx509: invalid RSA public key45474735088646411895751953125CM_Get_
API String ID: 0-1190589400
Opcode ID: 5d22a7565d6843b625f8f5e8ba0ec49a55c02ecd9ddde122ab6794979cfaf767
Instruction ID: 2ff57ff616bfd4e5a868aa6e6fe80b3e2e6b5b4ab59ea0209cb930fc71ef7827
Opcode Fuzzy Hash: 5d22a7565d6843b625f8f5e8ba0ec49a55c02ecd9ddde122ab6794979cfaf767
Instruction Fuzzy Hash: E0B1A036609BC4C6EB08CB26E49536EBB21F38AB90F588126EEDC43B55DF39D451CB01

Uniqueness

Uniqueness Score: -1.00%

Function 005E7D60 Relevance: 5.2, Strings: 4, Instructions: 242COMMON

Download Yara Rule

Strings

runtime/internal/runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0seeker can't seekselect (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustiontransfer-encodingtrunc, xrefs: 005E7FA3
runtime., xrefs: 005E7F70
bad restart PCbad span statecontent-lengthdata truncatedfile too largefinalizer waitgcstoptheworldgetprotobynameinternal errorinvalid pid %vinvalid syntaxis a directorylevel 2 haltedlevel 3 haltedmultipartfilesneed more datanil elem type!no module datano such , xrefs: 005E80C2
reflect., xrefs: 005E7FD4

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: bad restart PCbad span statecontent-lengthdata truncatedfile too largefinalizer waitgcstoptheworldgetprotobynameinternal errorinvalid pid %vinvalid syntaxis a directorylevel 2 haltedlevel 3 haltedmultipartfilesneed more datanil elem type!no module datano such $reflect.$runtime.$runtime/internal/runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0seeker can't seekselect (no cases)stack: frame={sp:swept cached spansync.RWMutex.Lockthread exhaustiontransfer-encodingtrunc
API String ID: 0-1370213113
Opcode ID: a3355b06b3aa0b141faa022d37b1b6f3191c9cd82fb9b8f840484a3cddafdf2f
Instruction ID: 2b266d3c54c8ee3bfad304e36cc55d026683b785df8b239d8fe397b086b27a9f
Opcode Fuzzy Hash: a3355b06b3aa0b141faa022d37b1b6f3191c9cd82fb9b8f840484a3cddafdf2f
Instruction Fuzzy Hash: F191AF72708B8486DB18CF16E44036EABA2F788BC4F988525EBDD47B59DF78C495CB40

Uniqueness

Uniqueness Score: -1.00%

Function 005F7300 Relevance: 4.9, Strings: 3, Instructions: 1169COMMON

Download Yara Rule

Strings

@r_, xrefs: 005F7AA1
selectgo: bad wakeupsemaRoot rotateRighttime: invalid numbertrace: out of memoryunexpected network: unknown PSK identityunknown address typewirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not foundx509: malformed spkix509usefallbackroots, xrefs: 005F80A9
gp.waiting != nilhandshake failureif-modified-sinceillegal parameterinteger too largeinvalid BMPStringinvalid IA5Stringinvalid bit size invalid stream IDlocked m0 woke upmark - bad statusmarkBits overflowmessage too largemissing closing )missing closing ]missi, xrefs: 005F80D0

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: @r_$gp.waiting != nilhandshake failureif-modified-sinceillegal parameterinteger too largeinvalid BMPStringinvalid IA5Stringinvalid bit size invalid stream IDlocked m0 woke upmark - bad statusmarkBits overflowmessage too largemissing closing )missing closing ]missi$selectgo: bad wakeupsemaRoot rotateRighttime: invalid numbertrace: out of memoryunexpected network: unknown PSK identityunknown address typewirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not foundx509: malformed spkix509usefallbackroots
API String ID: 0-245695312
Opcode ID: fc62bd33ba07da05b9ca4844426233a68243e807e04822bc7d3f5334a852bac5
Instruction ID: fdcb80c7d31649a869ea5935815201ad2f61515176810885d0a0215851ccd593
Opcode Fuzzy Hash: fc62bd33ba07da05b9ca4844426233a68243e807e04822bc7d3f5334a852bac5
Instruction Fuzzy Hash: 4FB2AB32209BC8C2CB60DF12E4443AABB62F789BD4F999916DF9A47759CF78C494C740

Uniqueness

Uniqueness Score: -1.00%

Function 005B6620 Relevance: 4.2, Strings: 3, Instructions: 418COMMON

Download Yara Rule

Strings

o[, xrefs: 005B6A9D
unreachableuserenv.dllversion.dll (sensitive) B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwa, xrefs: 005B67D0
G waiting list is corruptedGetSecurityDescriptorLengthGetUserPreferredUILanguagesNAF digits must fit in int8No service system detected.PdhGetFormattedCounterValueSetupDiClassNameFromGuidExWSetupDiGetDeviceInstanceIdWSetupDiGetDriverInfoDetailWStartServiceCtrlD, xrefs: 005B6B84

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: o[$G waiting list is corruptedGetSecurityDescriptorLengthGetUserPreferredUILanguagesNAF digits must fit in int8No service system detected.PdhGetFormattedCounterValueSetupDiClassNameFromGuidExWSetupDiGetDeviceInstanceIdWSetupDiGetDriverInfoDetailWStartServiceCtrlD$unreachableuserenv.dllversion.dll (sensitive) B (goal KiB total, MB stacks, [recovered] allocCount found at *( gcscandone m->gsignal= maxTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwa
API String ID: 0-927581987
Opcode ID: 48331e4f21444dccd58f998b227f7c6699dda5cb3cf02231339370d3c7e5f0b8
Instruction ID: 44023e467a329317bbbddbaa3b28ba981b6c589bb5f805f3aa35b0ac439df679
Opcode Fuzzy Hash: 48331e4f21444dccd58f998b227f7c6699dda5cb3cf02231339370d3c7e5f0b8
Instruction Fuzzy Hash: E902AE32204B84C6DB60DF26E4843DABBA1F789BD4F989429DA8D47755CF7DD884C740

Uniqueness

Uniqueness Score: -1.00%

Function 005E4080 Relevance: 4.0, Strings: 3, Instructions: 272COMMON

Download Yara Rule

Strings

runtime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject unexpected; result=runtime: waitforsingleobject wait_failed; errno=slice bounds out of range [:%x] with capacity %ystrconv: illegal AppendFloat/FormatFloat bitSizesyscall: string with, xrefs: 005E44E5
self-preemptservices.exesetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstransmitfileunexpected )unknown portunknown typewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= i, xrefs: 005E4525
runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prectime: Stop called on uninitialized Timertls: received empty , xrefs: 005E450F

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: runtime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject unexpected; result=runtime: waitforsingleobject wait_failed; errno=slice bounds out of range [:%x] with capacity %ystrconv: illegal AppendFloat/FormatFloat bitSizesyscall: string with$runtime.preemptM: duplicatehandle failedruntime: SyscallN has too many argumentsruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type ryuFtoaFixed32 called with negative prectime: Stop called on uninitialized Timertls: received empty $self-preemptservices.exesetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstransmitfileunexpected )unknown portunknown typewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen MB globals, MB) workers= called from flushedWork idlethreads= i
API String ID: 0-594971780
Opcode ID: 76051edf4fa0b23e7491a1053765eaae4725a539399f4ed470eecdeab4fcc8a3
Instruction ID: 86fe817f0acd0624ef9aa52ccc46226707267cab23a0768669fdcf292155bdee
Opcode Fuzzy Hash: 76051edf4fa0b23e7491a1053765eaae4725a539399f4ed470eecdeab4fcc8a3
Instruction Fuzzy Hash: 6CC16B36605BC486DB14DF26E4453AABB60F38AB90F559232EB9C93B95DF38C491CB00

Uniqueness

Uniqueness Score: -1.00%

Function 005CFF60 Relevance: 3.9, Strings: 3, Instructions: 174COMMON

Download Yara Rule

Strings

pacer: assist ratio=pad length too largepreempt off reason: read_frame_too_largereflect.Value.SetIntreflect.makeFuncStubruntime: double waitselectgo: bad wakeupsemaRoot rotateRighttime: invalid numbertrace: out of memoryunexpected network: unknown PSK identity, xrefs: 005D0157
(scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (%v: %#x, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625: type ::ffff::method:scheme:statusAvestanBengaliBrailleCLOSINGC, xrefs: 005D0177
MB) workers= called from flushedWork idlethreads= in duration in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc , xrefs: 005D01D4

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie% CPU (%v: %#x, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625: type ::ffff::method:scheme:statusAvestanBengaliBrailleCLOSINGC$ MB) workers= called from flushedWork idlethreads= in duration in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625: unknown pc $pacer: assist ratio=pad length too largepreempt off reason: read_frame_too_largereflect.Value.SetIntreflect.makeFuncStubruntime: double waitselectgo: bad wakeupsemaRoot rotateRighttime: invalid numbertrace: out of memoryunexpected network: unknown PSK identity
API String ID: 0-2011844857
Opcode ID: ccf67dccc4be2ba1896b42b905d3eb93e8d08bef49befac7c1d1bf20279835dc
Instruction ID: 4514dd0d2723ec34fb492a6fb496163b9dbab49ba3cad6812dd151f5162f931a
Opcode Fuzzy Hash: ccf67dccc4be2ba1896b42b905d3eb93e8d08bef49befac7c1d1bf20279835dc
Instruction Fuzzy Hash: B5710572A19F81C5D716EB26E84436A7BA5FBCA7C0F849277AA8D17725CF38C041C700

Uniqueness

Uniqueness Score: -1.00%

Function 005F04A0 Relevance: 2.7, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

internal lockOSThread errorinvalid HTTP header name %qinvalid P224 point encodinginvalid P256 point encodinginvalid P384 point encodinginvalid P521 point encodinginvalid dependent stream IDinvalid profile bucket typeio.File missing Seek methodkey was rejected , xrefs: 005F076F
invalid m->lockedInt = invalid scalar encodingleft over markroot jobsmakechan: bad alignmentmalformed HTTP responsemissing port in addressmissing protocol schememissing type in runfinqnanotime returning zeronet/http: abort Handlernetwork not implementedno appl, xrefs: 005F0746

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: internal lockOSThread errorinvalid HTTP header name %qinvalid P224 point encodinginvalid P256 point encodinginvalid P384 point encodinginvalid P521 point encodinginvalid dependent stream IDinvalid profile bucket typeio.File missing Seek methodkey was rejected $invalid m->lockedInt = invalid scalar encodingleft over markroot jobsmakechan: bad alignmentmalformed HTTP responsemissing port in addressmissing protocol schememissing type in runfinqnanotime returning zeronet/http: abort Handlernetwork not implementedno appl
API String ID: 0-4280029267
Opcode ID: 0b3a5b791afacb3e6123bd855356d9f0e6556ce0683e902eed8b71c1281566b0
Instruction ID: 5a52e6d2a62b16e0338165873e2e651c6b22832f7d01fd3997a2d709ac335bbb
Opcode Fuzzy Hash: 0b3a5b791afacb3e6123bd855356d9f0e6556ce0683e902eed8b71c1281566b0
Instruction Fuzzy Hash: 2171BE32605B84C6DB00DF20E4443AEB761F785B84F896225DB8D1B7A9CF7CD546C740

Uniqueness

Uniqueness Score: -1.00%

Function 00628220 Relevance: 1.8, Strings: 1, Instructions: 559COMMON

Download Yara Rule

Strings

\, xrefs: 00628461

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: 0661f7601cab52a39a41ccceb6b1c5d6febebe11f5746e6828dda34d285a7299
Instruction ID: 1676ea5d8e6c4884c518710721e17e0939dd156befe46979c0738c3d6b22af71
Opcode Fuzzy Hash: 0661f7601cab52a39a41ccceb6b1c5d6febebe11f5746e6828dda34d285a7299
Instruction Fuzzy Hash: 00329D66309FD489DB60CB56F8507AEA762F389BD0F888126DE8D57B49CF7CC4858B00

Uniqueness

Uniqueness Score: -1.00%

Function 005FA660 Relevance: 1.6, Strings: 1, Instructions: 391COMMON

Download Yara Rule

Strings

!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 005FA750, 005FA830, 005FA950, 005FAA4E

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
API String ID: 0-2911004680
Opcode ID: d2276240383f3a2468f9c862eceb467606dac8a60f080cf1b8dcdf47eabd48f6
Instruction ID: f06c329d96389fb911232aa07055a82d5c8b66ad4ca2af64fdbc311b947ef119
Opcode Fuzzy Hash: d2276240383f3a2468f9c862eceb467606dac8a60f080cf1b8dcdf47eabd48f6
Instruction Fuzzy Hash: 5EE1E3E2344B8882DA049B11E5403BDAB63F785BE0F889526EB5E47B99DF7CC484C747

Uniqueness

Uniqueness Score: -1.00%

Function 00605240 Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

invalid length of trace eventio: read/write on closed pipemachine is not on the networkmime: invalid media parametermismatched local address typeno XENIX semaphores availablenotesleep - waitm out of syncnumerical result out of rangeoperation already in progres, xrefs: 00605508

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: invalid length of trace eventio: read/write on closed pipemachine is not on the networkmime: invalid media parametermismatched local address typeno XENIX semaphores availablenotesleep - waitm out of syncnumerical result out of rangeoperation already in progres
API String ID: 0-1426604052
Opcode ID: 8659f119134e4bb99fe1def0e651bc0052279025c07394e52812f30e84a48f42
Instruction ID: 3ff589736caf59ec9807a426c2c391788a0966d2b70d5fffc5b5e65e944ece17
Opcode Fuzzy Hash: 8659f119134e4bb99fe1def0e651bc0052279025c07394e52812f30e84a48f42
Instruction Fuzzy Hash: F3D1A072269F88C2CB588B15E0503EBB762F395BC0F94412AEA9B07B94DB38C491DF55

Uniqueness

Uniqueness Score: -1.00%

Function 005D72C0 Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

grew heap, but no adequate free space foundhttp2: too many 1xx informational responseshttp2: unexpected ALPN protocol %q; want %qinterrupted system call should be restartedmethodValueCallFrameObjs is not in a modulemult64bitPow10: power of 10 is out of rangemu, xrefs: 005D77FA

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: grew heap, but no adequate free space foundhttp2: too many 1xx informational responseshttp2: unexpected ALPN protocol %q; want %qinterrupted system call should be restartedmethodValueCallFrameObjs is not in a modulemult64bitPow10: power of 10 is out of rangemu
API String ID: 0-817925779
Opcode ID: 76c4d32aaf47f44253a03bf3510694463b426a40c07141ebde28e92253dde03f
Instruction ID: b1f9b99179d2678eac97e1627ed11c4a484c059c4f41d9e82f6fef71afb1ed03
Opcode Fuzzy Hash: 76c4d32aaf47f44253a03bf3510694463b426a40c07141ebde28e92253dde03f
Instruction Fuzzy Hash: D8D17E72209BC885DB60CB29E49079ABB61F789BD0F589527DE8D83B59EF38C454CB00

Uniqueness

Uniqueness Score: -1.00%

Function 005C4860 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

bulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0cannot represent time as GeneralizedTimechacha20poly1305: invalid buffer overlapcrypto/cipher: message too large for GCMcrypto/cipher: output smaller than inputcrypto/rsa: input mu, xrefs: 005C4B4F

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: bulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0cannot represent time as GeneralizedTimechacha20poly1305: invalid buffer overlapcrypto/cipher: message too large for GCMcrypto/cipher: output smaller than inputcrypto/rsa: input mu
API String ID: 0-2581119089
Opcode ID: 7d4edee966f41bde55be91e07d992cb89877bef284b18dc8f70ec830594754d5
Instruction ID: 77ec60fab0e6710de0bec7b75fbfae32e2ee94c24424209d2284f4daf038ce07
Opcode Fuzzy Hash: 7d4edee966f41bde55be91e07d992cb89877bef284b18dc8f70ec830594754d5
Instruction Fuzzy Hash: 2071D2B6715B9486DB10CF95E554B5AABA2F784BD0F54942AEF8D03B19DF38C4A0CB00

Uniqueness

Uniqueness Score: -1.00%

Function 005DC5A0 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

bad summary databad symbol tablecastogscanstatuscontent-encodingcontent-languagecontent-locationcontext canceleddivision by zerogc: unswept spangcshrinkstackoffhost unreachablehostLookupOrder=integer overflowinvalid argumentinvalid encodinginvalid exchangeinva, xrefs: 005DC826

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: bad summary databad symbol tablecastogscanstatuscontent-encodingcontent-languagecontent-locationcontext canceleddivision by zerogc: unswept spangcshrinkstackoffhost unreachablehostLookupOrder=integer overflowinvalid argumentinvalid encodinginvalid exchangeinva
API String ID: 0-3169204691
Opcode ID: ee2fda9793eefed1cb1a3e0074d8659d73363f72ec8b6e808c53d2afe6f6d601
Instruction ID: 84895e7eac0a3195850d54619f4569a616756f13a6ebd4f2993154b6cdb2116b
Opcode Fuzzy Hash: ee2fda9793eefed1cb1a3e0074d8659d73363f72ec8b6e808c53d2afe6f6d601
Instruction Fuzzy Hash: 2851E3B7650F8882DB509F59E04039AAB65F789BE0F445227DFAD5379ACF78C084C740

Uniqueness

Uniqueness Score: -1.00%

Function 00626440 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00626594

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
API String ID: 0-2272463933
Opcode ID: 8983ce4285284f723642189e706a274f3b99d95aeebc057082b23c3d245001d6
Instruction ID: 25487066a72ed072eae77361e93de97b549a7d203e655d5e05a3f8c51d1009a9
Opcode Fuzzy Hash: 8983ce4285284f723642189e706a274f3b99d95aeebc057082b23c3d245001d6
Instruction Fuzzy Hash: 82410432708EB482CB18EB19F4106A9A653F394BD4FD9964AFE4B17789CF28C855CB44

Uniqueness

Uniqueness Score: -1.00%

Function 005C98E0 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

gcinggscanhchanhostshttpsimap2imap3imapsinet4inet6init int16int32int64matchmheapmonthntohspanicparsepop3srangerune scav schedsleepslicesockssse41sse42ssse3sudogsweeptext/tls: traceuint8usageutf-8write B -> FROM Value addr= alloc base code= ctxt: curg= free , xrefs: 005C9A52, 005C9A69

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID: gcinggscanhchanhostshttpsimap2imap3imapsinet4inet6init int16int32int64matchmheapmonthntohspanicparsepop3srangerune scav schedsleepslicesockssse41sse42ssse3sudogsweeptext/tls: traceuint8usageutf-8write B -> FROM Value addr= alloc base code= ctxt: curg= free
API String ID: 0-1747049786
Opcode ID: 70590c834660a66ae1f3b9e6b867c04e092e7d33ad79ba01a86c7e0b6de1a580
Instruction ID: dbfdfd30170bd5c1b07fde8dead1e54a9c04b2047ef282c1486f7864d1a35bad
Opcode Fuzzy Hash: 70590c834660a66ae1f3b9e6b867c04e092e7d33ad79ba01a86c7e0b6de1a580
Instruction Fuzzy Hash: 9F71F232709B80DAEB00DF60F8897AABB61F786740F85862ADA4D837A5DF7DC544C701

Uniqueness

Uniqueness Score: -1.00%

Function 0060F2A0 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26b1b6deca3f07e0251502e3510700f3b82ea55110f98f69e4c581c7686c6218
Instruction ID: 9c5262c946af0d15f891a454543ebf2de32a0833e449ffd79f6b9215e17932c6
Opcode Fuzzy Hash: 26b1b6deca3f07e0251502e3510700f3b82ea55110f98f69e4c581c7686c6218
Instruction Fuzzy Hash: 62F18B32249BC0D6DB6C8B21E64039BB362F745794F889526DF9E43B98DF78D4A4C740

Uniqueness

Uniqueness Score: -1.00%

Function 00625C00 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce58e7e6f1cc8ca54156fdf943a28210b8722433a1d244a5cb97f3e6a4de5e4
Instruction ID: b29d2bb5cf7d033d0d9603a1d45e7ec8df986d0da630b141b4f0a4fc1de1559b
Opcode Fuzzy Hash: 6ce58e7e6f1cc8ca54156fdf943a28210b8722433a1d244a5cb97f3e6a4de5e4
Instruction Fuzzy Hash: 01C1D533708EA482DA64CF1AF5017AAA762F388BC4F584415EE8E87B19DA79C955CF04

Uniqueness

Uniqueness Score: -1.00%

Function 00627CE0 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6eb09f2450fdc678e6548622dce31df56b4acbd14e8aa5b02ec6754c113192
Instruction ID: e6064fe2dcb5e3678fdd018625e9370dfaefa0a6435dfaad9d83b6b0bc081fe4
Opcode Fuzzy Hash: 0e6eb09f2450fdc678e6548622dce31df56b4acbd14e8aa5b02ec6754c113192
Instruction Fuzzy Hash: 3BB12523B0CE648BEB20DF25F851BDA9353B789740FCB4826DA0A47795CA6DC8468B15

Uniqueness

Uniqueness Score: -1.00%

Function 005C5600 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00ff997a56aba8fdfce259a117658a1188a163504620da45cc78a0631b232a3
Instruction ID: bf4386a10b30d5c897aebabc39e4bb3862050dbbebb111afaa3f36ca5be1d1d4
Opcode Fuzzy Hash: d00ff997a56aba8fdfce259a117658a1188a163504620da45cc78a0631b232a3
Instruction Fuzzy Hash: 89D15E76709FC485CA60DB97A840B9AAB61F389FD0F54412AEF9D63B59DF38D490CB00

Uniqueness

Uniqueness Score: -1.00%

Function 005F3C20 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a738bdd8024164bffc7f6cbcf9e2186ec9f96b868d54dd6d455954af93548b1
Instruction ID: df66f57d82aadd3d890d67baf0e45e254cd6024672f4d6c811c31085432039df
Opcode Fuzzy Hash: 6a738bdd8024164bffc7f6cbcf9e2186ec9f96b868d54dd6d455954af93548b1
Instruction Fuzzy Hash: C2C18C32309B8886EB14DF25E49536ABB71FBC6B80F545426EA8E87764DF7CD944CB00

Uniqueness

Uniqueness Score: -1.00%

Function 005B6160 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a1e973675e054596899f389eccfad518e45558fcbbe36cc9b5fbe5a99b703c
Instruction ID: 95a9a7d3984addbbc40a65230743ad663934c5f19e17b7c88a33b01de4c1c7a7
Opcode Fuzzy Hash: a2a1e973675e054596899f389eccfad518e45558fcbbe36cc9b5fbe5a99b703c
Instruction Fuzzy Hash: 26B1DE32205B84C6DB10DB15E1843EABBA1F785BD4F98592ACE8E07B65CF7DE495C380

Uniqueness

Uniqueness Score: -1.00%

Function 006124A9 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2311d6b5f75394ec0ef541f1412324d61284e2017643f997d32326a8678364a4
Instruction ID: 735a64d96f859315afa0800260ed4f7b94f4120de61494d3e87fcc0b6e7698a4
Opcode Fuzzy Hash: 2311d6b5f75394ec0ef541f1412324d61284e2017643f997d32326a8678364a4
Instruction Fuzzy Hash: 6FB1FB16D18FDB60E613577C9403BB62B206FF35D4F01D72ABAC2F16A3D7166A01B922

Uniqueness

Uniqueness Score: -1.00%

Function 005ED460 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b7f68ac376f6f4d52347cabb5126b5f8e0cfd52c09e2e3519b5f1e8456740a
Instruction ID: 71d54a1c3d5a5d4e52391ab359a35490805eba363b91d594bdc7a45a7bc806d7
Opcode Fuzzy Hash: 14b7f68ac376f6f4d52347cabb5126b5f8e0cfd52c09e2e3519b5f1e8456740a
Instruction Fuzzy Hash: 7181BE31B01B90CAFF2CDB16E4907A97B30F786B88F49542ADA8D17765CB78C885CB51

Uniqueness

Uniqueness Score: -1.00%

Function 005EEBC0 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7dea6761e4bc4025a878956ae23ffb9e24de19216abd5375a92ca264cca0d6
Instruction ID: 314ac16dc6d1355fbd8c30ef3cb28550db544938803095577f75c03276bb09d9
Opcode Fuzzy Hash: 8a7dea6761e4bc4025a878956ae23ffb9e24de19216abd5375a92ca264cca0d6
Instruction Fuzzy Hash: BA816F76728BD486CB18DB67A441B5ABF66F789BC0F984426FFC947B19CB38C4508B40

Uniqueness

Uniqueness Score: -1.00%

Function 005D9DE0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96450b973c504380de36effc1919276f2e1d1243b193bc8975cf3d3607530820
Instruction ID: 7f423bb322c492b6b36a17ef9636a0c8033a1e7fa7f60412909bf594b9385b9d
Opcode Fuzzy Hash: 96450b973c504380de36effc1919276f2e1d1243b193bc8975cf3d3607530820
Instruction Fuzzy Hash: 59914A77618F8582DB208B59F48029AB7A5F7C9BD4F545226EBAE53B99CF3CC051CB00

Uniqueness

Uniqueness Score: -1.00%

Function 005DB2A0 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5669d014a7841a318b30005f3efb412237f9951e25ac7e8bb24b5b15e0f597c6
Instruction ID: 57e4aee97ed54ba0f4c4cc1ca1f4e2cdd3caee0c212c4536be6adf239d929619
Opcode Fuzzy Hash: 5669d014a7841a318b30005f3efb412237f9951e25ac7e8bb24b5b15e0f597c6
Instruction Fuzzy Hash: DB717072758B8882DA20CF59E08076AAB63F795BC0F59512BEB8E53B59CB7CC041C740

Uniqueness

Uniqueness Score: -1.00%

Function 005CD380 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f38b8d035ed9ea3ad46d9d17e96d47b9c769c2d7965ddc643dc2c42a966010c9
Instruction ID: 0642cfc512f13f9814d2712916c6a49d334f4116e87d090179a1045d41ae09b6
Opcode Fuzzy Hash: f38b8d035ed9ea3ad46d9d17e96d47b9c769c2d7965ddc643dc2c42a966010c9
Instruction Fuzzy Hash: C5613A72209F848ADB45DB65A440B9ABB72F786BD0F48933AEA5D93785DF78C050C710

Uniqueness

Uniqueness Score: -1.00%

Function 005B9E20 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013f8ec3c784328c8fc4ab1019f44d81316437ff7d98f702769add0e75ed9f2d
Instruction ID: bd6a4a94f4d38757493d3b5b90861a4e98ce7559a0905a87bc312354e2e9bc69
Opcode Fuzzy Hash: 013f8ec3c784328c8fc4ab1019f44d81316437ff7d98f702769add0e75ed9f2d
Instruction Fuzzy Hash: B04105A6701A5941AE04CF6685200EAE762F74EFE0399E637CF2D77768C63CE902C344

Uniqueness

Uniqueness Score: -1.00%

Function 005FF3E0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95df54111b1ed5b8b00af7fd3b1bf0ec5091aac372c5c0ecc7f1241cbf4a944b
Instruction ID: 5fd2c708ab6f6f17342d28ee52a1bc3188a33d3e5371e8cb5c62e4e138149893
Opcode Fuzzy Hash: 95df54111b1ed5b8b00af7fd3b1bf0ec5091aac372c5c0ecc7f1241cbf4a944b
Instruction Fuzzy Hash: B641D622704948CBDF24DF66A09537BAB91FF887A8F884A35D76D43BC7D66CC4948B04

Uniqueness

Uniqueness Score: -1.00%

Function 005D1740 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11187e784edc5c20ce42df8f3d5c239a3c0e5c4ee4d3e713c27f1393606e43a1
Instruction ID: 83a27a093ac65c2aa228adfaf44e324fabea7f13374f31003359c8e0134f72ed
Opcode Fuzzy Hash: 11187e784edc5c20ce42df8f3d5c239a3c0e5c4ee4d3e713c27f1393606e43a1
Instruction Fuzzy Hash: 3741F772A0BE4459DD17DB3E9561354A21BAFA3BE0F94C7239C3B763E5EB1990428304

Uniqueness

Uniqueness Score: -1.00%

Function 005BDBA0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7573e5d914976ae6dc10e5cfb25ad7bca911e4232df9cf3d5a8ed157e2bb0c3c
Instruction ID: e1ecfabb8ed9b3285790f039b88ffcc61b0dd5aa5627f39d13f470a3c5a00d36
Opcode Fuzzy Hash: 7573e5d914976ae6dc10e5cfb25ad7bca911e4232df9cf3d5a8ed157e2bb0c3c
Instruction Fuzzy Hash: 7C2139B1F65E444ACA47DB3A8400355821ABF967C0F58C722AD1F77796F739D4C28240

Uniqueness

Uniqueness Score: -1.00%

Function 005D6600 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b191cf503cef7b9eddcaaa3b608af85915d424f7770d9dec8eca69a2c3db2b0
Instruction ID: b8cfec19c3f6663419a3cfec425663c432fbcd4bc338ceb27a8eeea0eab7f81d
Opcode Fuzzy Hash: 7b191cf503cef7b9eddcaaa3b608af85915d424f7770d9dec8eca69a2c3db2b0
Instruction Fuzzy Hash: B4318C7A304B8A91DB44CB19E4913EA6B61F784BC4F859037DE4E47769DF38C64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 005E19C0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 001852704fe434d27afe5dacb6bc33d90fdab754532107115e6306150740680a
Instruction ID: 22f3b6f299aa3945d463b27ce2439728ed9d2334a7d02d37ad63f2097c3d336a
Opcode Fuzzy Hash: 001852704fe434d27afe5dacb6bc33d90fdab754532107115e6306150740680a
Instruction Fuzzy Hash: 84215E36A09F85C1DB04CF15E45536ABB60F386BD4F549222EAED83BA9DB3CC191C740

Uniqueness

Uniqueness Score: -1.00%

Function 005F9980 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f41dd1041c4166b6cf9dccf01c595ad5849fb8d0cff105f1bf291170286d72e
Instruction ID: 794b4323602c4ba5329039791ed0d586c8d0aac5208ca257562851875d6935ca
Opcode Fuzzy Hash: 6f41dd1041c4166b6cf9dccf01c595ad5849fb8d0cff105f1bf291170286d72e
Instruction Fuzzy Hash: B621E736204F89D5DB10DB22F4453AA7B61F34AB84F558622DADD83765EF3EC196C700

Uniqueness

Uniqueness Score: -1.00%

Function 006172C0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1816b9fb327e62f180e0674da4e2765cc9fc0cb51012fa894ebf2a2d319dc4
Instruction ID: d9b9be0d62fb7c5fc89a9d5b9be2e29893d4174279401d9ef00955ea940b7e56
Opcode Fuzzy Hash: cc1816b9fb327e62f180e0674da4e2765cc9fc0cb51012fa894ebf2a2d319dc4
Instruction Fuzzy Hash: DFE0EC26724E8080DA208B19E4413967720F788BB4F550312AEBD077E4CE38C2218F40

Uniqueness

Uniqueness Score: -1.00%

Function 006153E0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2035439975.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AEC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000AF2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000BA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035454107.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036064916.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036080492.0000000000D9B000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_wr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029f6fed46ac446685fb91aef12ddb654e815247c2f047aebc8f3bfb398e6e0f
Instruction ID: 6224b1fd6ae54daf1370a06a1069907fdbaf213ceeb46256112d1c86834aba65
Opcode Fuzzy Hash: 029f6fed46ac446685fb91aef12ddb654e815247c2f047aebc8f3bfb398e6e0f
Instruction Fuzzy Hash: 70C08CB1907E8598FB108300A2403C8B9C6CF843C0E88C080826901624E7AC96C08104

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: wr.exePID: 5064, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: wr.exePID: 5064, Parent PID: 1028COMMON

Execution Graph

Windows Analysis Report
wr.exe

Function 00D9A7C0 Relevance: 6.2, APIs: 4, Instructions: 195
librarymemoryloaderCOMMON

Function 00617300 Relevance: 1.5, APIs: 1, Instructions: 28
timeCOMMON

Function 00616E60 Relevance: 1.3, APIs: 1, Instructions: 33
memoryCOMMON

Function 005D41E0 Relevance: 15.7, Strings: 12, Instructions: 725
COMMON

Function 005C9CC0 Relevance: 15.7, Strings: 12, Instructions: 694
COMMON

Function 005DA260 Relevance: 15.6, Strings: 12, Instructions: 555
COMMON

Function 005BC4A0 Relevance: 15.4, Strings: 12, Instructions: 383
COMMON